Policy > Security

Associated URIs:

API Description API Path

List all Service Definitions registered on given enforcement point.


List all Service Definitions registered on given enforcement point.
GET /policy/api/v1/enforcement-points/<enforcement-point-id>/service-definitions

Create a Service Definition on given enforcement point.


Create a Service Definition on given enforcement point.
POST /policy/api/v1/enforcement-points/<enforcement-point-id>/service-definitions

Delete an existing Service Definition on the given enforcement point


Delete an existing Service Definition on the given enforcement point.
DELETE /policy/api/v1/enforcement-points/<enforcement-point-id>/service-definitions/<service-definition-id>

Read Service Definition with given service-definition-id.


Read Service Definition with given service-definition-id.
GET /policy/api/v1/enforcement-points/<enforcement-point-id>/service-definitions/<service-definition-id>

Update an existing Service Definition on the given enforcement point


Update an existing Service Definition on the given enforcement point.
PUT /policy/api/v1/enforcement-points/<enforcement-point-id>/service-definitions/<service-definition-id>

List all DNS security profiles


List all DNS security profiles
GET /policy/api/v1/infra/dns-security-profiles
GET /policy/api/v1/global-infra/dns-security-profiles

Delete DNS security profile


Delete DNS security profile
DELETE /policy/api/v1/global-infra/dns-security-profiles/<profile-id>
DELETE /policy/api/v1/infra/dns-security-profiles/<profile-id>

Read the DNS Forwarder for the given tier-0 instance


Read the DNS Forwarder for the given tier-0 instance
GET /policy/api/v1/global-infra/dns-security-profiles/<profile-id>
GET /policy/api/v1/infra/dns-security-profiles/<profile-id>

Create or update DNS security profile


Create or update DNS security profile
PATCH /policy/api/v1/global-infra/dns-security-profiles/<profile-id>
PATCH /policy/api/v1/infra/dns-security-profiles/<profile-id>

Create or update DNS security profile


Create or update DNS security profile
PUT /policy/api/v1/global-infra/dns-security-profiles/<profile-id>
PUT /policy/api/v1/infra/dns-security-profiles/<profile-id>

List communication maps


List all communication maps for a domain.
This API is deprecated. Please use the following API instead.
GET /infra/domains/domain-id/security-policies
GET /policy/api/v1/infra/domains/<domain-id>/communication-maps (Deprecated)

Deletes a communication map from this domain


Deletes the communication map along with all the communication entries
This API is deprecated. Please use the following API instead.
DELETE /infra/domains/domain-id/security-policies/security-policy-id
DELETE /policy/api/v1/infra/domains/<domain-id>/communication-maps/<communication-map-id> (Deprecated)

Read communication-map


Read communication-map for a domain.
This API is deprecated. Please use the following API instead.
GET /infra/domains/domain-id/security-policies/security-policy-id
GET /policy/api/v1/infra/domains/<domain-id>/communication-maps/<communication-map-id> (Deprecated)

Patch communication map


Patch the communication map for a domain. If a communication map for the
given communication-map-id is not present, the object will get created and
if it is present it will be updated. This is a full replace
This API is deprecated. Please use the following API instead.
PATCH /infra/domains/domain-id/security-policies/security-policy-id
PATCH /policy/api/v1/infra/domains/<domain-id>/communication-maps/<communication-map-id> (Deprecated)

Revise the positioning of communication maps


This is used to set a precedence of a communication map w.r.t others.
This API is deprecated. Please use the following API instead.
POST /infra/domains/domain-id/security-policies/security-policy-id?action=revise
POST /policy/api/v1/infra/domains/<domain-id>/communication-maps/<communication-map-id>?action=revise (Deprecated)

Create or Update communication map


Create or Update the communication map for a domain. This is a full replace.
All the CommunicationEntries are replaced.
This API is deprecated. Please use the following API instead.
PUT /infra/domains/domain-id/security-policies/security-policy-id
PUT /policy/api/v1/infra/domains/<domain-id>/communication-maps/<communication-map-id> (Deprecated)

List CommunicationEntries


List CommunicationEntries
This API is deprecated. Please use the following API instead.
GET /infra/domains/domain-id/security-policies/security-policy-id/rules
GET /policy/api/v1/infra/domains/<domain-id>/communication-maps/<communication-map-id>/communication-entries (Deprecated)

Delete CommunicationEntry


Delete CommunicationEntry
This API is deprecated. Please use the following API instead.
DELETE /infra/domains/domain-id/security-policies/security-policy-id/rules/rule-id
DELETE /policy/api/v1/infra/domains/<domain-id>/communication-maps/<communication-map-id>/communication-entries/<communication-entry-id> (Deprecated)

Read CommunicationEntry


Read CommunicationEntry
This API is deprecated. Please use the following API instead.
GET /infra/domains/domain-id/security-policies/security-policy-id/rules/rule-id
GET /policy/api/v1/infra/domains/<domain-id>/communication-maps/<communication-map-id>/communication-entries/<communication-entry-id> (Deprecated)

Patch a CommunicationEntry


Patch the CommunicationEntry. If a communication entry for the given
communication-entry-id is not present, the object will get created and if
it is present it will be updated. This is a full replace
This API is deprecated. Please use the following API instead.
PATCH /infra/domains/domain-id/security-policies/security-policy-id/rules/rule-id
PATCH /policy/api/v1/infra/domains/<domain-id>/communication-maps/<communication-map-id>/communication-entries/<communication-entry-id> (Deprecated)

Revise the positioning of communication entry


This is used to re-order a communictation entry within a communication map.
This API is deprecated. Please use the following API instead.
POST /infra/domains/domain-id/security-policies/security-policy-id/rules/rule-id?action=revise
POST /policy/api/v1/infra/domains/<domain-id>/communication-maps/<communication-map-id>/communication-entries/<communication-entry-id>?action=revise (Deprecated)

Create or update a CommunicationEntry


Update the CommunicationEntry. If a CommunicationEntry with the communication-entry-id
is not already present, this API fails with a 404. Creation of CommunicationEntries
is not allowed using this API.
This API is deprecated. Please use the following API instead
PUT /infra/domains/domain-id/security-policies/securit-policy-id/rules/rule-id
PUT /policy/api/v1/infra/domains/<domain-id>/communication-maps/<communication-map-id>/communication-entries/<communication-entry-id> (Deprecated)

Delete Endpoint policy


Delete Endpoint policy.
DELETE /policy/api/v1/infra/domains/<domain-id>/endpoint-policies/<endpoint-policy-id>

Read Endpoint policy


Read Endpoint policy.
GET /policy/api/v1/infra/domains/<domain-id>/endpoint-policies/<endpoint-policy-id>

Create or update Endpoint policy


Create or update the Endpoint policy.
PATCH /policy/api/v1/infra/domains/<domain-id>/endpoint-policies/<endpoint-policy-id>

Create or update Endpoint policy


Create or update the Endpoint policy.
PUT /policy/api/v1/infra/domains/<domain-id>/endpoint-policies/<endpoint-policy-id>

List Endpoint rules


List Endpoint rules
GET /policy/api/v1/infra/domains/<domain-id>/endpoint-policies/<endpoint-policy-id>/endpoint-rules

Delete EndpointRule


Delete EndpointRule
DELETE /policy/api/v1/infra/domains/<domain-id>/endpoint-policies/<endpoint-policy-id>/endpoint-rules/<endpoint-rule-id>

Read Endpoint rule


Read Endpoint rule
GET /policy/api/v1/infra/domains/<domain-id>/endpoint-policies/<endpoint-policy-id>/endpoint-rules/<endpoint-rule-id>

Update Endpoint rule


Create a Endpoint rule with the endpoint-rule-id is not already present,
otherwise update the Endpoint Rule.
PATCH /policy/api/v1/infra/domains/<domain-id>/endpoint-policies/<endpoint-policy-id>/endpoint-rules/<endpoint-rule-id>

Update Endpoint rule


Create a Endpoint rule with the endpoint-rule-id is not already present,
otherwise update the Endpoint Rule.
PUT /policy/api/v1/infra/domains/<domain-id>/endpoint-policies/<endpoint-policy-id>/endpoint-rules/<endpoint-rule-id>

List gateway policies


List all gateway policies for specified Domain.
GET /policy/api/v1/infra/domains/<domain-id>/gateway-policies
GET /policy/api/v1/global-infra/domains/<domain-id>/gateway-policies

Delete GatewayPolicy


Delete GatewayPolicy
DELETE /policy/api/v1/infra/domains/<domain-id>/gateway-policies/<gateway-policy-id>

Read gateway policy


Read gateway policy for a domain.
GET /policy/api/v1/global-infra/domains/<domain-id>/gateway-policies/<gateway-policy-id>
GET /policy/api/v1/infra/domains/<domain-id>/gateway-policies/<gateway-policy-id>

Update gateway policy


Update the gateway policy for a domain. This is a full replace.
All the rules are replaced.
Performance Note: If you want to edit several rules in a gateway policy
use this API. It will perform better than several individual rule APIs.
Just pass all the rules which you wish to edit as embedded rules to it.
PATCH /policy/api/v1/infra/domains/<domain-id>/gateway-policies/<gateway-policy-id>

Revise the positioning of gateway policy


This is used to set a precedence of a gateway policy w.r.t others.
POST /policy/api/v1/infra/domains/<domain-id>/gateway-policies/<gateway-policy-id>?action=revise

Update gateway policy


Update the gateway policy for a domain. This is a full replace.
All the rules are replaced.
Performance Note: If you want to edit several rules in a gateway policy,
use this API. It will perform better than several individual rule APIs.
Just pass all the rules which you wish to edit as embedded rules to it.
PUT /policy/api/v1/infra/domains/<domain-id>/gateway-policies/<gateway-policy-id>

List rules


List rules
GET /policy/api/v1/infra/domains/<domain-id>/gateway-policies/<gateway-policy-id>/rules
GET /policy/api/v1/global-infra/domains/<domain-id>/gateway-policies/<gateway-policy-id>/rules

Delete rule


Delete rule
DELETE /policy/api/v1/infra/domains/<domain-id>/gateway-policies/<gateway-policy-id>/rules/<rule-id>

Read rule


Read rule
GET /policy/api/v1/infra/domains/<domain-id>/gateway-policies/<gateway-policy-id>/rules/<rule-id>
GET /policy/api/v1/global-infra/domains/<domain-id>/gateway-policies/<gateway-policy-id>/rules/<rule-id>

Update gateway rule


Update the gateway rule.
Create new rule if a rule with the rule-id is not already present.
Performance Note: If you want to edit several rules in a gateway policy,
prefer below mentioned API for optimal performance.
Pass all the rules which you wish to edit as embedded rules to it.
Use this API - PATCH (or PUT)
/infra/domains/<domain-id>/gateway-policies/<gateway-policy-id>

Concurrency Note: Concurrent firewall rule creation is not supported under the same Gateway Policy.
PATCH /policy/api/v1/infra/domains/<domain-id>/gateway-policies/<gateway-policy-id>/rules/<rule-id>

Revise the positioning of gateway rule


This is used to re-order a gateway rule within a gateway policy.
POST /policy/api/v1/infra/domains/<domain-id>/gateway-policies/<gateway-policy-id>/rules/<rule-id>?action=revise

Update gateway rule


Update the gateway rule.
Create new rule if a rule with the rule-id is not already present.
Performance Note: If you want to edit several rules in a gateway policy,
prefer below mentioned API for optimal performance.
Pass all the rules which you wish to edit as embedded rules to it.
Use this API - PATCH (or PUT)
/infra/domains/<domain-id>/gateway-policies/<gateway-policy-id>

Concurrency Note: Concurrent firewall rule creation is not supported under the same Gateway Policy.
PUT /policy/api/v1/infra/domains/<domain-id>/gateway-policies/<gateway-policy-id>/rules/<rule-id>

Get gateway rule statistics


Get statistics of a gateway rule.
- no enforcement point path specified: Stats will be evaluated on each enforcement.
point.
- {enforcement_point_path}: Stats are evaluated only on the given enforcement point.
GET /policy/api/v1/infra/domains/<domain-id>/gateway-policies/<gateway-policy-id>/rules/<rule-id>/statistics
GET /policy/api/v1/global-infra/domains/<domain-id>/gateway-policies/<gateway-policy-id>/rules/<rule-id>/statistics

Get gateway policy statistics


Get statistics of a gateay policy.
- no enforcement point path specified: Stats will be evaluated on each enforcement.
point.
- {enforcement_point_path}: Stats are evaluated only on the given enforcement point.
GET /policy/api/v1/infra/domains/<domain-id>/gateway-policies/<gateway-policy-id>/statistics
GET /policy/api/v1/global-infra/domains/<domain-id>/gateway-policies/<gateway-policy-id>/statistics

Get DNS security profile binding map


API will get DNS security profile binding map
GET /policy/api/v1/infra/domains/<domain-id>/groups/<group-id>/dns-security-profile-binding-maps
GET /policy/api/v1/global-infra/domains/<domain-id>/groups/<group-id>/dns-security-profile-binding-maps

Delete DNS security profile binding map


API will delete DNS security profile binding map
DELETE /policy/api/v1/infra/domains/<domain-id>/groups/<group-id>/dns-security-profile-binding-maps/<dns-security-profile-binding-map-id>

Get DNS security profile binding map


API will get DNS security profile binding map
GET /policy/api/v1/global-infra/domains/<domain-id>/groups/<group-id>/dns-security-profile-binding-maps/<dns-security-profile-binding-map-id>
GET /policy/api/v1/infra/domains/<domain-id>/groups/<group-id>/dns-security-profile-binding-maps/<dns-security-profile-binding-map-id>

Create or update DNS security profile binding map


API will create or update DNS security profile binding map
PATCH /policy/api/v1/infra/domains/<domain-id>/groups/<group-id>/dns-security-profile-binding-maps/<dns-security-profile-binding-map-id>

Update DNS security profile binding map


API will update DNS security profile binding map
PUT /policy/api/v1/infra/domains/<domain-id>/groups/<group-id>/dns-security-profile-binding-maps/<dns-security-profile-binding-map-id>

List Firewall Flood Protection Profile Binding Maps


API will list all Firewall Flood Protection Profile Binding Maps in current group id.
GET /policy/api/v1/global-infra/domains/<domain-id>/groups/<group-id>/firewall-flood-protection-profile-binding-maps
GET /policy/api/v1/infra/domains/<domain-id>/groups/<group-id>/firewall-flood-protection-profile-binding-maps

Delete Firewall Flood Protection Profile Binding


API will delete Firewall Flood Protection Profile Binding
DELETE /policy/api/v1/infra/domains/<domain-id>/groups/<group-id>/firewall-flood-protection-profile-binding-maps/<firewall-flood-protection-profile-binding-map-id>

Get Firewall Flood Protection Profile Binding Map


API will get Firewall Flood Protection Profile Binding Map
GET /policy/api/v1/infra/domains/<domain-id>/groups/<group-id>/firewall-flood-protection-profile-binding-maps/<firewall-flood-protection-profile-binding-map-id>
GET /policy/api/v1/global-infra/domains/<domain-id>/groups/<group-id>/firewall-flood-protection-profile-binding-maps/<firewall-flood-protection-profile-binding-map-id>

Create or update Firewall Flood Protection Profile Binding Map


API will create or update Firewall Flood Protection profile binding map
PATCH /policy/api/v1/infra/domains/<domain-id>/groups/<group-id>/firewall-flood-protection-profile-binding-maps/<firewall-flood-protection-profile-binding-map-id>

Update Firewall Flood Protection Profile Binding Map


API will update Firewall Flood Protection Profile Binding Map
PUT /policy/api/v1/infra/domains/<domain-id>/groups/<group-id>/firewall-flood-protection-profile-binding-maps/<firewall-flood-protection-profile-binding-map-id>

List Firewall Session Timer Profile Binding Maps


API will list all Firewall Session Timer Profile Binding Maps in current group id.
GET /policy/api/v1/global-infra/domains/<domain-id>/groups/<group-id>/firewall-session-timer-profile-binding-maps
GET /policy/api/v1/infra/domains/<domain-id>/groups/<group-id>/firewall-session-timer-profile-binding-maps

Delete Firewall Session Timer Profile Binding


API will delete Firewall Session Timer Profile Binding
DELETE /policy/api/v1/infra/domains/<domain-id>/groups/<group-id>/firewall-session-timer-profile-binding-maps/<firewall-session-timer-profile-binding-map-id>

Get Firewall Session Timer Profile Binding Map


API will get Firewall Session Timer Profile Binding Map
GET /policy/api/v1/infra/domains/<domain-id>/groups/<group-id>/firewall-session-timer-profile-binding-maps/<firewall-session-timer-profile-binding-map-id>
GET /policy/api/v1/global-infra/domains/<domain-id>/groups/<group-id>/firewall-session-timer-profile-binding-maps/<firewall-session-timer-profile-binding-map-id>

Create or update Firewall Session Timer Profile Binding Map


API will create or update Firewall Session Timer profile binding map
PATCH /policy/api/v1/infra/domains/<domain-id>/groups/<group-id>/firewall-session-timer-profile-binding-maps/<firewall-session-timer-profile-binding-map-id>

Update Firewall Session Timer Profile Binding Map


API will update Firewall Session Timer Profile Binding Map
PUT /policy/api/v1/infra/domains/<domain-id>/groups/<group-id>/firewall-session-timer-profile-binding-maps/<firewall-session-timer-profile-binding-map-id>

List Group Monitoring Profile Binding Maps


API will list all Group Monitoring Profile Binding Maps in current group id.
GET /policy/api/v1/infra/domains/<domain-id>/groups/<group-id>/group-monitoring-profile-binding-maps
GET /policy/api/v1/global-infra/domains/<domain-id>/groups/<group-id>/group-monitoring-profile-binding-maps

Delete Group Monitoring Profile Binding


API will delete Group Monitoring Profile Binding
DELETE /policy/api/v1/infra/domains/<domain-id>/groups/<group-id>/group-monitoring-profile-binding-maps/<group-monitoring-profile-binding-map-id>

Get Group Monitoring Profile Binding Map


API will get Group Monitoring Profile Binding Map
GET /policy/api/v1/global-infra/domains/<domain-id>/groups/<group-id>/group-monitoring-profile-binding-maps/<group-monitoring-profile-binding-map-id>
GET /policy/api/v1/infra/domains/<domain-id>/groups/<group-id>/group-monitoring-profile-binding-maps/<group-monitoring-profile-binding-map-id>

Create Group Monitoring Profile Binding Map


API will create group monitoring profile binding map
PATCH /policy/api/v1/infra/domains/<domain-id>/groups/<group-id>/group-monitoring-profile-binding-maps/<group-monitoring-profile-binding-map-id>

Update Group Monitoring Profile Binding Map


API will update Group Monitoring Profile Binding Map
PUT /policy/api/v1/infra/domains/<domain-id>/groups/<group-id>/group-monitoring-profile-binding-maps/<group-monitoring-profile-binding-map-id>

List IDS gateway policies


List all IDS gateway policies for specified Domain.
GET /policy/api/v1/infra/domains/<domain-id>/intrusion-service-gateway-policies

Delete IDS GatewayPolicy


Delete IDS GatewayPolicy
DELETE /policy/api/v1/infra/domains/<domain-id>/intrusion-service-gateway-policies/<policy-id>

Read IDS gateway policy


Read IDS gateway policy for a domain.
GET /policy/api/v1/infra/domains/<domain-id>/intrusion-service-gateway-policies/<policy-id>

Update IDS gateway policy


Update the IDS gateway policy for a domain.
PATCH /policy/api/v1/infra/domains/<domain-id>/intrusion-service-gateway-policies/<policy-id>

Revise the positioning of IDS gateway policy


This is used to set a precedence of a IDS gateway policy w.r.t others.
POST /policy/api/v1/infra/domains/<domain-id>/intrusion-service-gateway-policies/<policy-id>?action=revise

Update IDS gateway policy


Update the IDS gateway policy for a domain.
PUT /policy/api/v1/infra/domains/<domain-id>/intrusion-service-gateway-policies/<policy-id>

List IDS Gateway rules


List IDS Gateway rules
GET /policy/api/v1/infra/domains/<domain-id>/intrusion-service-gateway-policies/<policy-id>/rules

Delete IDS Gateway rule


Delete IDS Gateway rule
DELETE /policy/api/v1/infra/domains/<domain-id>/intrusion-service-gateway-policies/<policy-id>/rules/<rule-id>

Read IDS rule


Read IDS rule
GET /policy/api/v1/infra/domains/<domain-id>/intrusion-service-gateway-policies/<policy-id>/rules/<rule-id>

Update IDS gateway rule


Update the gateway rule.
PATCH /policy/api/v1/infra/domains/<domain-id>/intrusion-service-gateway-policies/<policy-id>/rules/<rule-id>

Revise the positioning of IDS gateway rule


This is used to re-order a IDS gateway rule within a IDS gateway policy.
POST /policy/api/v1/infra/domains/<domain-id>/intrusion-service-gateway-policies/<policy-id>/rules/<rule-id>?action=revise

Create or Update IDS gateway rule


Create or Update the IDS gateway rule.
PUT /policy/api/v1/infra/domains/<domain-id>/intrusion-service-gateway-policies/<policy-id>/rules/<rule-id>

Get IDS gateway rule statistics


Get statistics of a IDS gateway rule.
- no enforcement point path specified: Stats will be evaluated on each enforcement.
point.
- {enforcement_point_path}: Stats are evaluated only on the given enforcement point.
GET /policy/api/v1/infra/domains/<domain-id>/intrusion-service-gateway-policies/<policy-id>/rules/<rule-id>/statistics

Get IDS gateway policy statistics


Get statistics of a IDS gateway policy.
- no enforcement point path specified: Stats will be evaluated on each enforcement.
point.
- {enforcement_point_path}: Stats are evaluated only on the given enforcement point.
GET /policy/api/v1/infra/domains/<domain-id>/intrusion-service-gateway-policies/<policy-id>/statistics

List IDS security policies


List intrusion detection system security policies.
GET /policy/api/v1/infra/domains/<domain-id>/intrusion-service-policies

Get IDS/IPS rule statistics


Get statistics of a IDS/IPS rule.
- no enforcement point path specified: Stats will be evaluated on each enforcement
point.
- {enforcement_point_path}: Stats are evaluated only on the given enforcement point.
GET /policy/api/v1/infra/domains/<domain-id>/intrusion-service-policies/<ids-policy-id>/rules/<rule-id>/statistics

Get IDS security policy statistics


Get statistics of a IDS security policy.
- no enforcement point path specified: Stats will be evaluated on each enforcement
point.
- {enforcement_point_path}: Stats are evaluated only on the given enforcement point.
GET /policy/api/v1/infra/domains/<domain-id>/intrusion-service-policies/<ids-policy-id>/statistics

Delete IDS security policy


Delete intrusion detection system security policy.
DELETE /policy/api/v1/infra/domains/<domain-id>/intrusion-service-policies/<policy-id>

Get IDS security policy.


Read intrusion detection system security policy.
GET /policy/api/v1/infra/domains/<domain-id>/intrusion-service-policies/<policy-id>

Patch IDS security policy


Patch intrusion detection system security policy for a domain.
PATCH /policy/api/v1/infra/domains/<domain-id>/intrusion-service-policies/<policy-id>

Revise the positioning of IDS security policies


This is used to set a precedence of a security policy w.r.t others.
POST /policy/api/v1/infra/domains/<domain-id>/intrusion-service-policies/<policy-id>?action=revise

create or update IDS security policy


Update intrusion detection system security policy for a domain.
PUT /policy/api/v1/infra/domains/<domain-id>/intrusion-service-policies/<policy-id>

List IDS rules


List intrusion detection rules.
GET /policy/api/v1/infra/domains/<domain-id>/intrusion-service-policies/<policy-id>/rules

Delete IDS rule


Delete intrusion detection rule.
DELETE /policy/api/v1/infra/domains/<domain-id>/intrusion-service-policies/<policy-id>/rules/<rule-id>

Get IDS rule.


Read intrusion detection rule
GET /policy/api/v1/infra/domains/<domain-id>/intrusion-service-policies/<policy-id>/rules/<rule-id>

Patch IDS rule


Patch intrusion detection system rule.
PATCH /policy/api/v1/infra/domains/<domain-id>/intrusion-service-policies/<policy-id>/rules/<rule-id>

Revise the positioning of IDS rule


This is used to re-order a rule within a security policy.
POST /policy/api/v1/infra/domains/<domain-id>/intrusion-service-policies/<policy-id>/rules/<rule-id>?action=revise

create or update IDS rule


Update intrusion detection system rule.
PUT /policy/api/v1/infra/domains/<domain-id>/intrusion-service-policies/<policy-id>/rules/<rule-id>

List redirection policies for a domain


List redirection policies for a domain
GET /policy/api/v1/infra/domains/<domain-id>/redirection-policies

Delete redirection policy


Delete redirection policy.
DELETE /policy/api/v1/infra/domains/<domain-id>/redirection-policies/<redirection-policy-id>

Read redirection policy


Read redirection policy.
GET /policy/api/v1/infra/domains/<domain-id>/redirection-policies/<redirection-policy-id>

Create or update redirection policy


Create or update the redirection policy.
Performance Note: If you want to edit several rules in a redirection policy
use this API. It will perform better than several individual rule APIs.
Just pass all the rules which you wish to edit as embedded rules to it.
PATCH /policy/api/v1/infra/domains/<domain-id>/redirection-policies/<redirection-policy-id>

Create or update redirection policy


Create or update the redirection policy.
Performance Note: If you want to edit several rules in a redirection policy
use this API. It will perform better than several individual rule APIs.
Just pass all the rules which you wish to edit as embedded rules to it.
PUT /policy/api/v1/infra/domains/<domain-id>/redirection-policies/<redirection-policy-id>

List rules


List rules
GET /policy/api/v1/infra/domains/<domain-id>/redirection-policies/<redirection-policy-id>/rules

Delete RedirectionRule


Delete RedirectionRule
DELETE /policy/api/v1/infra/domains/<domain-id>/redirection-policies/<redirection-policy-id>/rules/<rule-id>

Read rule


Read rule
GET /policy/api/v1/infra/domains/<domain-id>/redirection-policies/<redirection-policy-id>/rules/<rule-id>

Update redirection rule


Create a rule with the rule-id is not already present, otherwise update the rule.
Performance Note: If you want to edit several rules in a redirection
policy, prefer below mentioned API for optimal performance.
Pass all the rules which you wish to edit as embedded rules to it.
Use this API - PATCH (or PUT)
/infra/domains/<domain-id>/redirection-policies/<red-policy-id>
PATCH /policy/api/v1/infra/domains/<domain-id>/redirection-policies/<redirection-policy-id>/rules/<rule-id>

Update redirection rule


Create a rule with the rule-id is not already present, otherwise update the rule.
Performance Note: If you want to edit several rules in a redirection
policy,prefer below mentioned API for optimal performance.
Pass all the rules which you wish to edit as embedded rules to it.
Use this API - PATCH (or PUT)
/infra/domains/<domain-id>/redirection-policies/<red-policy-id>
PUT /policy/api/v1/infra/domains/<domain-id>/redirection-policies/<redirection-policy-id>/rules/<rule-id>

List security policies


List all security policies for a domain.
GET /policy/api/v1/infra/domains/<domain-id>/security-policies
GET /policy/api/v1/global-infra/domains/<domain-id>/security-policies

Deletes a security policy from this domain


Deletes the security policy along with all the rules
DELETE /policy/api/v1/infra/domains/<domain-id>/security-policies/<security-policy-id>

Read security policy


Read security policy for a domain.
GET /policy/api/v1/global-infra/domains/<domain-id>/security-policies/<security-policy-id>
GET /policy/api/v1/infra/domains/<domain-id>/security-policies/<security-policy-id>

Patch security policy


Patch the security policy for a domain. If a security policy for the given
security-policy-id is not present, the object will get created and if it is
present it will be updated. This is a full replace.
Performance Note: If you want to edit several rules in a security policy
use this API. It will perform better than several individual rule APIs.
Just pass all the rules which you wish to edit as embedded rules to it.
PATCH /policy/api/v1/infra/domains/<domain-id>/security-policies/<security-policy-id>

Revise the positioning of security policies


This is used to set a precedence of a security policy w.r.t others.
POST /policy/api/v1/infra/domains/<domain-id>/security-policies/<security-policy-id>?action=revise

Create or Update security policy


Create or Update the security policy for a domain. This is a full replace.
All the rules are replaced.
Performance Note: If you want to edit several rules in a security policy,
use this API. It will perform better than several individual rule APIs.
Just pass all the rules which you wish to edit as embedded rules to it.
PUT /policy/api/v1/infra/domains/<domain-id>/security-policies/<security-policy-id>

List all container cluster span of a security policy


List all container cluster span of a security policy
GET /policy/api/v1/infra/domains/<domain-id>/security-policies/<security-policy-id>/container-cluster-span

Deletes a security policy from this domain


Deletes the security policy along with all the rules
DELETE /policy/api/v1/infra/domains/<domain-id>/security-policies/<security-policy-id>/container-cluster-span/<antrea-cluster-1>

Read container cluster for a security policy


Read container cluster for a security policy.
GET /policy/api/v1/infra/domains/<domain-id>/security-policies/<security-policy-id>/container-cluster-span/<antrea-cluster-1>

Add a container cluster as a span of this security policy


Add a container cluster as a span of this security policy.
If there already exists another object containing the same container cluster
path, an error will be thrown. The container cluster path cannot be modified
If the path has to be modified, then delete this entity and add a new entity
with the desired container cluster path
PATCH /policy/api/v1/infra/domains/<domain-id>/security-policies/<security-policy-id>/container-cluster-span/<container-cluster-id>

Add a container cluster as a span of this security policy


Add a container cluster as a span of this security policy.
If there already exists another object containing the same container cluster
path, an error will be thrown. The container cluster path cannot be modified
If the path has to be modified, then delete this entity and add a new entity
with the desired container cluster path
PUT /policy/api/v1/infra/domains/<domain-id>/security-policies/<security-policy-id>/container-cluster-span/<container-cluster-id>

List rules


List rules
GET /policy/api/v1/global-infra/domains/<domain-id>/security-policies/<security-policy-id>/rules
GET /policy/api/v1/infra/domains/<domain-id>/security-policies/<security-policy-id>/rules

Delete rule


Delete rule
DELETE /policy/api/v1/infra/domains/<domain-id>/security-policies/<security-policy-id>/rules/<rule-id>

Read rule


Read rule
GET /policy/api/v1/infra/domains/<domain-id>/security-policies/<security-policy-id>/rules/<rule-id>
GET /policy/api/v1/global-infra/domains/<domain-id>/security-policies/<security-policy-id>/rules/<rule-id>

Patch a rule


Patch the rule. If Rule corresponding to the the given rule-id is
not present, the object will get created and if it is present it will be
updated. This is a full replace.
Performance Note: If you want to edit several rules in a security policy,
prefer below mentioned API for optimal performance.
Pass all the rules which you wish to edit as embedded rules to it.
Use this API - PATCH (or PUT)
/infra/domains/<domain-id>/security-policies/<security-policy-id>
PATCH /policy/api/v1/infra/domains/<domain-id>/security-policies/<security-policy-id>/rules/<rule-id>

Revise the positioning of rule


This is used to re-order a rule within a security policy.
POST /policy/api/v1/infra/domains/<domain-id>/security-policies/<security-policy-id>/rules/<rule-id>?action=revise

Create or update a rule


Update the rule. Create new rule if a rule with the rule-id is not already
present.
Performance Note: If you wish to edit several rules in a security policy,
prefer below mentioned API for optimal performance.
Pass all the rules which you wish to edit as embedded rules to it.
Use this API - PATCH (or PUT)
/infra/domains/<domain-id>/security-policies/<security-policy-id>
PUT /policy/api/v1/infra/domains/<domain-id>/security-policies/<security-policy-id>/rules/<rule-id>

Get rule statistics


Get statistics of a rule.
- no enforcement point path specified: Stats will be evaluated on each enforcement
point.
- {enforcement_point_path}: Stats are evaluated only on the given enforcement point.
GET /policy/api/v1/infra/domains/<domain-id>/security-policies/<security-policy-id>/rules/<rule-id>/statistics
GET /policy/api/v1/global-infra/domains/<domain-id>/security-policies/<security-policy-id>/rules/<rule-id>/statistics

Get security policy statistics


Get statistics of a security policy.
- no enforcement point path specified: Stats will be evaluated on each enforcement
point.
- {enforcement_point_path}: Stats are evaluated only on the given enforcement point.
GET /policy/api/v1/infra/domains/<domain-id>/security-policies/<security-policy-id>/statistics
GET /policy/api/v1/global-infra/domains/<domain-id>/security-policies/<security-policy-id>/statistics

List Endpoint policies


List all Endpoint policies across all domains ordered by precedence.
GET /policy/api/v1/infra/domains/endpoint-policies

List Firewall Flood Protection Profile Binding Maps for all domains


API will list all Firewall Flood Protection Profile Binding Maps across all domains.
This API returns the binding maps order by the sequence number.
GET /policy/api/v1/infra/domains/firewall-flood-protection-profile-binding-maps

List Firewall Session Timer Profile Binding Maps for all domains


API will list all Firewall Session Timer Profile Binding Maps across all domains.
This API returns the binding maps order by the sequence number.
GET /policy/api/v1/global-infra/domains/firewall-session-timer-profile-binding-maps
GET /policy/api/v1/infra/domains/firewall-session-timer-profile-binding-maps

List redirection policies


List all redirection policies across all domains ordered by precedence.
GET /policy/api/v1/infra/domains/redirection-policies

List policy drafts


List policy drafts.
GET /policy/api/v1/infra/drafts

Delete a manual draft


Delete a manual draft.
DELETE /policy/api/v1/infra/drafts/<draft-id>

Read draft


Read a draft for a given draft identifier.
GET /policy/api/v1/infra/drafts/<draft-id>

Patch a manual draft


Create a new manual draft if the specified draft id does not correspond
to an existing draft. Update the manual draft otherwise.
Auto draft can not be updated.
PATCH /policy/api/v1/infra/drafts/<draft-id>

Publish a draft


Read a draft and publish it by applying changes onto current configuration.
If there are additional changes on top of draft configuration, pass it as a
request body, in form of Infra object. Otherwise, if there are no additional
changes, then pass empty Infra object as a request body.
POST /policy/api/v1/infra/drafts/<draft-id>?action=publish

Create or update a manual draft


Create a new manual draft if the specified draft id does not correspond
to an existing draft. Update the manual draft otherwise.
Auto draft can not be updated.
PUT /policy/api/v1/infra/drafts/<draft-id>

Get an aggregated configuration for the draft


Get an aggregated configuration that will get applied onto current
configuration during publish of this draft.
The response is a hierarchical payload containing the aggregated
configuration differences from the latest auto draft till the specified draft.
GET /policy/api/v1/infra/drafts/<draft-id>/aggregated

Get paginated aggregated configuration for the draft


Get a paginated aggregated configuration of a given draft. This aggregated
configuration is the differnece between the current published firewall
configuration and a firewall configuration stored in a given draft.
For an initial API call, if request_id is present in a response, then this is
a paginated aggregated configuration of a given draft, containing all the
security policies from the aggregated configuration.
Using this request_id, more granular aggregated configuration, at security
policy level, can be fetched from subsequent API calls.
Absence of request_id suggests that whole aggregated configuration has been
returned as a response to initial API call, as the size of aggregated
configuration is not big enough to need pagination.
GET /policy/api/v1/infra/drafts/<draft-id>/aggregated_with_pagination

Get a preview of a configuration after publish of a draft


Get a preview of a configuration which will be present after publish of
a specified draft. The response essentially is a hierarchical payload
containing the configuration, which will be in active after a specified
draft gets published onto current configuration.
GET /policy/api/v1/infra/drafts/<draft-id>/complete

Test a directory domain event log server connectivity


This API tests a event log server connectivity before the actual domain or event log server is configured. If the connectivity is good, the response will be HTTP status 200. Otherwise the response will be HTTP status 200 and a corresponding error message will be returned.
POST /policy/api/v1/infra/firewall-identity-store-event-log-servers/status

Test a directory domain LDAP server connectivity


This API tests a LDAP server connectivity before the actual domain or LDAP server is configured. If the connectivity is good, the response will be HTTP status 200. Otherwise the response will be HTTP status 500 and corresponding error message will be returned.
POST /policy/api/v1/infra/firewall-identity-store-ldap-server

Scan the size of a directory domain


This call scans the size of a directory domain. It may be very | expensive to run this call in some AD domain deployments. Please | use it with caution.
POST /policy/api/v1/infra/firewall-identity-store-size

List all firewall identity stores


List all firewall identity stores
GET /policy/api/v1/infra/firewall-identity-stores

Fetch all organization units for a LDAP server.


POST /policy/api/v1/infra/firewall-identity-stores-org-units

Delete firewall identity store


If the firewall identity store is removed, it will stop the identity
store synchronization. User will not be able to define new IDFW rules
DELETE /policy/api/v1/infra/firewall-identity-stores/<firewall-identity-store-id>

Read firewall identity store


Return a firewall identity store based on the store identifier
GET /policy/api/v1/infra/firewall-identity-stores/<firewall-identity-store-id>

Create or update a firewall identity store


If a firewall identity store with the firewall-identity-store-id
is not already present, create a new firewall identity store. If it
already exists, update the firewall identity store with specified
attributes.
PATCH /policy/api/v1/infra/firewall-identity-stores/<firewall-identity-store-id>

Invoke full sync or delta sync for a specific domain, with additional delay in seconds if needed. Stop sync will try to stop any pending sync if any to return to idle state.


POST /policy/api/v1/infra/firewall-identity-stores/<firewall-identity-store-id>

Create or update a firewall identity store


If a firewall identity store with the firewall-identity-store-id
is not already present, create a new firewall identity store. If it
already exists, replace the firewall identity store instance with
the new object.
PUT /policy/api/v1/infra/firewall-identity-stores/<firewall-identity-store-id>

Delete a Event Log server for Firewall Identity store


DELETE /policy/api/v1/infra/firewall-identity-stores/<firewall-identity-store-id>/event-log-servers/<event-log-server-id>

Get a specific Event Log server for a given Firewall Identity store


GET /policy/api/v1/infra/firewall-identity-stores/<firewall-identity-store-id>/event-log-servers/<event-log-server-id>

Update a event log server for Firewall Identity store


PUT /policy/api/v1/infra/firewall-identity-stores/<firewall-identity-store-id>/event-log-servers/<event-log-server-id>

Search for directory groups within a domain based on the substring of a distinguished name. (e.g. CN=User,DC=acme,DC=com) The search filter pattern can optionally support multiple (up to 100 maximum) search pattern separated by '|' (url encoded %7C). In this case, the search results will be returned as the union of all matching criteria. (e.g. CN=Ann,CN=Users,DC=acme,DC=com|CN=Bob,CN=Users,DC=acme,DC=com)


GET /policy/api/v1/infra/firewall-identity-stores/<firewall-identity-store-id>/groups

List members of a directory group


A member group could be either direct member of the group specified by group_id or nested member of it. Both direct member groups and nested member groups are returned. Directory group member sync must be enabled to get the correct results.
GET /policy/api/v1/infra/firewall-identity-stores/<firewall-identity-store-id>/groups/<group-id>/member-groups

List all configured domain LDAP servers


GET /policy/api/v1/infra/firewall-identity-stores/<firewall-identity-store-id>/ldap-servers

Delete a LDAP server for Firewall Identity store


DELETE /policy/api/v1/infra/firewall-identity-stores/<firewall-identity-store-id>/ldap-servers/<ldap-server-id>

Get a specific LDAP server for a given Firewall Identity store


GET /policy/api/v1/infra/firewall-identity-stores/<firewall-identity-store-id>/ldap-servers/<ldap-server-id>

Create a LDAP server for Firewall Identity store


More than one LDAP server can be created and only one LDAP
server is used to synchronize directory objects. If more
than one LDAP server is configured, NSX will try all the
servers until it is able to successfully connect to one.
PATCH /policy/api/v1/infra/firewall-identity-stores/<firewall-identity-store-id>/ldap-servers/<ldap-server-id>

Test a LDAP server connection for directory domain


The API tests a LDAP server connection for an already configured domain. If the connection is successful, the response will be HTTP status 200. Otherwise the response will be HTTP status 500 and corresponding error message will be returned.
POST /policy/api/v1/infra/firewall-identity-stores/<firewall-identity-store-id>/ldap-servers/<ldap-server-id>

Update a LDAP server for Firewall Identity store


PUT /policy/api/v1/infra/firewall-identity-stores/<firewall-identity-store-id>/ldap-servers/<ldap-server-id>

Fetch all organization units for a Firewall Identity Store.


GET /policy/api/v1/infra/firewall-identity-stores/<firewall-identity-store-id>/org-units

Get Firewall identity store sync statistics for the given identifier


GET /policy/api/v1/infra/firewall-identity-stores/<firewall-identity-store-id>/sync-stats

Get PolicyFirewallSchedulers


Get all PolicyFirewallSchedulers
GET /policy/api/v1/infra/firewall-schedulers

Delete Policy Firewall Scheduler


Deletes the specified PolicyFirewallScheduler. If scheduler
is consumed in a security policy, it won't get deleted.
DELETE /policy/api/v1/infra/firewall-schedulers/<firewall-scheduler-id>

Get PolicyFirewallScheduler


Get a PolicyFirewallScheduler by id
GET /policy/api/v1/infra/firewall-schedulers/<firewall-scheduler-id>

Create or Update PolicyFirewallScheduler


Creates/Updates a PolicyFirewallScheduler, which can be set at security
policy. Note that at least one property out of "days", "start_date",
"time_interval", "end_date" is required if "recurring" field is true. Also
"start_time" and "end_time" should not be present. And if "recurring"
field is false then "start_date" and "end_date" is mandatory, "start_time"
and "end_time" is optional. Also the fields "days" and "time_interval"
should not be present.
PATCH /policy/api/v1/infra/firewall-schedulers/<firewall-scheduler-id>

Create or Update PolicyFirewallScheduler


Updates a PolicyFirewallScheduler, which can be set at security policy.
Note that at least one property out of "days", "start_date",
"time_interval", "end_date" is required if "recurring" field is true. Also
"start_time" and "end_time" should not be present. And if "recurring"
field is false then "start_date" and "end_date" is mandatory, "start_time"
and "end_time" is optional. Also the fields "days" and "time_interval"
should not be present.
PUT /policy/api/v1/infra/firewall-schedulers/<firewall-scheduler-id>

List Firewall Session Timer Profiles


API will list all Firewall Session Timer Profiles
GET /policy/api/v1/global-infra/firewall-session-timer-profiles
GET /policy/api/v1/infra/firewall-session-timer-profiles

Delete Firewall Session Timer Profile


API will delete Firewall Session Timer Profile
DELETE /policy/api/v1/global-infra/firewall-session-timer-profiles/<firewall-session-timer-profile-id>
DELETE /policy/api/v1/infra/firewall-session-timer-profiles/<firewall-session-timer-profile-id>

Get Firewall Session Timer Profile


API will get Firewall Session Timer Profile
GET /policy/api/v1/global-infra/firewall-session-timer-profiles/<firewall-session-timer-profile-id>
GET /policy/api/v1/infra/firewall-session-timer-profiles/<firewall-session-timer-profile-id>

Create or update Firewall Session Timer Profile


API will create/update Firewall Session Timer Profile
PATCH /policy/api/v1/global-infra/firewall-session-timer-profiles/<firewall-session-timer-profile-id>
PATCH /policy/api/v1/infra/firewall-session-timer-profiles/<firewall-session-timer-profile-id>

Update Firewall Session Timer Profile


API will update Firewall Session Timer Profile
PUT /policy/api/v1/global-infra/firewall-session-timer-profiles/<firewall-session-timer-profile-id>
PUT /policy/api/v1/infra/firewall-session-timer-profiles/<firewall-session-timer-profile-id>

Get policies filtered based on the given criteria


Get the list of policies filtered based on the given criteria.
GET /policy/api/v1/global-infra/firewall/policies
GET /policy/api/v1/infra/firewall/policies

Get rules filtered based on the given criteria


Get the list of rules of given parent path of policy/section, filtered
based on the given criteria.
Parent path is mandatory.
GET /policy/api/v1/global-infra/firewall/rules
GET /policy/api/v1/infra/firewall/rules

List Flood Protection Profiles


API will list all Flood Protection Profiles
GET /policy/api/v1/infra/flood-protection-profiles
GET /policy/api/v1/global-infra/flood-protection-profiles

Delete Flood Protection Profile


API will delete Flood Protection Profile
DELETE /policy/api/v1/infra/flood-protection-profiles/<flood-protection-profile-id>
DELETE /policy/api/v1/global-infra/flood-protection-profiles/<flood-protection-profile-id>

Get Flood Protection Profile


API will get Flood Protection Profile
GET /policy/api/v1/infra/flood-protection-profiles/<flood-protection-profile-id>
GET /policy/api/v1/global-infra/flood-protection-profiles/<flood-protection-profile-id>

Create or update Flood Protection Profile


API will create/update Flood Protection Profile
PATCH /policy/api/v1/infra/flood-protection-profiles/<flood-protection-profile-id>
PATCH /policy/api/v1/global-infra/flood-protection-profiles/<flood-protection-profile-id>

Update Firewall Flood Protection Profile


API will update Firewall Flood Protection Profile
PUT /policy/api/v1/infra/flood-protection-profiles/<flood-protection-profile-id>
PUT /policy/api/v1/global-infra/flood-protection-profiles/<flood-protection-profile-id>

List Flood Protection Profiles


API will list all Flood Protection Profiles bindings.
GET /policy/api/v1/infra/flood-protection-profiles/<flood-protection-profile-id>/bindings
GET /policy/api/v1/global-infra/flood-protection-profiles/<flood-protection-profile-id>/bindings

Read partner services


Read all the partner services available for service insertion
GET /policy/api/v1/infra/partner-services

Read partner service identified by provided name


Read the specific partner service identified by provided name.
GET /policy/api/v1/infra/partner-services/<service-name>

List TLS Config Profiles


API will list all TLS Config Profiles
GET /policy/api/v1/infra/security/tls-inspection-config-profiles (Experimental)
GET /policy/api/v1/global-infra/security/tls-inspection-config-profiles (Experimental)

Delete TLS Config Profile


API will delete TLS Config Profile
DELETE /policy/api/v1/infra/security/tls-inspection-config-profiles/<tls-inspection-config-profile> (Experimental)
DELETE /policy/api/v1/global-infra/security/tls-inspection-config-profiles/<tls-inspection-config-profile> (Experimental)

Get TLS Config Profile


API will get TLS Config Profile
GET /policy/api/v1/infra/security/tls-inspection-config-profiles/<tls-inspection-config-profile> (Experimental)
GET /policy/api/v1/global-infra/security/tls-inspection-config-profiles/<tls-inspection-config-profile> (Experimental)

Create or update TLS Config Profile


API will create/update TLS Config Profile
PATCH /policy/api/v1/infra/security/tls-inspection-config-profiles/<tls-inspection-config-profile> (Experimental)
PATCH /policy/api/v1/global-infra/security/tls-inspection-config-profiles/<tls-inspection-config-profile> (Experimental)

Update TLS Config Profile


API will update TLS Config Profile
PUT /policy/api/v1/infra/security/tls-inspection-config-profiles/<tls-inspection-config-profile> (Experimental)
PUT /policy/api/v1/global-infra/security/tls-inspection-config-profiles/<tls-inspection-config-profile> (Experimental)

List service chains


List all the service chains available for service insertion
GET /policy/api/v1/infra/service-chains

Delete Service chain


This API can be user to delete service chain with given service-chain-id.
DELETE /policy/api/v1/infra/service-chains/<service-chain-id>

Read service chain


This API can be used to read service chain with given service-chain-id.
GET /policy/api/v1/infra/service-chains/<service-chain-id>

Create service chain


Create Service chain representing the sequence in which 3rd party
services must be consumed.
PATCH /policy/api/v1/infra/service-chains/<service-chain-id>

Create or update service chain


Create or update Service chain representing the sequence in which 3rd party
services must be consumed.
PUT /policy/api/v1/infra/service-chains/<service-chain-id>

Read service paths for a given service chain


This API can be used to read service paths for a given service-chain-id.
GET /policy/api/v1/infra/service-chains/<service-chain-id>/service-paths

List service references


List all the partner service references available for service insertion
GET /policy/api/v1/infra/service-references

Delete Service Reference


This API can be used to delete a service reference with the given service-reference-id.
DELETE /policy/api/v1/infra/service-references/<service-reference-id>

Read service reference


This API can be used to read service reference with the given service-reference-id.
GET /policy/api/v1/infra/service-references/<service-reference-id>

Create service reference


Create Service Reference representing the intent to consume a given 3rd party
service.
PATCH /policy/api/v1/infra/service-references/<service-reference-id>

Create service reference


Create Service Reference representing the intent to consume a given 3rd party
service.
PUT /policy/api/v1/infra/service-references/<service-reference-id>

List service profiles


List all the service profiles available for given service reference
GET /policy/api/v1/infra/service-references/<service-reference-id>/service-profiles

Delete Service profile


This API can be used to delete service profile with given service-profile-id
DELETE /policy/api/v1/infra/service-references/<service-reference-id>/service-profiles/<service-profile-id>

Read service profile


This API can be used to read service profile with given service-profile-id
GET /policy/api/v1/infra/service-references/<service-reference-id>/service-profiles/<service-profile-id>

Create service profile


Create Service profile to specify vendor template attri- butes for a given 3rd party service.
PATCH /policy/api/v1/infra/service-references/<service-reference-id>/service-profiles/<service-profile-id>

Create or update service profile


Create or update Service profile to specify vendor temp- late attributes for a given 3rd party service.
PUT /policy/api/v1/infra/service-references/<service-reference-id>/service-profiles/<service-profile-id>

Get Groups used in Redirection rules for a given Service Profile.


List of Groups used in Redirection rules for a given Service Profile.
GET /policy/api/v1/infra/service-references/<service-reference-id>/service-profiles/<service-profile-id>/group-associations

List all service chain mappings for given service profile.


List all service chain mappings in the system for the given service profile.
If no explicit enforcement point is provided in the request, will return for
default. Else, will return for specified points.
GET /policy/api/v1/infra/service-references/<service-reference-id>/service-profiles/<service-profile-id>/service-chain-mappings

List Session Timer Profiles


API will list all Session Timer Profiles bindings.
GET /policy/api/v1/infra/session-timer-profiles/<session-timer-profile-id>/bindings
GET /policy/api/v1/global-infra/session-timer-profiles/<session-timer-profile-id>/bindings

List Firewall CPU Memory Thresholds Profile Binding Maps


API will list all Firewall CPU Memory Thresholds Profile Binding Maps.
GET /policy/api/v1/infra/settings/firewall/cpu-mem-thresholds-profile-binding-maps
GET /policy/api/v1/global-infra/settings/firewall/cpu-mem-thresholds-profile-binding-maps

Delete Firewall CPU Memory Thresholds Profile Binding


API will delete Firewall CPU Memory Thresholds Profile Binding.
DELETE /policy/api/v1/infra/settings/firewall/cpu-mem-thresholds-profile-binding-maps/<cpu-mem-thresholds-profile-binding-map-id>

Get Firewall CPU Memory Thresholds Profile Binding Map


API will get Firewall CPU Memory Thresholds Profile Binding Map.
GET /policy/api/v1/infra/settings/firewall/cpu-mem-thresholds-profile-binding-maps/<cpu-mem-thresholds-profile-binding-map-id>

Create or update Firewall CPU Memory Thresholds Profile Binding Map


API will create or update Firewall CPU Memory Thresholds Profile binding map.
PATCH /policy/api/v1/infra/settings/firewall/cpu-mem-thresholds-profile-binding-maps/<cpu-mem-thresholds-profile-binding-map-id>

Update Firewall CPU Memory Thresholds Profile Binding Map


API will update Firewall CPU Memory Thresholds Profile Binding Map.
PUT /policy/api/v1/infra/settings/firewall/cpu-mem-thresholds-profile-binding-maps/<cpu-mem-thresholds-profile-binding-map-id>

List all CPU and memory thresholds profiles


List all CPU and memory thresholds profiles.
GET /policy/api/v1/global-infra/settings/firewall/cpu-mem-thresholds-profiles
GET /policy/api/v1/infra/settings/firewall/cpu-mem-thresholds-profiles

Delete CPU and memory thresholds profile


Delete CPU and memory thresholds profile.
DELETE /policy/api/v1/infra/settings/firewall/cpu-mem-thresholds-profiles/<profile-id>
DELETE /policy/api/v1/global-infra/settings/firewall/cpu-mem-thresholds-profiles/<profile-id>

Read the CPU and memory thresholds profile


Read the CPU and memory thresholds profile.
GET /policy/api/v1/infra/settings/firewall/cpu-mem-thresholds-profiles/<profile-id>
GET /policy/api/v1/global-infra/settings/firewall/cpu-mem-thresholds-profiles/<profile-id>

Create or update CPU and memory thresholds profile


Create or update CPU and memory thresholds profile.
PATCH /policy/api/v1/infra/settings/firewall/cpu-mem-thresholds-profiles/<profile-id>
PATCH /policy/api/v1/global-infra/settings/firewall/cpu-mem-thresholds-profiles/<profile-id>

Create or update CPU and memory thresholds profile


Create or update CPU and memory thresholds profile.
PUT /policy/api/v1/infra/settings/firewall/cpu-mem-thresholds-profiles/<profile-id>
PUT /policy/api/v1/global-infra/settings/firewall/cpu-mem-thresholds-profiles/<profile-id>

Download exported file


Download the exported file generated from the last export task.
GET /policy/api/v1/infra/settings/firewall/export?action=download

Get the information of export task


Get the information of the latest export task.
GET /policy/api/v1/infra/settings/firewall/export

Cancel a running export task


This operation cancels an export task. Task needs to be in running state.
POST /policy/api/v1/infra/settings/firewall/export?action=cancel

Invoke export task


Invoke export task. There can be only one export task run at any point of
time. Hence invocation of another export task will be discarded, when there
exist an already running export task.
Exported configuration will be in a CSV format. This CSV file will be zipped
into a ZIP file, that can be downloaded after the completion of export task.
POST /policy/api/v1/infra/settings/firewall/export

Get the list of gateway firewall dependent services


Get the list of gateway firewall dependent services
GET /policy/api/v1/infra/settings/firewall/gateway/dependent-services

List compute cluster idfw Configuration


API will list all compute cluster wise identity firewall configuration
GET /policy/api/v1/infra/settings/firewall/idfw/cluster

Delete compute cluster idfw configuration


Delete compute cluster identity firewall configuration.
DELETE /policy/api/v1/infra/settings/firewall/idfw/cluster/<cluster-id>

Read compute cluster idfw configuration


Read compute cluster identity firewall configuration
GET /policy/api/v1/infra/settings/firewall/idfw/cluster/<cluster-id>

Patch compute cluster idfw configuration


Patch compute cluster identity firewall configuration.
PATCH /policy/api/v1/infra/settings/firewall/idfw/cluster/<cluster-id>

Create or update compute cluster idfw configuration


Update the compute cluster idfw configuration
PUT /policy/api/v1/infra/settings/firewall/idfw/cluster/<cluster-id>

Get IDFW status for a Compute Collection


Get IDFW status for a specific Compute Collection
GET /policy/api/v1/infra/settings/firewall/idfw/compute-collections/<compute-collection-id>/status

List IDFW status for Transport Nodes in a Compute Collection


This API will list all transport node and statuses based on idfw enabled
compute collection ID.
GET /policy/api/v1/infra/settings/firewall/idfw/compute-collections/<compute-collection-id>/transport-nodes/status

Get IDFW status for all Compute Collections


Get IDFW status for all Compute Collections
GET /policy/api/v1/infra/settings/firewall/idfw/compute-collections/status

Get all IDFW Group VM details for a given Group


Get all Identity Firewall Group VM details for a given Group.
GET /policy/api/v1/infra/settings/firewall/idfw/group-vm-details

Read idfw configuration for standalone host


Read identity firewall configuration for standalone host
GET /policy/api/v1/infra/settings/firewall/idfw/standalone-host-switch-setting

Patch idfw configuration for standalone host


Patch identity firewall configuration for standalone host
PATCH /policy/api/v1/infra/settings/firewall/idfw/standalone-host-switch-setting

Create or update idfw configuration for standalone host


Update the idfw configuration for standalone host
PUT /policy/api/v1/infra/settings/firewall/idfw/standalone-host-switch-setting

Get IDFW system statistics data


It will get IDFW system statistics data.
GET /policy/api/v1/infra/settings/firewall/idfw/system-stats

List IDFW status of VMs by transport node id


This API will list all VMs and statuses based on transport node ID of idfw
enabled compute collection.
GET /policy/api/v1/infra/settings/firewall/idfw/transport-nodes/<transport-node-id>/vms/status

Get user session data


It will get user session data.
GET /policy/api/v1/infra/settings/firewall/idfw/user-session-data

Get IDFW user login events for a given user


It will get IDFW user login events for a given user.
GET /policy/api/v1/infra/settings/firewall/idfw/user-stats/<user-id>

Get IDFW user login events for a given VM


It will get IDFW user login events for a given VM
(all active plus up to 5 most recent archived entries).
GET /policy/api/v1/infra/settings/firewall/idfw/vm-stats/<vm-id>

Get the information of import task


Get the information of the latest import task.
GET /policy/api/v1/infra/settings/firewall/import

Invoke import task


Invoke import task. There can be only one import task run at any point of
time. Hence invocation of another import task will be discarded, when there
exist an already running import task.
POST /policy/api/v1/infra/settings/firewall/import

Cancel a running import task


This operation cancels an import task. Task needs to be in running state.
POST /policy/api/v1/infra/settings/firewall/import?action=cancel

Get dfw firewall configuration


Get the current dfw firewall configurations.
GET /policy/api/v1/infra/settings/firewall/security

Update dfw firewall configuration


Update dfw firewall related configurations.
PATCH /policy/api/v1/infra/settings/firewall/security

Update dfw firewall configuration


Update dfw firewall related configurations.
PUT /policy/api/v1/infra/settings/firewall/security

Get the list of distributed firewall dependent services


Get the list of distributed firewall dependent services
GET /policy/api/v1/infra/settings/firewall/security/dependent-services

Read security policy exclude list including system and user excluded members


Read security policy exclude list including system and user excluded members.
GET /policy/api/v1/infra/settings/firewall/security/exclude-list?system_owned=true

Read security policy exclude list


Read exclude list for firewall
GET /policy/api/v1/infra/settings/firewall/security/exclude-list

Patch exclusion list for security policy


Patch exclusion list for security policy.
PATCH /policy/api/v1/infra/settings/firewall/security/exclude-list

Filter the firewall exclude list


Filter the firewall exclude list by the given object, to check whether
the object is a member of this exclude list.
POST /policy/api/v1/infra/settings/firewall/security/exclude-list?action=filter

Create or update exclusion list for security policy


Update the exclusion list for security policy
PUT /policy/api/v1/infra/settings/firewall/security/exclude-list

Get IDS system settings


Intrusion detection system settings.
GET /policy/api/v1/infra/settings/firewall/security/intrusion-services

Patch Intrusion detection system settings


Intrusion detection system settings.
PATCH /policy/api/v1/infra/settings/firewall/security/intrusion-services

Update Intrusion detection system settings


Intrusion detection system settings.
PUT /policy/api/v1/infra/settings/firewall/security/intrusion-services

Get the list of the IPs affected for that signature for intrusion events detected on gateway


Get the list of IP addresses affected pertaining to a specific
signature for intrusion events detected on gateway.
POST /policy/api/v1/infra/settings/firewall/security/intrusion-services/affected-ips

Get the list of the users affected for that signature


Get the list of the users affected pertaining to a specific
signature.
POST /policy/api/v1/infra/settings/firewall/security/intrusion-services/affected-users

Get the list of the VMs affected for that signature


Get the list of the VMs affected pertaining to a specific
signature.
POST /policy/api/v1/infra/settings/firewall/security/intrusion-services/affected-vms

List IDS cluster configs


List intrusion detection system cluster configs.
GET /policy/api/v1/infra/settings/firewall/security/intrusion-services/cluster-configs

Read IDS cluster config.


Read intrusion detection system cluster config
GET /policy/api/v1/infra/settings/firewall/security/intrusion-services/cluster-configs/<cluster-config-id>

Patch IDS config on cluster level


Patch intrusion detection system on cluster level.
PATCH /policy/api/v1/infra/settings/firewall/security/intrusion-services/cluster-configs/<cluster-config-id>

create or update IDS config on cluster level


Update intrusion detection system on cluster level.
PUT /policy/api/v1/infra/settings/firewall/security/intrusion-services/cluster-configs/<cluster-config-id>

List Global IDS signatures


List global intrusion detection signatures.
GET /policy/api/v1/infra/settings/firewall/security/intrusion-services/global-signatures

Delete Global IDS signature


Delete global intrusion detection signature.
DELETE /policy/api/v1/infra/settings/firewall/security/intrusion-services/global-signatures/<signature-id>

Get Global IDS signature.


Read global intrusion detection signature
GET /policy/api/v1/infra/settings/firewall/security/intrusion-services/global-signatures/<signature-id>

Patch Global IDS Signature


Patch global intrusion detection system signature.
PATCH /policy/api/v1/infra/settings/firewall/security/intrusion-services/global-signatures/<signature-id>

create or update Global IDS Signature


Update global intrusion detection signature.
PUT /policy/api/v1/infra/settings/firewall/security/intrusion-services/global-signatures/<signature-id>

Get the list of the IDS events that are detected, grouped by signature id.


Get the list of the IDS events that are detected with the total number of
intrusions detected, their severity and the time they occurred,
grouped by signature id.
POST /policy/api/v1/infra/settings/firewall/security/intrusion-services/ids-events

Read IDS config


Read intrusion detection system config of standalone hosts.
GET /policy/api/v1/infra/settings/firewall/security/intrusion-services/ids-standalone-host-config

Patch IDS configuration


Patch intrusion detection system configuration on standalone hosts.
PATCH /policy/api/v1/infra/settings/firewall/security/intrusion-services/ids-standalone-host-config

Create or update IDS configuration


Update intrusion detection system configuration on standalone hosts.
PUT /policy/api/v1/infra/settings/firewall/security/intrusion-services/ids-standalone-host-config

Get the summary of the intrusions that were detected.


Get the summary of all the intrusions that are detected grouped by signature
with details including signature name, id, severity, attack type, protocol,
first and recent occurence, and affected users and VMs.
The following filter criteria are supported: attack target, attack type,
gateway name, IP address, product affected, signature ID and VM name.
POST /policy/api/v1/infra/settings/firewall/security/intrusion-services/ids-summary

List IDS profiles


List intrusion detection profiles.
GET /policy/api/v1/infra/settings/firewall/security/intrusion-services/profiles

Delete IDS profile


Delete intrusion detection profile.
DELETE /policy/api/v1/infra/settings/firewall/security/intrusion-services/profiles/<profile-id>

Get IDS profile.


Read intrusion detection profile
GET /policy/api/v1/infra/settings/firewall/security/intrusion-services/profiles/<profile-id>

Patch IDS profile


Patch intrusion detection system profile.
PATCH /policy/api/v1/infra/settings/firewall/security/intrusion-services/profiles/<profile-id>

create or update IDS profile


Update intrusion detection profile.
PUT /policy/api/v1/infra/settings/firewall/security/intrusion-services/profiles/<profile-id>

Get IDS profile signatures.


Get all the IDS signatures attached to the Profile.
GET /policy/api/v1/infra/settings/firewall/security/intrusion-services/profiles/<profile-id>/effective-signatures (Experimental)

Get IDS signature versions


Intrusion detection system signature versions.
GET /policy/api/v1/infra/settings/firewall/security/intrusion-services/signature-versions

Change the state of IDS Signature Version


Make this IDS Signature version as ACTIVE version and other versions as NOTACTIVE.
POST /policy/api/v1/infra/settings/firewall/security/intrusion-services/signature-versions?action=make_active_version

List IDS signatures


List intrusion detection system signatures.
GET /policy/api/v1/infra/settings/firewall/security/intrusion-services/signature-versions/<version-id>/signatures

Download and update IDS signatures


Trigger the process to Download and update the IDS signatures manually.
POST /policy/api/v1/infra/settings/firewall/security/intrusion-services/signatures?action=update_signatures

Upload IDS signatures bundle


Upload IDS signatures bundle
POST /policy/api/v1/infra/settings/firewall/security/intrusion-services/signatures?action=upload_signatures

Get IDS signature status


Intrusion detection system signatures status.
GET /policy/api/v1/infra/settings/firewall/security/intrusion-services/signatures/status

Reset IDS/IPS rule statistics


Sets IDS/IPS rule statistics counter to zero.
- no enforcement point path specified: Reset of stats will be executed for
each enforcement point.
- {enforcement_point_path}: Reset of stats will be executed only for the given
enforcement point.
POST /policy/api/v1/infra/settings/firewall/security/intrusion-services/stats?action=reset

List Malware Prevention profiles


List Malware Prevention profiles.
GET /policy/api/v1/infra/settings/firewall/security/malware-prevention-service/profiles

Delete Malware Prevention profile


Delete Malware Prevention profile.
DELETE /policy/api/v1/infra/settings/firewall/security/malware-prevention-service/profiles/<profile-id>

Get Malware Prevention profile.


Read Malware Prevention profile
GET /policy/api/v1/infra/settings/firewall/security/malware-prevention-service/profiles/<profile-id>

Patch Malware Prevention profile


Patch Malware Prevention profile.
PATCH /policy/api/v1/infra/settings/firewall/security/malware-prevention-service/profiles/<profile-id>

Patch Malware Prevention profile


Patch Malware Prevention profile.
PUT /policy/api/v1/infra/settings/firewall/security/malware-prevention-service/profiles/<profile-id>

List Malware Prevention signatures


List Malware Prevention signatures.
GET /policy/api/v1/infra/settings/firewall/security/malware-prevention-service/signatures

Reset firewall rule statistics


Sets firewall rule statistics counter to zero. This operation is supported
for given category, for example: DFW i.e. for all layer3 firewall
(transport nodes only) rules or EDGE i.e. for all layer3 edge firewall
(edge nodes only) rules.
- no enforcement point path specified:
On global manager, it is mandatory to give an enforcement point path.
On local manager, reset of stats will be executed for each enforcement point.
- {enforcement_point_path}: Reset of stats will be executed only for the given enforcement point.
POST /policy/api/v1/infra/settings/firewall/stats?action=reset
POST /policy/api/v1/global-infra/settings/firewall/stats?action=reset

Additional API to read service insertion exclude list without filtering out the system owned members


Read exclude list for service insertion
GET /policy/api/v1/infra/settings/service-insertion/security/exclude-list?system_owned=true

Default API to read service insertion exclude list with system owned members filtered out


Read exclude list for service insertion
GET /policy/api/v1/infra/settings/service-insertion/security/exclude-list

Patch service insertion exclusion list for security policy


Patch service insertion exclusion list for security policy.
PATCH /policy/api/v1/infra/settings/service-insertion/security/exclude-list

Update service insertion exclusion list


Update the exclusion list for service insertion policy
PUT /policy/api/v1/infra/settings/service-insertion/security/exclude-list

Get service insertion configuration status


Get the current service insertion status configuration.
GET /policy/api/v1/infra/settings/service-insertion/security/status

Update service insertion status configuration


Update service insertion status.
PATCH /policy/api/v1/infra/settings/service-insertion/security/status

Update service insertion status configuration


Update service insertion status.
PUT /policy/api/v1/infra/settings/service-insertion/security/status

Delete FqdnAnalysisConfig


Delete FqdnAnalysisConfig from the passed edge cluser node.
DELETE /policy/api/v1/infra/sites/<site-id>/enforcement-points/<enforcement-point-id>/edge-clusters/<edge-cluster-id>/fqdn-analysis-config

Get FqdnAnalysisConfig


Gets a FqdnAnalysisConfig. This returns the details of the
config like whether the FQDN Analysis is enabled or disabled for
the given edge cluster.
GET /policy/api/v1/infra/sites/<site-id>/enforcement-points/<enforcement-point-id>/edge-clusters/<edge-cluster-id>/fqdn-analysis-config

Create or Update FqdnAnalysisConfig


Creates/Updates a FqdnAnalysisConfig object. If FqdnAnalysisConfig object does not exists for the passed edge-cluster node,
create a new FqdnAnalysisConfig object. If it already exists, patch it.
PATCH /policy/api/v1/infra/sites/<site-id>/enforcement-points/<enforcement-point-id>/edge-clusters/<edge-cluster-id>/fqdn-analysis-config

Create or Update FqdnAnalysisConfig


Creates/Updates FqdnAnalysisConfig Object for
the given edge cluster. If FqdnAnalysisConfig object is not already present, creates it.
If it already exists, replace with this object.
PUT /policy/api/v1/infra/sites/<site-id>/enforcement-points/<enforcement-point-id>/edge-clusters/<edge-cluster-id>/fqdn-analysis-config

Delete PolicyUrlCategorizationConfig


Delete PolicyUrlCategorizationConfig. If deleted, the URL categorization
will be disabled for that edge cluster.
DELETE /policy/api/v1/infra/sites/<site-id>/enforcement-points/<enforcement-point-id>/edge-clusters/<edge-cluster-id>/url-categorization-configs/<url-categorization-config-id>

Get PolicyUrlCategorizationConfig


Gets a PolicyUrlCategorizationConfig. This returns the details of the
config like whether the URL categorization is enabled or disabled, the id
of the context profiles which are used to filter the categories, and the
update frequency of the data from the cloud.
GET /policy/api/v1/infra/sites/<site-id>/enforcement-points/<enforcement-point-id>/edge-clusters/<edge-cluster-id>/url-categorization-configs/<url-categorization-config-id>

Create or Update PolicyUrlCategorizationConfig


Creates/Updates a PolicyUrlCategorizationConfig. Creating or updating the
PolicyUrlCategorizationConfig will enable or disable URL categorization for
the given edge cluster. If the context_profiles field is empty, the edge
cluster will detect all the categories of URLs. If context_profiles field
has any context profiles, the edge cluster will detect only the categories
listed within those context profiles. The context profiles should have
attribute type URL_CATEGORY. The update_frequency specifies how frequently
in minutes, the edge cluster will get updates about the URL data from the
URL categorization cloud service. If the update_frequency is not specified,
the default update frequency will be 30 min.
PATCH /policy/api/v1/infra/sites/<site-id>/enforcement-points/<enforcement-point-id>/edge-clusters/<edge-cluster-id>/url-categorization-configs/<url-categorization-config-id>

Create or Update PolicyUrlCategorizationConfig


Creates/Updates a PolicyUrlCategorizationConfig. Creating or updating the
PolicyUrlCategorizationConfig will enable or disable URL categorization for
the given edge cluster. If the context_profiles field is empty, the edge
cluster will detect all the categories of URLs. If context_profiles field
has any context profiles, the edge cluster will detect only the categories
listed within those context profiles. The context profiles should have
attribute type URL_CATEGORY. The update_frequency specifies how frequently
in minutes, the edge cluster will get updates about the URL data from the
URL categorization cloud service. If the update_frequency is not specified,
the default update frequency will be 30 min.
PUT /policy/api/v1/infra/sites/<site-id>/enforcement-points/<enforcement-point-id>/edge-clusters/<edge-cluster-id>/url-categorization-configs/<url-categorization-config-id>

Get list of gateway policies with rules that belong to the specific Tier-0 logical router.


Get filtered view of gateway rules associated
with the Tier-0. The gateay policies are returned in the
order of category and precedence.
GET /policy/api/v1/infra/tier-0s/<tier-0-id>/gateway-firewall
GET /policy/api/v1/global-infra/tier-0s/<tier-0-id>/gateway-firewall

Read all BYOD service instance objects under a tier-0


Read all BYOD service instance objects under a tier-0
GET /policy/api/v1/infra/tier-0s/<tier-0-id>/locale-services/<locale-service-id>/byod-service-instances

Delete BYOD policy service instance


Delete BYOD policy service instance
DELETE /policy/api/v1/infra/tier-0s/<tier-0-id>/locale-services/<locale-service-id>/byod-service-instances/<service-instance-id>

Read BYOD service instance


Read BYOD service instance
GET /policy/api/v1/infra/tier-0s/<tier-0-id>/locale-services/<locale-service-id>/byod-service-instances/<service-instance-id>

Create BYOD service instance


Create BYOD Service Instance which represent instance of service definition created on manager.
PATCH /policy/api/v1/infra/tier-0s/<tier-0-id>/locale-services/<locale-service-id>/byod-service-instances/<service-instance-id>

Create BYOD service instance


Create BYOD Service Instance which represent instance of service definition created on manager.
PUT /policy/api/v1/infra/tier-0s/<tier-0-id>/locale-services/<locale-service-id>/byod-service-instances/<service-instance-id>

List all service instance endpoint


List all service instance endpoint
GET /policy/api/v1/infra/tier-0s/<tier-0-id>/locale-services/<locale-service-id>/byod-service-instances/<service-instance-id>/service-instance-endpoints

Delete service instance endpoint


Delete service instance endpoint
DELETE /policy/api/v1/infra/tier-0s/<tier-0-id>/locale-services/<locale-service-id>/byod-service-instances/<service-instance-id>/service-instance-endpoints/<service-instance-endpoint-id>

Read service instance endpoint


Read service instance endpoint
GET /policy/api/v1/infra/tier-0s/<tier-0-id>/locale-services/<locale-service-id>/byod-service-instances/<service-instance-id>/service-instance-endpoints/<service-instance-endpoint-id>

Create service instance endpoint


Create Service instance endpoint.
PATCH /policy/api/v1/infra/tier-0s/<tier-0-id>/locale-services/<locale-service-id>/byod-service-instances/<service-instance-id>/service-instance-endpoints/<service-instance-endpoint-id>

Create service instance endpoint


Create service instance endpoint with given request if not exist.
Modification of service instance endpoint is not allowed.
PUT /policy/api/v1/infra/tier-0s/<tier-0-id>/locale-services/<locale-service-id>/byod-service-instances/<service-instance-id>/service-instance-endpoints/<service-instance-endpoint-id>

List all virtual endpoints


List all virtual endpoints
GET /policy/api/v1/infra/tier-0s/<tier-0-id>/locale-services/<locale-service-id>/endpoints/virtual-endpoints

Delete virtual endpoint


Delete virtual endpoint
DELETE /policy/api/v1/infra/tier-0s/<tier-0-id>/locale-services/<locale-service-id>/endpoints/virtual-endpoints/<virtual-endpoint-id>

Read virtual endpoint


Read virtual endpoint with given id under given Tier0.
GET /policy/api/v1/infra/tier-0s/<tier-0-id>/locale-services/<locale-service-id>/endpoints/virtual-endpoints/<virtual-endpoint-id>

Create or update virtual endpoint


Create or update virtual endpoint.
PATCH /policy/api/v1/infra/tier-0s/<tier-0-id>/locale-services/<locale-service-id>/endpoints/virtual-endpoints/<virtual-endpoint-id>

Create or update virtual endpoint


Create or update virtual endpoint.
PUT /policy/api/v1/infra/tier-0s/<tier-0-id>/locale-services/<locale-service-id>/endpoints/virtual-endpoints/<virtual-endpoint-id>

Read all service instance objects under a tier-0


Read all service instance objects under a tier-0
GET /policy/api/v1/infra/tier-0s/<tier-0-id>/locale-services/<locale-service-id>/service-instances

Delete policy service instance


Delete policy service instance
DELETE /policy/api/v1/infra/tier-0s/<tier-0-id>/locale-services/<locale-service-id>/service-instances/<service-instance-id>

Read service instance


Read service instance
GET /policy/api/v1/infra/tier-0s/<tier-0-id>/locale-services/<locale-service-id>/service-instances/<service-instance-id>

Create service instance


Create Service Instance.
Please note that, only display_name, description and deployment_spec_name
are allowed to be modified in an exisiting entity. If the deployment spec
name is changed, it will trigger the upgrade operation for the SVMs.
PATCH /policy/api/v1/infra/tier-0s/<tier-0-id>/locale-services/<locale-service-id>/service-instances/<service-instance-id>

Create service instance


Create service instance.
Please note that, only display_name, description and deployment_spec_name
are allowed to be modified in an exisiting entity. If the deployment spec
name is changed, it will trigger the upgrade operation for the SVMs.
PUT /policy/api/v1/infra/tier-0s/<tier-0-id>/locale-services/<locale-service-id>/service-instances/<service-instance-id>

Get statistics for all runtimes associated with this PolicyServiceInstance


Get statistics for all data NICs on all runtimes associated with this PolicyServiceInstance.
GET /policy/api/v1/infra/tier-0s/<tier-0-id>/locale-services/<locale-service-id>/service-instances/<service-instance-id>/statistics

Get list of gateway policies with rules that belong to the specific Tier-0 LocalServices.


Get filtered view of Gateway Firewall rules associated
with the Tier-0 Locale Services. The gateway policies are
returned in the order of category and sequence number.
GET /policy/api/v1/infra/tier-0s/<tier-0-id>/locale-services/<locale-services-id>/gateway-firewall
GET /policy/api/v1/global-infra/tier-0s/<tier-0-id>/locale-services/<locale-services-id>/gateway-firewall

Delete security config


Delete security config
DELETE /policy/api/v1/infra/tier-0s/<tier-0-id>/security-config

Read Security Feature


Read Security Feature.
GET /policy/api/v1/infra/tier-0s/<tier-0-id>/security-config

Create or Update security configuration


Create a T0 security configuration if it is not already present,
otherwise update the security onfiguration.
PATCH /policy/api/v1/infra/tier-0s/<tier-0-id>/security-config

Create or Update security configuration


Create or update security configuration.
PUT /policy/api/v1/infra/tier-0s/<tier-0-id>/security-config

Delete Flood Protection Profile Binding for Tier-0 Logical Router


API will delete Flood Protection Profile Binding for Tier-0 Logical Router.
DELETE /policy/api/v1/infra/tier-0s/<tier0-id>/flood-protection-profile-bindings/<flood-protection-profile-binding-id>

Get Flood Protection Profile Binding Map for Tier-0 Logical Router


API will get Flood Protection Profile Binding Map for Tier-0 Logical Router.
GET /policy/api/v1/global-infra/tier-0s/<tier0-id>/flood-protection-profile-bindings/<flood-protection-profile-binding-id>
GET /policy/api/v1/infra/tier-0s/<tier0-id>/flood-protection-profile-bindings/<flood-protection-profile-binding-id>

Create or update Flood Protection Profile Binding Map for Tier-0 Logical Router


API will create or update Flood Protection profile binding map for Tier-0 Logical Router.
PATCH /policy/api/v1/infra/tier-0s/<tier0-id>/flood-protection-profile-bindings/<flood-protection-profile-binding-id>

Create or update Flood Protection Profile Binding Map for Tier-0 Logical Router


API will create or update Flood Protection profile binding map for Tier-0 Logical Router.
PUT /policy/api/v1/infra/tier-0s/<tier0-id>/flood-protection-profile-bindings/<flood-protection-profile-binding-id>

Delete Flood Protection Profile Binding for Tier-0 Logical Router LocaleServices


API will delete Flood Protection Profile Binding for Tier-0 Logical Router LocaleServices.
DELETE /policy/api/v1/infra/tier-0s/<tier0-id>/locale-services/<locale-services-id>/flood-protection-profile-bindings/<flood-protection-profile-binding-id>

Get Flood Protection Profile Binding Map for Tier-0 Logical Router LocaleServices


API will get Flood Protection Profile Binding Map for Tier-0 Logical Router LocaleServices.
GET /policy/api/v1/global-infra/tier-0s/<tier0-id>/locale-services/<locale-services-id>/flood-protection-profile-bindings/<flood-protection-profile-binding-id>
GET /policy/api/v1/infra/tier-0s/<tier0-id>/locale-services/<locale-services-id>/flood-protection-profile-bindings/<flood-protection-profile-binding-id>

Create or update Flood Protection Profile Binding Map for Tier-0 Logical Router LocaleServices


API will create or update Flood Protection profile binding map for Tier-0 Logical Router LocaleServices.
PATCH /policy/api/v1/infra/tier-0s/<tier0-id>/locale-services/<locale-services-id>/flood-protection-profile-bindings/<flood-protection-profile-binding-id>

Create or update Flood Protection Profile Binding Map for Tier-0 Logical Router LocaleServices


API will create or update Flood Protection profile binding map for Tier-0 Logical Router LocaleServices.
PUT /policy/api/v1/infra/tier-0s/<tier0-id>/locale-services/<locale-services-id>/flood-protection-profile-bindings/<flood-protection-profile-binding-id>

Delete Session Timer Profile Binding for Tier-0 Logical Router LocaleServices


API will delete Session Timer Profile Binding for Tier-0 Logical Router LocaleServices.
DELETE /policy/api/v1/infra/tier-0s/<tier0-id>/locale-services/<locale-services-id>/session-timer-profile-bindings/<session-timer-profile-binding-id>

Get Session Timer Profile Binding Map for Tier-0 Logical Router LocaleServices


API will get Session Timer Profile Binding Map for Tier-0 Logical Router LocaleServices.
GET /policy/api/v1/infra/tier-0s/<tier0-id>/locale-services/<locale-services-id>/session-timer-profile-bindings/<session-timer-profile-binding-id>
GET /policy/api/v1/global-infra/tier-0s/<tier0-id>/locale-services/<locale-services-id>/session-timer-profile-bindings/<session-timer-profile-binding-id>

Create or update Session Timer Profile Binding Map for Tier-0 Logical Router LocaleServices


API will create or update Session Timer profile binding map for Tier-0 Logical Router LocaleServices.
PATCH /policy/api/v1/infra/tier-0s/<tier0-id>/locale-services/<locale-services-id>/session-timer-profile-bindings/<session-timer-profile-binding-id>

Create or update Session Timer Profile Binding Map for Tier-0 Logical Router LocaleServices


API will create or update Session Timer profile binding map for Tier-0 Logical Router LocaleServices.
PUT /policy/api/v1/infra/tier-0s/<tier0-id>/locale-services/<locale-services-id>/session-timer-profile-bindings/<session-timer-profile-binding-id>

Delete Session Timer Profile Binding for Tier-0 Logical Router


API will delete Session Timer Profile Binding for Tier-0 Logical Router.
DELETE /policy/api/v1/infra/tier-0s/<tier0-id>/session-timer-profile-bindings/<session-timer-profile-binding-id>

Get Session Timer Profile Binding Map for Tier-0 Logical Router


API will get Session Timer Profile Binding Map for Tier-0 Logical Router.
GET /policy/api/v1/infra/tier-0s/<tier0-id>/session-timer-profile-bindings/<session-timer-profile-binding-id>
GET /policy/api/v1/global-infra/tier-0s/<tier0-id>/session-timer-profile-bindings/<session-timer-profile-binding-id>

Create or update Session Timer Profile Binding Map for Tier-0 Logical Router


API will create or update Session Timer profile binding map for Tier-0 Logical Router.
PATCH /policy/api/v1/infra/tier-0s/<tier0-id>/session-timer-profile-bindings/<session-timer-profile-binding-id>

Create or update Session Timer Profile Binding Map for Tier-0 Logical Router


API will create or update Session Timer profile binding map for Tier-0 Logical Router.
PUT /policy/api/v1/infra/tier-0s/<tier0-id>/session-timer-profile-bindings/<session-timer-profile-binding-id>

Get list of gateway policies with rules that belong to the specific Tier-1.


Get filtered view of Gateway Firewall rules associated with the Tier-1.
The gateway policies are returned in the order of category and sequence number.
GET /policy/api/v1/global-infra/tier-1s/<tier-1-id>/gateway-firewall
GET /policy/api/v1/infra/tier-1s/<tier-1-id>/gateway-firewall

Read all Tier1 BYOD service instance objects under a tier-1


Read all Tier1 BYOD service instance objects under a tier-1
GET /policy/api/v1/infra/tier-1s/<tier-1-id>/locale-services/<locale-service-id>/byod-service-instances

Delete BYOD policy service instance


Delete BYOD policy service instance
DELETE /policy/api/v1/infra/tier-1s/<tier-1-id>/locale-services/<locale-service-id>/byod-service-instances/<service-instance-id>

Read Tier1 BYOD service instance


Read Tier1 BYOD service instance
GET /policy/api/v1/infra/tier-1s/<tier-1-id>/locale-services/<locale-service-id>/byod-service-instances/<service-instance-id>

Create Tier1 BYOD service instance


Create Tier1 BYOD Service Instance which represents instance of service definition created on manager.
PATCH /policy/api/v1/infra/tier-1s/<tier-1-id>/locale-services/<locale-service-id>/byod-service-instances/<service-instance-id>

Create Tier1 BYOD service instance


Create Tier1 BYOD Service Instance which represent instance of service definition created on manager.
PUT /policy/api/v1/infra/tier-1s/<tier-1-id>/locale-services/<locale-service-id>/byod-service-instances/<service-instance-id>

List all Tier1 service instance endpoint


List all Tier1 service instance endpoint
GET /policy/api/v1/infra/tier-1s/<tier-1-id>/locale-services/<locale-service-id>/byod-service-instances/<service-instance-id>/service-instance-endpoints

Delete Tier1 service instance endpoint


Delete Tier1 service instance endpoint
DELETE /policy/api/v1/infra/tier-1s/<tier-1-id>/locale-services/<locale-service-id>/byod-service-instances/<service-instance-id>/service-instance-endpoints/<service-instance-endpoint-id>

Read Tier1 service instance endpoint


Read Tier1 service instance endpoint
GET /policy/api/v1/infra/tier-1s/<tier-1-id>/locale-services/<locale-service-id>/byod-service-instances/<service-instance-id>/service-instance-endpoints/<service-instance-endpoint-id>

Create Tier1 service instance endpoint


Create Tier1 Service instance endpoint.
PATCH /policy/api/v1/infra/tier-1s/<tier-1-id>/locale-services/<locale-service-id>/byod-service-instances/<service-instance-id>/service-instance-endpoints/<service-instance-endpoint-id>

Create Tier1 service instance endpoint


Create Tier1 service instance endpoint with given request if not exist.
Modification of Tier1 service instance endpoint is not allowed.
PUT /policy/api/v1/infra/tier-1s/<tier-1-id>/locale-services/<locale-service-id>/byod-service-instances/<service-instance-id>/service-instance-endpoints/<service-instance-endpoint-id>

List all virtual endpoints


List all virtual endpoints
GET /policy/api/v1/infra/tier-1s/<tier-1-id>/locale-services/<locale-service-id>/endpoints/virtual-endpoints

Delete virtual endpoint


Delete virtual endpoint
DELETE /policy/api/v1/infra/tier-1s/<tier-1-id>/locale-services/<locale-service-id>/endpoints/virtual-endpoints/<virtual-endpoint-id>

Read virtual endpoint


Read virtual endpoint with given id under given Tier1.
GET /policy/api/v1/infra/tier-1s/<tier-1-id>/locale-services/<locale-service-id>/endpoints/virtual-endpoints/<virtual-endpoint-id>

Create or update virtual endpoint


Create or update virtual endpoint.
PATCH /policy/api/v1/infra/tier-1s/<tier-1-id>/locale-services/<locale-service-id>/endpoints/virtual-endpoints/<virtual-endpoint-id>

Create or update virtual endpoint


Create or update virtual endpoint.
PUT /policy/api/v1/infra/tier-1s/<tier-1-id>/locale-services/<locale-service-id>/endpoints/virtual-endpoints/<virtual-endpoint-id>

Read all service instance objects under a tier-1


Read all service instance objects under a tier-1
GET /policy/api/v1/infra/tier-1s/<tier-1-id>/locale-services/<locale-service-id>/service-instances

Delete Tier1 policy service instance


Delete Tier1 policy service instance
DELETE /policy/api/v1/infra/tier-1s/<tier-1-id>/locale-services/<locale-service-id>/service-instances/<service-instance-id>

Read Tier1 service instance


Read Tier1 service instance
GET /policy/api/v1/infra/tier-1s/<tier-1-id>/locale-services/<locale-service-id>/service-instances/<service-instance-id>

Create Tier1 service instance


Create Tier1 Service Instance.
Please note that, only display_name, description and deployment_spec_name
are allowed to be modified in an exisiting entity. If the deployment spec
name is changed, it will trigger the upgrade operation for the SVMs.
PATCH /policy/api/v1/infra/tier-1s/<tier-1-id>/locale-services/<locale-service-id>/service-instances/<service-instance-id>

Create Tier1 service instance


Create Tier1 service instance.
Please note that, only display_name, description and deployment_spec_name
are allowed to be modified in an exisiting entity. If the deployment spec
name is changed, it will trigger the upgrade operation for the SVMs.
PUT /policy/api/v1/infra/tier-1s/<tier-1-id>/locale-services/<locale-service-id>/service-instances/<service-instance-id>

Get statistics for all runtimes associated with this Tier1 PolicyServiceInstance


Get statistics for all data NICs on all runtimes associated with this Tier1 PolicyServiceInstance.
GET /policy/api/v1/infra/tier-1s/<tier-1-id>/locale-services/<locale-service-id>/service-instances/<service-instance-id>/statistics

Get list of gateway policies with rules that belong to the specific Tier-1 LocalServices.


Get filtered view of Gateway Firewall rules associated
with the Tier-1 Locale Services. The gateway policies are
returned in the order of category and sequence number.
GET /policy/api/v1/global-infra/tier-1s/<tier-1-id>/locale-services/<locale-services-id>/gateway-firewall
GET /policy/api/v1/infra/tier-1s/<tier-1-id>/locale-services/<locale-services-id>/gateway-firewall

Read Security Feature


Read Security Feature.
GET /policy/api/v1/infra/tier-1s/<tier-1-id>/security-config

Create or Update security configuration


Create a security configuration if it is not already present,
otherwise update the security onfiguration.
PATCH /policy/api/v1/infra/tier-1s/<tier-1-id>/security-config

Create or Update security configuration


Create or update security configuration.
PUT /policy/api/v1/infra/tier-1s/<tier-1-id>/security-config

TLS inspection execution state details for the tier1


TLS inspection execution state details for the tier1
GET /policy/api/v1/infra/tier-1s/<tier-1-id>/tls-inspection-state

TLS inspection execution state fqdn details for the tier1


TLS inspection execution state fqdn details for the tier1
GET /policy/api/v1/infra/tier-1s/<tier-1-id>/tls-inspection-state/fqdns

Get TLS inspection FQDN state


Get TLS inspection FQDN state
GET /policy/api/v1/infra/tier-1s/<tier-1-id>/tls-inspection-state/fqdns/<fqdn-id>

Delete Flood Protection Profile Binding for Tier-1 Logical Router


API will delete Flood Protection Profile Binding for Tier-1 Logical Router.
DELETE /policy/api/v1/infra/tier-1s/<tier1-id>/flood-protection-profile-bindings/<flood-protection-profile-binding-id>

Get Flood Protection Profile Binding Map for Tier-1 Logical Router


API will get Flood Protection Profile Binding Map for Tier-1 Logical Router.
GET /policy/api/v1/global-infra/tier-1s/<tier1-id>/flood-protection-profile-bindings/<flood-protection-profile-binding-id>
GET /policy/api/v1/infra/tier-1s/<tier1-id>/flood-protection-profile-bindings/<flood-protection-profile-binding-id>

Create or update Flood Protection Profile Binding Map for Tier-1 Logical Router


API will create or update Flood Protection profile binding map for Tier-1 Logical Router.
PATCH /policy/api/v1/infra/tier-1s/<tier1-id>/flood-protection-profile-bindings/<flood-protection-profile-binding-id>

Create or update Flood Protection Profile Binding Map for Tier-1 Logical Router


API will create or update Flood Protection profile binding map for Tier-1 Logical Router.
PUT /policy/api/v1/infra/tier-1s/<tier1-id>/flood-protection-profile-bindings/<flood-protection-profile-binding-id>

Delete Flood Protection Profile Binding for Tier-1 Logical Router LocaleServices


API will delete Flood Protection Profile Binding for Tier-1 Logical Router LocaleServices.
DELETE /policy/api/v1/infra/tier-1s/<tier1-id>/locale-services/<locale-services-id>/flood-protection-profile-bindings/<flood-protection-profile-binding-id>

Get Flood Protection Profile Binding Map for Tier-1 Logical Router LocaleServices


API will get Flood Protection Profile Binding Map for Tier-1 Logical Router LocaleServices.
GET /policy/api/v1/global-infra/tier-1s/<tier1-id>/locale-services/<locale-services-id>/flood-protection-profile-bindings/<flood-protection-profile-binding-id>
GET /policy/api/v1/infra/tier-1s/<tier1-id>/locale-services/<locale-services-id>/flood-protection-profile-bindings/<flood-protection-profile-binding-id>

Create or update Flood Protection Profile Binding Map for Tier-1 Logical Router LocaleServices


API will create or update Flood Protection profile binding map for Tier-1 Logical Router LocaleServices.
PATCH /policy/api/v1/infra/tier-1s/<tier1-id>/locale-services/<locale-services-id>/flood-protection-profile-bindings/<flood-protection-profile-binding-id>

Create or update Flood Protection Profile Binding Map for Tier-1 Logical Router LocaleServices


API will create or update Flood Protection profile binding map for Tier-1 Logical Router LocaleServices.
PUT /policy/api/v1/infra/tier-1s/<tier1-id>/locale-services/<locale-services-id>/flood-protection-profile-bindings/<flood-protection-profile-binding-id>

Delete Session Timer Profile Binding for Tier-1 Logical Router LocaleServices


API will delete Session Timer Profile Binding for Tier-1 Logical Router LocaleServices.
DELETE /policy/api/v1/infra/tier-1s/<tier1-id>/locale-services/<locale-services-id>/session-timer-profile-bindings/<session-timer-profile-binding-id>

Get Session Timer Profile Binding Map for Tier-1 Logical Router LocaleServices


API will get Session Timer Profile Binding Map for Tier-1 Logical Router LocaleServices.
GET /policy/api/v1/infra/tier-1s/<tier1-id>/locale-services/<locale-services-id>/session-timer-profile-bindings/<session-timer-profile-binding-id>
GET /policy/api/v1/global-infra/tier-1s/<tier1-id>/locale-services/<locale-services-id>/session-timer-profile-bindings/<session-timer-profile-binding-id>

Create or update Session Timer Profile Binding Map for Tier-1 Logical Router LocaleServices


API will create or update Session Timer profile binding map for Tier-1 Logical Router LocaleServices.
PATCH /policy/api/v1/infra/tier-1s/<tier1-id>/locale-services/<locale-services-id>/session-timer-profile-bindings/<session-timer-profile-binding-id>

Create or update Session Timer Profile Binding Map for Tier-1 Logical Router LocaleServices


API will create or update Session Timer profile binding map for Tier-1 Logical Router LocaleServices.
PUT /policy/api/v1/infra/tier-1s/<tier1-id>/locale-services/<locale-services-id>/session-timer-profile-bindings/<session-timer-profile-binding-id>

Delete Session Timer Profile Binding for Tier-1 Logical Router


API will delete Session Timer Profile Binding for Tier-1 Logical Router.
DELETE /policy/api/v1/infra/tier-1s/<tier1-id>/session-timer-profile-bindings/<session-timer-profile-binding-id>

Get Session Timer Profile Binding Map for Tier-1 Logical Router


API will get Session Timer Profile Binding Map for Tier-1 Logical Router.
GET /policy/api/v1/infra/tier-1s/<tier1-id>/session-timer-profile-bindings/<session-timer-profile-binding-id>
GET /policy/api/v1/global-infra/tier-1s/<tier1-id>/session-timer-profile-bindings/<session-timer-profile-binding-id>

Create or update Session Timer Profile Binding Map for Tier-1 Logical Router


API will create or update Session Timer profile binding map for Tier-1 Logical Router.
PATCH /policy/api/v1/infra/tier-1s/<tier1-id>/session-timer-profile-bindings/<session-timer-profile-binding-id>

Create or update Session Timer Profile Binding Map for Tier-1 Logical Router


API will create or update Session Timer profile binding map for Tier-1 Logical Router.
PUT /policy/api/v1/infra/tier-1s/<tier1-id>/session-timer-profile-bindings/<session-timer-profile-binding-id>

Delete TLS Config Profile Binding for Tier-1 Logical Router


API will delete TLS Config Profile Binding for Tier-1 Logical Router.
DELETE /policy/api/v1/infra/tier-1s/<tier1-id>/tls-inspection-config-profile-bindings/<tls-inspection-config-profile-binding-id>

Get TLS Config Profile Binding Map for Tier-1 Logical Router


API will get TLS Config Profile Binding Map for Tier-1 Logical Router.
GET /policy/api/v1/global-infra/tier-1s/<tier1-id>/tls-inspection-config-profile-bindings/<tls-inspection-config-profile-binding-id>
GET /policy/api/v1/infra/tier-1s/<tier1-id>/tls-inspection-config-profile-bindings/<tls-inspection-config-profile-binding-id>

Create or update TLS Config Profile Binding Map for Tier-1 Logical Router


API will create or update TLS Config profile binding map for Tier-1 Logical Router.
PATCH /policy/api/v1/infra/tier-1s/<tier1-id>/tls-inspection-config-profile-bindings/<tls-inspection-config-profile-binding-id>

Create or update TLS Config Profile Binding Map for Tier-1 Logical Router


API will create or update TLS Config profile binding map for Tier-1 Logical Router.
PUT /policy/api/v1/infra/tier-1s/<tier1-id>/tls-inspection-config-profile-bindings/<tls-inspection-config-profile-binding-id>

Get Tls profiles available.


List all the Tls profiles available by requested resource_type.
GET /policy/api/v1/infra/tls-inspection-action-profiles

Delete a Tls profile.


Deletes a Tls profile.
DELETE /policy/api/v1/infra/tls-inspection-action-profiles/<action-profile-id>

Get TLS profile with id.


Return Tls profile.
GET /policy/api/v1/infra/tls-inspection-action-profiles/<action-profile-id>

Create a Tls profile.


Create a Tls profile with values provided. It creates profile based on the resource_type in the payload.
Each action profile supports the following 3 pre-defined config setting defaults:
Balanced, High Fidelity and High Security.

1 - External Profile Balanced (default)
Sample intent path: /infra/tls-inspection-action-profiles/external-balanced-profile
API payload:

{
"tls_config_setting": "BALANCED",
"resource_type": "TlsInspectionExternalProfile",
"proxy_trusted_ca_cert": "/infra/certificates/caCert1",
"proxy_untrusted_ca_cert": "/infra/certificates/caCert2"
}

Profile with default settings:

{
"tls_config_setting": "BALANCED",
"invalid_cert_action": "ALLOW",
"decryption_fail_action": "BYPASS",
"crypto_enforcement": "ENFORCE",
"client_min_tls_version": "TLS_V1_1",
"client_max_tls_version": "TLS_V1_2",
"server_min_tls_version": "TLS_V1_1",
"server_max_tls_version": "TLS_V1_2",
"client_cipher_suite": [
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
"TLS_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_128_CBC_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
"TLS_RSA_WITH_AES_256_CBC_SHA256"
],
"server_cipher_suite": [
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
"TLS_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_128_CBC_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
"TLS_RSA_WITH_AES_256_CBC_SHA256"
],
"proxy_trusted_ca_cert": "/infra/certificates/caCert1",
"proxy_untrusted_ca_cert": "/infra/certificates/caCert2",
"ocsp_must_staple": false,
"resource_type": "TlsInspectionExternalProfile",
"id": "external-balanced-profile",
"display_name": "external-balanced-profile",
"path": "/infra/tls-inspection-action-profiles/external-balanced-profile",
"relative_path": "external-balanced-profile",
"parent_path": "/infra",
"unique_id": "bb236080-e49d-4475-9eb3-b749b075164a",
"marked_for_delete": false,
"overridden": false,
"trusted_ca_bundles": [
"/infra/cabundles/default_trusted_public_ca_bundle"
],
"crls": [
"/infra/crls/nsx_default_public_crl"
],
"idle_connection_timeout": 5400,
"_system_owned": false,
"_protection": "NOT_PROTECTED",
"_create_user": "admin",
"_create_time": 1622225641015,
"_last_modified_user": "admin",
"_last_modified_time": 1622225641015,
"_revision": 0
}


2 - External Profile High Fidelity
Sample intent path: /infra/tls-inspection-action-profiles/external-high-fidelity-profile
Sample intent path:

{
"tls_config_setting": "HIGH_FIDELITY",
"resource_type": "TlsInspectionExternalProfile",
"proxy_trusted_ca_cert": "/infra/certificates/caCert1",
"proxy_untrusted_ca_cert": "/infra/certificates/caCert2"
}

Profile with default settings:

{
"tls_config_setting": "HIGH_FIDELITY",
"invalid_cert_action": "ALLOW",
"decryption_fail_action": "BYPASS",
"crypto_enforcement": "TRANSPARENT",
"client_min_tls_version": "",
"client_max_tls_version": "",
"server_min_tls_version": "",
"server_max_tls_version": "",
"client_cipher_suite": [],
"server_cipher_suite": [],
"proxy_trusted_ca_cert": "/infra/certificates/caCert1",
"proxy_untrusted_ca_cert": "/infra/certificates/caCert2",
"ocsp_must_staple": false,
"resource_type": "TlsInspectionExternalProfile",
"id": "external-high-fidelity-profile",
"display_name": "external-high-fidelity-profile",
"path": "/infra/tls-inspection-action-profiles/external-high-fidelity-profile",
"relative_path": "external-high-fidelity-profile",
"parent_path": "/infra",
"unique_id": "bb6c8604-c8eb-44dd-aded-7407e0ca887c",
"marked_for_delete": false,
"overridden": false,
"trusted_ca_bundles": [
"/infra/cabundles/default_trusted_public_ca_bundle"
],
"crls": [
"/infra/crls/nsx_default_public_crl"
],
"idle_connection_timeout": 5400,
"_system_owned": false,
"_protection": "NOT_PROTECTED",
"_create_user": "admin",
"_create_time": 1622225537386,
"_last_modified_user": "admin",
"_last_modified_time": 1622225537386,
"_revision": 0
}


3 - External Profile High Security
Sample intent path:/infra/tls-inspection-action-profiles/external-high-security-profile
Sample intent path:

{
"tls_config_setting": "HIGH_SECURITY",
"resource_type": "TlsInspectionExternalProfile",
"proxy_trusted_ca_cert": "/infra/certificates/caCert1",
"proxy_untrusted_ca_cert": "/infra/certificates/caCert2"
}

Profile with default settings:

{
"tls_config_setting": "HIGH_SECURITY",
"invalid_cert_action": "BLOCK",
"decryption_fail_action": "BLOCK",
"crypto_enforcement": "ENFORCE",
"client_min_tls_version": "TLS_V1_2",
"client_max_tls_version": "TLS_V1_2",
"server_min_tls_version": "TLS_V1_2",
"server_max_tls_version": "TLS_V1_2",
"client_cipher_suite": [
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
],
"server_cipher_suite": [
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
],
"proxy_trusted_ca_cert": "/infra/certificates/caCert1",
"proxy_untrusted_ca_cert": "/infra/certificates/caCert2",
"ocsp_must_staple": false,
"resource_type": "TlsInspectionExternalProfile",
"id": "external-high-security-profile",
"display_name": "external-high-security-profile",
"path": "/infra/tls-inspection-action-profiles/external-high-security-profile",
"relative_path": "external-high-security-profile",
"parent_path": "/infra",
"unique_id": "e19cbc40-c679-4f32-9e40-aa5eedf7f254",
"marked_for_delete": false,
"overridden": false,
"trusted_ca_bundles": [
"/infra/cabundles/default_trusted_public_ca_bundle"
],
"crls": [
"/infra/crls/nsx_default_public_crl"
],
"idle_connection_timeout": 5400,
"_system_owned": false,
"_protection": "NOT_PROTECTED",
"_create_user": "admin",
"_create_time": 1622141786963,
"_last_modified_user": "admin",
"_last_modified_time": 1622225387352,
"_revision": 4
}


4 - Internal Profile Balanced
Sample intent path:/infra/tls-inspection-action-profiles/internal-balanced-profile
Sample intent path:

{
"tls_config_setting": "BALANCED",
"resource_type": "TlsInspectionInternalProfile",
"server_certs_key": ["/infra/certificates/server-cert-1"],
"default_cert_key": "/infra/certificates/server-cert-1"
}

Profile with default settings:

{
"tls_config_setting": "BALANCED",
"decryption_fail_action": "BYPASS",
"crypto_enforcement": "ENFORCE",
"client_min_tls_version": "TLS_V1_1",
"client_max_tls_version": "TLS_V1_2",
"server_min_tls_version": "TLS_V1_1",
"server_max_tls_version": "TLS_V1_2",
"client_cipher_suite": [
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
"TLS_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_128_CBC_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
"TLS_RSA_WITH_AES_256_CBC_SHA256"
],
"server_cipher_suite": [
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
"TLS_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_128_CBC_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
"TLS_RSA_WITH_AES_256_CBC_SHA256"
],
"server_certs_key": [
"/infra/certificates/server-cert-1"
],
"default_cert_key": "/infra/certificates/server-cert-1",
"ocsp_must_staple": false,
"certificate_validation": false,
"resource_type": "TlsInspectionInternalProfile",
"id": "internal-balanced-profile",
"display_name": "internal-balanced-profile",
"path": "/infra/tls-inspection-action-profiles/internal-balanced-profile",
"relative_path": "internal-balanced-profile",
"parent_path": "/infra",
"unique_id": "b8486763-843a-4894-8dfd-5bceebb10cd3",
"marked_for_delete": false,
"overridden": false,
"trusted_ca_bundles": [
"/infra/cabundles/default_trusted_public_ca_bundle"
],
"crls": [
"/infra/crls/nsx_default_public_crl"
],
"idle_connection_timeout": 5400,
"_system_owned": false,
"_protection": "NOT_PROTECTED",
"_create_user": "admin",
"_create_time": 1622071598527,
"_last_modified_user": "admin",
"_last_modified_time": 1622071598527,
"_revision": 0
}


5 - Internal Profile High Fidelity
Sample intent path:/infra/tls-inspection-action-profiles/internal-high-fidelity-profile
Sample intent path:

{
"tls_config_setting": "HIGH_FIDELITY",
"resource_type": "TlsInspectionInternalProfile",
"server_certs_key": ["/infra/certificates/server-cert-1"],
"default_cert_key": "/infra/certificates/server-cert-1"
}

Profile with default settings:

{
"tls_config_setting": "HIGH_FIDELITY",
"decryption_fail_action": "BYPASS",
"crypto_enforcement": "TRANSPARENT",
"client_min_tls_version": "",
"client_max_tls_version": "",
"server_min_tls_version": "",
"server_max_tls_version": "",
"client_cipher_suite": [],
"server_cipher_suite": [],
"server_certs_key": [
"/infra/certificates/server-cert-1"
],
"default_cert_key": "/infra/certificates/server-cert-1",
"ocsp_must_staple": false,
"certificate_validation": false,
"resource_type": "TlsInspectionInternalProfile",
"id": "internal-high-fidelity-profile",
"display_name": "internal-high-fidelity-profile",
"path": "/infra/tls-inspection-action-profiles/internal-high-fidelity-profile",
"relative_path": "internal-high-fidelity-profile",
"parent_path": "/infra",
"unique_id": "27609d17-e642-4a7a-b414-176b3f7eca8d",
"marked_for_delete": false,
"overridden": false,
"trusted_ca_bundles": [
"/infra/cabundles/default_trusted_public_ca_bundle"
],
"crls": [
"/infra/crls/nsx_default_public_crl"
],
"idle_connection_timeout": 5400,
"_system_owned": false,
"_protection": "NOT_PROTECTED",
"_create_user": "admin",
"_create_time": 1622071452299,
"_last_modified_user": "admin",
"_last_modified_time": 1622071452299,
"_revision": 0
}


6 - Internal Profile High Security
Sample intent path:/infra/tls-inspection-action-profiles/internal-high-security-profile
Sample intent path:

{
"tls_config_setting": "HIGH_SECURITY",
"resource_type": "TlsInspectionInternalProfile",
"server_certs_key": ["/infra/certificates/server-cert-1"],
"default_cert_key": "/infra/certificates/server-cert-1"
}


Profile with default settings:

{
"tls_config_setting": "HIGH_SECURITY",
"decryption_fail_action": "BLOCK",
"crypto_enforcement": "ENFORCE",
"client_min_tls_version": "TLS_V1_2",
"client_max_tls_version": "TLS_V1_2",
"server_min_tls_version": "TLS_V1_2",
"server_max_tls_version": "TLS_V1_2",
"client_cipher_suite": [
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
],
"server_cipher_suite": [
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
],
"server_certs_key": [
"/infra/certificates/server-cert-1"
],
"default_cert_key": "/infra/certificates/server-cert-1",
"ocsp_must_staple": false,
"certificate_validation": false,
"resource_type": "TlsInspectionInternalProfile",
"id": "internal-high-security-profile",
"display_name": "internal-high-security-profile",
"path": "/infra/tls-inspection-action-profiles/internal-high-security-profile",
"relative_path": "internal-high-security-profile",
"parent_path": "/infra",
"unique_id": "52e3e7e8-718d-4eaf-a177-501f196c421a",
"marked_for_delete": false,
"overridden": false,
"trusted_ca_bundles": [
"/infra/cabundles/default_trusted_public_ca_bundle"
],
"crls": [
"/infra/crls/nsx_default_public_crl"
],
"idle_connection_timeout": 5400,
"_system_owned": false,
"_protection": "NOT_PROTECTED",
"_create_user": "admin",
"_create_time": 1622071359539,
"_last_modified_user": "admin",
"_last_modified_time": 1622071359539,
"_revision": 0
}

PATCH /policy/api/v1/infra/tls-inspection-action-profiles/<action-profile-id>

Update a Tls profile.


Update user configurable properties of Tls profile.
Each action profile supports the following 3 pre-defined config setting defaults:
Balanced, High Fidelity and High Security.

1 - External Profile Balanced (default)
Sample intent path: /infra/tls-inspection-action-profiles/external-balanced-profile
API payload:

{
"tls_config_setting": "BALANCED",
"resource_type": "TlsInspectionExternalProfile",
"proxy_trusted_ca_cert": "/infra/certificates/caCert1",
"proxy_untrusted_ca_cert": "/infra/certificates/caCert2"
}

Profile with default settings:

{
"tls_config_setting": "BALANCED",
"invalid_cert_action": "ALLOW",
"decryption_fail_action": "BYPASS",
"crypto_enforcement": "ENFORCE",
"client_min_tls_version": "TLS_V1_1",
"client_max_tls_version": "TLS_V1_2",
"server_min_tls_version": "TLS_V1_1",
"server_max_tls_version": "TLS_V1_2",
"client_cipher_suite": [
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
"TLS_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_128_CBC_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
"TLS_RSA_WITH_AES_256_CBC_SHA256"
],
"server_cipher_suite": [
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
"TLS_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_128_CBC_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
"TLS_RSA_WITH_AES_256_CBC_SHA256"
],
"proxy_trusted_ca_cert": "/infra/certificates/caCert1",
"proxy_untrusted_ca_cert": "/infra/certificates/caCert2",
"ocsp_must_staple": false,
"resource_type": "TlsInspectionExternalProfile",
"id": "external-balanced-profile",
"display_name": "external-balanced-profile",
"path": "/infra/tls-inspection-action-profiles/external-balanced-profile",
"relative_path": "external-balanced-profile",
"parent_path": "/infra",
"unique_id": "bb236080-e49d-4475-9eb3-b749b075164a",
"marked_for_delete": false,
"overridden": false,
"trusted_ca_bundles": [
"/infra/cabundles/default_trusted_public_ca_bundle"
],
"crls": [
"/infra/crls/nsx_default_public_crl"
],
"idle_connection_timeout": 5400,
"_system_owned": false,
"_protection": "NOT_PROTECTED",
"_create_user": "admin",
"_create_time": 1622225641015,
"_last_modified_user": "admin",
"_last_modified_time": 1622225641015,
"_revision": 0
}


2 - External Profile High Fidelity
Sample intent path: /infra/tls-inspection-action-profiles/external-high-fidelity-profile
Sample intent path:

{
"tls_config_setting": "HIGH_FIDELITY",
"resource_type": "TlsInspectionExternalProfile",
"proxy_trusted_ca_cert": "/infra/certificates/caCert1",
"proxy_untrusted_ca_cert": "/infra/certificates/caCert2"
}

Profile with default settings:

{
"tls_config_setting": "HIGH_FIDELITY",
"invalid_cert_action": "ALLOW",
"decryption_fail_action": "BYPASS",
"crypto_enforcement": "TRANSPARENT",
"client_min_tls_version": "",
"client_max_tls_version": "",
"server_min_tls_version": "",
"server_max_tls_version": "",
"client_cipher_suite": [],
"server_cipher_suite": [],
"proxy_trusted_ca_cert": "/infra/certificates/caCert1",
"proxy_untrusted_ca_cert": "/infra/certificates/caCert2",
"ocsp_must_staple": false,
"resource_type": "TlsInspectionExternalProfile",
"id": "external-high-fidelity-profile",
"display_name": "external-high-fidelity-profile",
"path": "/infra/tls-inspection-action-profiles/external-high-fidelity-profile",
"relative_path": "external-high-fidelity-profile",
"parent_path": "/infra",
"unique_id": "bb6c8604-c8eb-44dd-aded-7407e0ca887c",
"marked_for_delete": false,
"overridden": false,
"trusted_ca_bundles": [
"/infra/cabundles/default_trusted_public_ca_bundle"
],
"crls": [
"/infra/crls/nsx_default_public_crl"
],
"idle_connection_timeout": 5400,
"_system_owned": false,
"_protection": "NOT_PROTECTED",
"_create_user": "admin",
"_create_time": 1622225537386,
"_last_modified_user": "admin",
"_last_modified_time": 1622225537386,
"_revision": 0
}


3 - External Profile High Security
Sample intent path:/infra/tls-inspection-action-profiles/external-high-security-profile
Sample intent path:

{
"tls_config_setting": "HIGH_SECURITY",
"resource_type": "TlsInspectionExternalProfile",
"proxy_trusted_ca_cert": "/infra/certificates/caCert1",
"proxy_untrusted_ca_cert": "/infra/certificates/caCert2"
}

Profile with default settings:

{
"tls_config_setting": "HIGH_SECURITY",
"invalid_cert_action": "BLOCK",
"decryption_fail_action": "BLOCK",
"crypto_enforcement": "ENFORCE",
"client_min_tls_version": "TLS_V1_2",
"client_max_tls_version": "TLS_V1_2",
"server_min_tls_version": "TLS_V1_2",
"server_max_tls_version": "TLS_V1_2",
"client_cipher_suite": [
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
],
"server_cipher_suite": [
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
],
"proxy_trusted_ca_cert": "/infra/certificates/caCert1",
"proxy_untrusted_ca_cert": "/infra/certificates/caCert2",
"ocsp_must_staple": false,
"resource_type": "TlsInspectionExternalProfile",
"id": "external-high-security-profile",
"display_name": "external-high-security-profile",
"path": "/infra/tls-inspection-action-profiles/external-high-security-profile",
"relative_path": "external-high-security-profile",
"parent_path": "/infra",
"unique_id": "e19cbc40-c679-4f32-9e40-aa5eedf7f254",
"marked_for_delete": false,
"overridden": false,
"trusted_ca_bundles": [
"/infra/cabundles/default_trusted_public_ca_bundle"
],
"crls": [
"/infra/crls/nsx_default_public_crl"
],
"idle_connection_timeout": 5400,
"_system_owned": false,
"_protection": "NOT_PROTECTED",
"_create_user": "admin",
"_create_time": 1622141786963,
"_last_modified_user": "admin",
"_last_modified_time": 1622225387352,
"_revision": 4
}


4 - Internal Profile Balanced
Sample intent path:/infra/tls-inspection-action-profiles/internal-balanced-profile
Sample intent path:

{
"tls_config_setting": "BALANCED",
"resource_type": "TlsInspectionInternalProfile",
"server_certs_key": ["/infra/certificates/server-cert-1"],
"default_cert_key": "/infra/certificates/server-cert-1"
}

Profile with default settings:

{
"tls_config_setting": "BALANCED",
"decryption_fail_action": "BYPASS",
"crypto_enforcement": "ENFORCE",
"client_min_tls_version": "TLS_V1_1",
"client_max_tls_version": "TLS_V1_2",
"server_min_tls_version": "TLS_V1_1",
"server_max_tls_version": "TLS_V1_2",
"client_cipher_suite": [
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
"TLS_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_128_CBC_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
"TLS_RSA_WITH_AES_256_CBC_SHA256"
],
"server_cipher_suite": [
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
"TLS_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_128_CBC_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
"TLS_RSA_WITH_AES_256_CBC_SHA256"
],
"server_certs_key": [
"/infra/certificates/server-cert-1"
],
"default_cert_key": "/infra/certificates/server-cert-1",
"ocsp_must_staple": false,
"certificate_validation": false,
"resource_type": "TlsInspectionInternalProfile",
"id": "internal-balanced-profile",
"display_name": "internal-balanced-profile",
"path": "/infra/tls-inspection-action-profiles/internal-balanced-profile",
"relative_path": "internal-balanced-profile",
"parent_path": "/infra",
"unique_id": "b8486763-843a-4894-8dfd-5bceebb10cd3",
"marked_for_delete": false,
"overridden": false,
"trusted_ca_bundles": [
"/infra/cabundles/default_trusted_public_ca_bundle"
],
"crls": [
"/infra/crls/nsx_default_public_crl"
],
"idle_connection_timeout": 5400,
"_system_owned": false,
"_protection": "NOT_PROTECTED",
"_create_user": "admin",
"_create_time": 1622071598527,
"_last_modified_user": "admin",
"_last_modified_time": 1622071598527,
"_revision": 0
}


5 - Internal Profile High Fidelity
Sample intent path:/infra/tls-inspection-action-profiles/internal-high-fidelity-profile
Sample intent path:

{
"tls_config_setting": "HIGH_FIDELITY",
"resource_type": "TlsInspectionInternalProfile",
"server_certs_key": ["/infra/certificates/server-cert-1"],
"default_cert_key": "/infra/certificates/server-cert-1"
}

Profile with default settings:

{
"tls_config_setting": "HIGH_FIDELITY",
"decryption_fail_action": "BYPASS",
"crypto_enforcement": "TRANSPARENT",
"client_min_tls_version": "",
"client_max_tls_version": "",
"server_min_tls_version": "",
"server_max_tls_version": "",
"client_cipher_suite": [],
"server_cipher_suite": [],
"server_certs_key": [
"/infra/certificates/server-cert-1"
],
"default_cert_key": "/infra/certificates/server-cert-1",
"ocsp_must_staple": false,
"certificate_validation": false,
"resource_type": "TlsInspectionInternalProfile",
"id": "internal-high-fidelity-profile",
"display_name": "internal-high-fidelity-profile",
"path": "/infra/tls-inspection-action-profiles/internal-high-fidelity-profile",
"relative_path": "internal-high-fidelity-profile",
"parent_path": "/infra",
"unique_id": "27609d17-e642-4a7a-b414-176b3f7eca8d",
"marked_for_delete": false,
"overridden": false,
"trusted_ca_bundles": [
"/infra/cabundles/default_trusted_public_ca_bundle"
],
"crls": [
"/infra/crls/nsx_default_public_crl"
],
"idle_connection_timeout": 5400,
"_system_owned": false,
"_protection": "NOT_PROTECTED",
"_create_user": "admin",
"_create_time": 1622071452299,
"_last_modified_user": "admin",
"_last_modified_time": 1622071452299,
"_revision": 0
}


6 - Internal Profile High Security
Sample intent path:/infra/tls-inspection-action-profiles/internal-high-security-profile
Sample intent path:

{
"tls_config_setting": "HIGH_SECURITY",
"resource_type": "TlsInspectionInternalProfile",
"server_certs_key": ["/infra/certificates/server-cert-1"],
"default_cert_key": "/infra/certificates/server-cert-1"
}


Profile with default settings:

{
"tls_config_setting": "HIGH_SECURITY",
"decryption_fail_action": "BLOCK",
"crypto_enforcement": "ENFORCE",
"client_min_tls_version": "TLS_V1_2",
"client_max_tls_version": "TLS_V1_2",
"server_min_tls_version": "TLS_V1_2",
"server_max_tls_version": "TLS_V1_2",
"client_cipher_suite": [
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
],
"server_cipher_suite": [
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
],
"server_certs_key": [
"/infra/certificates/server-cert-1"
],
"default_cert_key": "/infra/certificates/server-cert-1",
"ocsp_must_staple": false,
"certificate_validation": false,
"resource_type": "TlsInspectionInternalProfile",
"id": "internal-high-security-profile",
"display_name": "internal-high-security-profile",
"path": "/infra/tls-inspection-action-profiles/internal-high-security-profile",
"relative_path": "internal-high-security-profile",
"parent_path": "/infra",
"unique_id": "52e3e7e8-718d-4eaf-a177-501f196c421a",
"marked_for_delete": false,
"overridden": false,
"trusted_ca_bundles": [
"/infra/cabundles/default_trusted_public_ca_bundle"
],
"crls": [
"/infra/crls/nsx_default_public_crl"
],
"idle_connection_timeout": 5400,
"_system_owned": false,
"_protection": "NOT_PROTECTED",
"_create_user": "admin",
"_create_time": 1622071359539,
"_last_modified_user": "admin",
"_last_modified_time": 1622071359539,
"_revision": 0
}

PUT /policy/api/v1/infra/tls-inspection-action-profiles/<action-profile-id>

List TLS policies


List all TLS policies.
GET /policy/api/v1/infra/tls-inspection-policies

Delete TlsPolicy


Delete TlsPolicy
DELETE /policy/api/v1/infra/tls-inspection-policies/<policy-id>

Read tls policy


Read TLS policy.
GET /policy/api/v1/infra/tls-inspection-policies/<policy-id>

Update TLS policy


Update the TLS policy. This is a full replace.
All the rules are replaced.
Performance Note: If you want to edit several rules in a TLS policy
use this API. It will perform better than several individual rule APIs.
Just pass all the rules which you wish to edit as embedded rules to it.
PATCH /policy/api/v1/infra/tls-inspection-policies/<policy-id>

Update TLS policy


Update the TLS policy. This is a full replace.
All the rules are replaced.
Performance Note: If you want to edit several rules in a TLS policy,
use this API. It will perform better than several individual rule APIs.
Just pass all the rules which you wish to edit as embedded rules to it.
PUT /policy/api/v1/infra/tls-inspection-policies/<policy-id>

List TLS rules


List TLS rules
GET /policy/api/v1/infra/tls-inspection-policies/<policy-id>/rules

Delete rule


Delete rule
DELETE /policy/api/v1/infra/tls-inspection-policies/<policy-id>/rules/<rule-id>

Read rule


Read rule
GET /policy/api/v1/infra/tls-inspection-policies/<policy-id>/rules/<rule-id>

Update TLS rule


Update the TLS rule.
Create new rule if a rule with the rule-id is not already present.
Performance Note: If you want to edit several rules in a TLS policy,
prefer below mentioned API for optimal performance.
Pass all the rules which you wish to edit as embedded rules to it.
Use this API - PATCH (or PUT)
/infra/tls-inspection-policies/<policy-id>
PATCH /policy/api/v1/infra/tls-inspection-policies/<policy-id>/rules/<rule-id>

Update TLS rule


Update the TLS rule.
Create new rule if a rule with the rule-id is not already present.
Performance Note: If you want to edit several rules in a TLS policy,
prefer below mentioned API for optimal performance.
Pass all the rules which you wish to edit as embedded rules to it.
Use this API - PATCH (or PUT)
/infra/tls-inspection-policies/<policy-id>
PUT /policy/api/v1/infra/tls-inspection-policies/<policy-id>/rules/<rule-id>

Get the list of URL categories.


Gets the list of categories. This will provide all the supported categories
along with their ids. Few examples of these categories are Shopping, Social
Networks, Streaming sites, etc.
GET /policy/api/v1/infra/url-categories

Get the list of reputation severity


Gets the list of reputation severities. This will provide all the supported
severities along with their ids, min and max reputaitons.
The min_reputation and max_reputation
specify the range of the reputations which belong to a particular
severity. For instance, any reputation between 1 to 20 belongs to the
severity 'High Risk'. Similary a reputation between 81 to 100 belong
to the severity 'Trustworthy'.
GET /policy/api/v1/infra/url-reputation-severities

Post User Login/Logout events for IDFW


API to receive User Login and Logout events for IDFW
POST /policy/api/v1/system/input/login-logout-events