Management Plane API > Security > Services > Firewall
| Name | Description | Type | Notes |
|---|---|---|---|
| id | Identifier of the anchor rule or section. This is a required field in case operation like 'insert_before' and 'insert_after'. | string | Maximum length: 64 |
| operation | Operation | string | Enum: insert_top, insert_bottom, insert_after, insert_before Default: "insert_top" |
| Name | Description | Type | Notes |
|---|---|---|---|
| _create_time | Timestamp of resource creation | EpochMsTimestamp | Readonly Sortable |
| _create_user | ID of the user who created this resource | string | Readonly |
| _last_modified_time | Timestamp of last modification | EpochMsTimestamp | Readonly Sortable |
| _last_modified_user | ID of the user who last modified this resource | string | Readonly |
| _links | References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST. |
array of ResourceLink | Readonly |
| _protection | Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity. |
string | Readonly |
| _revision | Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected. |
int | |
| _schema | Schema for this resource | string | Readonly |
| _self | Link to this resource | SelfResourceLink | Readonly |
| _system_owned | Indicates system owned resource | boolean | Readonly |
| applied_tos | AppliedTo List List of objects where the rules in this section will be enforced. This will take precedence over rule level appliedTo. |
array of ResourceReference | Maximum items: 128 |
| autoplumbed | Tells if a section is auto-plumbed or not This flag indicates whether it is an auto-plumbed section that is associated to a LogicalRouter. Auto-plumbed sections are system owned and cannot be updated via the API. |
boolean | Readonly Default: "False" |
| category | Section category Category from policy framework. |
string | Readonly |
| comments | Section lock/unlock comments Comments for section lock/unlock. |
string | Readonly |
| description | Description of this resource | string | Maximum length: 1024 Sortable |
| display_name | Identifier to use when displaying entity in logs or GUI Defaults to ID if not set |
string | Maximum length: 255 Sortable |
| enforced_on | Firewall Section Enforcement type This attribute represents enforcement point of firewall section. For example, firewall section enforced on logical port with attachment type bridge endpoint will have 'BRIDGEENDPOINT' value, firewall section enforced on logical router will have 'LOGICALROUTER' value and rest have 'VIF' value. |
string | Readonly |
| firewall_schedule | Firewall Schedule Reference Reference of the firewall schedule during which this section will be valid. |
ResourceReference | |
| id | Unique identifier of this resource | string | Sortable |
| is_default | Default section flag It is a boolean flag which reflects whether a distributed service section is default section or not. Each Layer 3 and Layer 2 section will have at least and at most one default section. |
boolean | Readonly |
| lock_modified_by | Lock modified by user ID of the user who last modified the lock for the section. |
string | Readonly |
| lock_modified_time | Section locked/unlocked time Section locked/unlocked time in epoch milliseconds. |
EpochMsTimestamp | Readonly |
| locked | Section Locked Section is locked/unlocked. |
boolean | Readonly Default: "False" |
| priority | Section priority Priority of current section with respect to other sections. In case the field is empty, the list section api should be used to get section priority. |
integer | Readonly |
| resource_type | Must be set to the value FirewallSection | string | |
| rule_count | Rule count Number of rules in this section. |
integer | Readonly |
| section_type | Section Type Type of the rules which a section can contain. Only homogeneous sections are supported. |
string | Required Enum: LAYER2, LAYER3, L3REDIRECT, IDS |
| stateful | Stateful nature of the distributed service rules in the section. Stateful or Stateless nature of distributed service section is enforced on all rules inside the section. Layer3 sections can be stateful or stateless. Layer2 sections can only be stateless. |
boolean | Required |
| tags | Opaque identifiers meaningful to the API user | array of Tag | Maximum items: 30 |
| tcp_strict | TCP Strict If TCP strict is enabled on a section and a packet matches rule in it, the following check will be performed. If the packet does not belong to an existing session, the kernel will check to see if the SYN flag of the packet is set. If it is not, then it will drop the packet. |
boolean | Default: "False" |
| Name | Description | Type | Notes |
|---|---|---|---|
| _create_time | Timestamp of resource creation | EpochMsTimestamp | Readonly Sortable |
| _create_user | ID of the user who created this resource | string | Readonly |
| _last_modified_time | Timestamp of last modification | EpochMsTimestamp | Readonly Sortable |
| _last_modified_user | ID of the user who last modified this resource | string | Readonly |
| _links | References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST. |
array of ResourceLink | Readonly |
| _protection | Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity. |
string | Readonly |
| _revision | Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected. |
int | |
| _schema | Schema for this resource | string | Readonly |
| _self | Link to this resource | SelfResourceLink | Readonly |
| _system_owned | Indicates system owned resource | boolean | Readonly |
| applied_tos | AppliedTo List List of objects where the rules in this section will be enforced. This will take precedence over rule level appliedTo. |
array of ResourceReference | Maximum items: 128 |
| autoplumbed | Tells if a section is auto-plumbed or not This flag indicates whether it is an auto-plumbed section that is associated to a LogicalRouter. Auto-plumbed sections are system owned and cannot be updated via the API. |
boolean | Readonly Default: "False" |
| category | Section category Category from policy framework. |
string | Readonly |
| comments | Section lock/unlock comments Comments for section lock/unlock. |
string | Readonly |
| description | Description of this resource | string | Maximum length: 1024 Sortable |
| display_name | Identifier to use when displaying entity in logs or GUI Defaults to ID if not set |
string | Maximum length: 255 Sortable |
| enforced_on | Firewall Section Enforcement type This attribute represents enforcement point of firewall section. For example, firewall section enforced on logical port with attachment type bridge endpoint will have 'BRIDGEENDPOINT' value, firewall section enforced on logical router will have 'LOGICALROUTER' value and rest have 'VIF' value. |
string | Readonly |
| firewall_schedule | Firewall Schedule Reference Reference of the firewall schedule during which this section will be valid. |
ResourceReference | |
| id | Unique identifier of this resource | string | Sortable |
| is_default | Default section flag It is a boolean flag which reflects whether a distributed service section is default section or not. Each Layer 3 and Layer 2 section will have at least and at most one default section. |
boolean | Readonly |
| lock_modified_by | Lock modified by user ID of the user who last modified the lock for the section. |
string | Readonly |
| lock_modified_time | Section locked/unlocked time Section locked/unlocked time in epoch milliseconds. |
EpochMsTimestamp | Readonly |
| locked | Section Locked Section is locked/unlocked. |
boolean | Readonly Default: "False" |
| priority | Section priority Priority of current section with respect to other sections. In case the field is empty, the list section api should be used to get section priority. |
integer | Readonly |
| resource_type | Must be set to the value FirewallSection | string | |
| rule_count | Rule count Number of rules in this section. |
integer | Readonly |
| section_type | Section Type Type of the rules which a section can contain. Only homogeneous sections are supported. |
string | Required Enum: LAYER2, LAYER3, L3REDIRECT, IDS |
| stateful | Stateful nature of the distributed service rules in the section. Stateful or Stateless nature of distributed service section is enforced on all rules inside the section. Layer3 sections can be stateful or stateless. Layer2 sections can only be stateless. |
boolean | Required |
| tags | Opaque identifiers meaningful to the API user | array of Tag | Maximum items: 30 |
| tcp_strict | TCP Strict If TCP strict is enabled on a section and a packet matches rule in it, the following check will be performed. If the packet does not belong to an existing session, the kernel will check to see if the SYN flag of the packet is set. If it is not, then it will drop the packet. |
boolean | Default: "False" |