Read an Existing Rule

Return existing firewall rule information.

Request:

Method:

GET

URI Path(s):

/api/v1/firewall/rules/<rule-id>

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request:

GET https://<nsx-mgr>/api/v1/firewall/rules/111616

Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

FirewallRule+

FirewallRule (schema)

Name	Description	Type	Notes
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_owner	Owner of this resource	OwnerResourceLink	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
action	Action Action enforced on the packets which matches the distributed service rule. Currently DS Layer supports below actions. ALLOW - Forward any packet when a rule with this action gets a match (Used by Firewall). DROP - Drop any packet when a rule with this action gets a match. Packets won't go further(Used by Firewall). REJECT - Terminate TCP connection by sending TCP reset for a packet when a rule with this action gets a match (Used by Firewall). REDIRECT - Redirect any packet to a partner appliance when a rule with this action gets a match (Used by Service Insertion). DO_NOT_REDIRECT - Do not redirect any packet to a partner appliance when a rule with this action gets a match (Used by Service Insertion). DETECT - Detect IDS Signatures.	string	Required Enum: ALLOW, DROP, REJECT, REDIRECT, DO_NOT_REDIRECT, DETECT
applied_tos	AppliedTo List List of object where rule will be enforced. The section level field overrides this one. Null will be treated as any.	array of ResourceReference	Maximum items: 128
context_profiles	Context Profiles NS Profile object which accepts attributes and sub-attributes of various network services (ex. L7 AppId, domain name, encryption algorithm) as key value pairs.	array of ResourceReference	Maximum items: 128
description	Description of this resource	string	Maximum length: 1024 Sortable
destinations	Destination List List of the destinations. Null will be treated as any.	array of ResourceReference	Maximum items: 128
destinations_excluded	Negation of destination Negation of the destination.	boolean	Default: "False"
direction	Rule direction Rule direction in case of stateless distributed service rules. This will only considered if section level parameter is set to stateless. Default to IN_OUT if not specified.	string	Enum: IN, OUT, IN_OUT Default: "IN_OUT"
disabled	Rule enable/disable flag Flag to disable rule. Disabled will only be persisted but never provisioned/realized.	boolean	Default: "False"
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
extended_sources	Extended Sources List of NSGroups that have end point attributes like AD Groups(SID), process name, process hash etc. For Flash release, only NSGroups containing AD Groups are supported.	array of ResourceReference	Maximum items: 128
id	Identifier of the resource	string	Readonly
ip_protocol	IPv4 vs IPv6 packet type Type of IP packet that should be matched while enforcing the rule.	string	Enum: IPV4, IPV6, IPV4_IPV6 Default: "IPV4_IPV6"
is_default	Default rule Flag to indicate whether rule is default.	boolean	Readonly
logged	Enable logging flag Flag to enable packet logging. Default is disabled.	boolean	Default: "False"
notes	Notes User notes specific to the rule.	string	Maximum length: 2048
priority	Rule priority Priority of the rule.	integer	Readonly
resource_type	Must be set to the value FirewallRule	string
rule_tag	Tag User level field which will be printed in CLI and packet logs.	string	Maximum length: 32
section_id	Section Id Section Id of the section to which this rule belongs to.	string	Readonly
services	Service List List of the services. Null will be treated as any.	array of FirewallService	Maximum items: 128
sources	Source List List of sources. Null will be treated as any.	array of ResourceReference	Maximum items: 128
sources_excluded	Negation of source Negation of the source.	boolean	Default: "False"

Example Response:

{ "id": "111616", "display_name": "allow-icmp", "notes": "", "destinations_excluded": false, "destinations": [ { target_display_name": "app-switch", "is_valid": true, "target_type": "LogicalSwitch", "target_id": "1d9fb5cb-0344-4d7f-899a-afd93276899f" }, { "target_display_name": "web-switch", "is_valid": true, "target_type": "LogicalSwitch", "target_id": "b489b427-9f14-401e-81db-d1105a1917fe" } ], "services": [ { "service": { "resource_type": "ICMPTypeNSService", "icmp_type": 8, "protocol": "ICMPv4", "icmp_code": 0 } } ], "ip_protocol": "IPV4_IPV6", "rule_tag": "", "logged": false, "action": "ALLOW", "sources_excluded": false, "disabled": false, "direction": "IN_OUT", "section_id": "16a93c39-5822-469e-b0be-70728153642e", "_revision": 3 }

Read an Existing Rule

Request:

Example Request:

Successful Response:

FirewallRule (schema)

Example Response:

Required Permissions:

Feature:

Additional Errors: