FirewallRule (type)

{
  "extends": {
    "$ref": "DSRule"
  }, 
  "id": "FirewallRule", 
  "module_id": "Firewall", 
  "properties": {
    "_links": {
      "description": "The server will populate this field when returning the resource. Ignored on PUT and POST.", 
      "items": {
        "$ref": "ResourceLink"
      }, 
      "readonly": true, 
      "title": "References related to this resource", 
      "type": "array"
    }, 
    "_owner": {
      "$ref": "OwnerResourceLink", 
      "readonly": true, 
      "title": "Owner of this resource"
    }, 
    "_revision": {
      "description": "The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.", 
      "title": "Generation of this resource config", 
      "type": "int"
    }, 
    "_schema": {
      "readonly": true, 
      "title": "Schema for this resource", 
      "type": "string"
    }, 
    "_self": {
      "$ref": "SelfResourceLink", 
      "readonly": true, 
      "title": "Link to this resource"
    }, 
    "action": {
      "description": "Action enforced on packets that match the distributed service rule. The DS layer currently supports the actions below. ALLOW - Forward any packet when a rule with this action gets a match (Used by Firewall). DROP - Drop any packet when a rule with this action gets a match. Packets won't go further (Used by Firewall). REJECT - Terminate TCP connection by sending TCP reset for a packet when a rule with this action gets a match (Used by Firewall). REDIRECT - Redirect any packet to a partner appliance when a rule with this action gets a match (Used by Service Insertion). DO_NOT_REDIRECT - Do not redirect any packet to a partner appliance when a rule with this action gets a match (Used by Service Insertion). DETECT - Detect IDS Signatures.", 
      "enum": [
        "ALLOW", 
        "DROP", 
        "REJECT", 
        "REDIRECT", 
        "DO_NOT_REDIRECT", 
        "DETECT"
      ], 
      "readonly": false, 
      "required": true, 
      "title": "Action", 
      "type": "string"
    }, 
    "applied_tos": {
      "description": "List of objects where the rule will be enforced. The section level field overrides this one. Null will be treated as any.", 
      "items": {
        "$ref": "ResourceReference"
      }, 
      "maxItems": 128, 
      "readonly": false, 
      "required": false, 
      "title": "AppliedTo List", 
      "type": "array"
    }, 
    "context_profiles": {
      "description": "NS Profile object which accepts attributes and sub-attributes of various network services (ex. L7 AppId, domain name, encryption algorithm) as key value pairs.", 
      "items": {
        "$ref": "ResourceReference"
      }, 
      "maxItems": 128, 
      "title": "Context Profiles", 
      "type": "array"
    }, 
    "description": {
      "can_sort": true, 
      "maxLength": 1024, 
      "title": "Description of this resource", 
      "type": "string"
    }, 
    "destinations": {
      "description": "List of the destinations. Null will be treated as any.", 
      "items": {
        "$ref": "ResourceReference"
      }, 
      "maxItems": 128, 
      "readonly": false, 
      "required": false, 
      "title": "Destination List", 
      "type": "array"
    }, 
    "destinations_excluded": {
      "default": false, 
      "description": "Negation of the destination.", 
      "readonly": false, 
      "required": false, 
      "title": "Negation of destination", 
      "type": "boolean"
    }, 
    "direction": {
      "default": "IN_OUT", 
      "description": "Rule direction in case of stateless distributed service rules. This will only be considered if the section level parameter is set to stateless. Defaults to IN_OUT if not specified.", 
      "enum": [
        "IN", 
        "OUT", 
        "IN_OUT"
      ], 
      "readonly": false, 
      "required": false, 
      "title": "Rule direction", 
      "type": "string"
    }, 
    "disabled": {
      "default": false, 
      "description": "Flag to disable the rule. A disabled rule will only be persisted but never provisioned/realized.", 
      "readonly": false, 
      "required": false, 
      "title": "Rule enable/disable flag", 
      "type": "boolean"
    }, 
    "display_name": {
      "can_sort": true, 
      "description": "Defaults to ID if not set", 
      "maxLength": 255, 
      "title": "Identifier to use when displaying entity in logs or GUI", 
      "type": "string"
    }, 
    "extended_sources": {
      "description": "List of NSGroups that have end point attributes like AD Groups(SID), process name, process hash etc. For Flash release, only NSGroups containing AD Groups are supported.", 
      "items": {
        "$ref": "ResourceReference"
      }, 
      "maxItems": 128, 
      "title": "Extended Sources", 
      "type": "array"
    }, 
    "id": {
      "description": "Identifier of the resource", 
      "readonly": true, 
      "required": false, 
      "type": "string"
    }, 
    "ip_protocol": {
      "default": "IPV4_IPV6", 
      "description": "Type of IP packet that should be matched while enforcing the rule.", 
      "enum": [
        "IPV4", 
        "IPV6", 
        "IPV4_IPV6"
      ], 
      "readonly": false, 
      "required": false, 
      "title": "IPv4 vs IPv6 packet type", 
      "type": "string"
    }, 
    "is_default": {
      "description": "Flag to indicate whether rule is default.", 
      "readonly": true, 
      "required": false, 
      "title": "Default rule", 
      "type": "boolean"
    }, 
    "logged": {
      "default": false, 
      "description": "Flag to enable packet logging. Default is disabled.", 
      "readonly": false, 
      "required": false, 
      "title": "Enable logging flag", 
      "type": "boolean"
    }, 
    "notes": {
      "description": "User notes specific to the rule.", 
      "maxLength": 2048, 
      "readonly": false, 
      "required": false, 
      "title": "Notes", 
      "type": "string"
    }, 
    "priority": {
      "description": "Priority of the rule.", 
      "readonly": true, 
      "required": false, 
      "title": "Rule priority", 
      "type": "integer"
    }, 
    "resource_type": {
      "description": "The type of this resource.", 
      "readonly": false, 
      "type": "string"
    }, 
    "rule_tag": {
      "description": "User level field which will be printed in CLI and packet logs.", 
      "maxLength": 32, 
      "readonly": false, 
      "required": false, 
      "title": "Tag", 
      "type": "string"
    }, 
    "section_id": {
      "description": "Section Id of the section to which this rule belongs.", 
      "readonly": true, 
      "required": false, 
      "title": "Section Id", 
      "type": "string"
    }, 
    "services": {
      "description": "List of the services. Null will be treated as any.", 
      "items": {
        "$ref": "FirewallService"
      }, 
      "maxItems": 128, 
      "readonly": false, 
      "required": false, 
      "title": "Service List", 
      "type": "array"
    }, 
    "sources": {
      "description": "List of sources. Null will be treated as any.", 
      "items": {
        "$ref": "ResourceReference"
      }, 
      "maxItems": 128, 
      "readonly": false, 
      "required": false, 
      "title": "Source List", 
      "type": "array"
    }, 
    "sources_excluded": {
      "default": false, 
      "description": "Negation of the source.", 
      "readonly": false, 
      "required": false, 
      "title": "Negation of source", 
      "type": "boolean"
    }
  }, 
  "type": "object"
}