Policy > Security > North South Security > Gateway Firewall > Rules
| Name | Description | Type | Notes |
|---|---|---|---|
| anchor_path | The security policy/rule path if operation is 'insert_after' or 'insert_before' | string | |
| operation | Operation | string | Enum: insert_top, insert_bottom, insert_after, insert_before Default: "insert_top" |
| Name | Description | Type | Notes |
|---|---|---|---|
| _create_time | Timestamp of resource creation | EpochMsTimestamp | Readonly Sortable |
| _create_user | ID of the user who created this resource | string | Readonly |
| _last_modified_time | Timestamp of last modification | EpochMsTimestamp | Readonly Sortable |
| _last_modified_user | ID of the user who last modified this resource | string | Readonly |
| _links | References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST. |
array of ResourceLink | Readonly |
| _protection | Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity. |
string | Readonly |
| _revision | Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected. |
int | |
| _schema | Schema for this resource | string | Readonly |
| _self | Link to this resource | SelfResourceLink | Readonly |
| _system_owned | Indicates system owned resource | boolean | Readonly |
| action | Action The action to be applied to all the services The JUMP_TO_APPLICATION action is only supported for rules created in the Environment category. Once a match is hit then the rule processing will jump to the rules present in the Application category, skipping all further rules in the Environment category. If no rules match in the Application category then the default application rule will be hit. This is applicable only for DFW. |
string | Enum: ALLOW, DROP, REJECT, JUMP_TO_APPLICATION |
| children | subtree for this type within policy tree subtree for this type within policy tree containing nested elements. |
array of ChildPolicyConfigResource Children are not allowed for this type |
|
| description | Description of this resource | string | Maximum length: 1024 Sortable |
| destination_groups | Destination group paths We need paths as duplicate names may exist for groups under different domains. Along with paths we support IP Address of type IPv4 and IPv6. IP Address can be in one of the format(CIDR, IP Address, Range of IP Address). In order to specify all groups, use the constant "ANY". This is case insensitive. If "ANY" is used, it should be the ONLY element in the group array. Error will be thrown if ANY is used in conjunction with other values. |
array of string | Maximum items: 128 |
| destinations_excluded | Negation of destination groups If set to true, the rule gets applied on all the groups that are NOT part of the destination groups. If false, the rule applies to the destination groups |
boolean | Default: "False" |
| direction | Direction Define direction of traffic. |
string | Enum: IN, OUT, IN_OUT Default: "IN_OUT" |
| disabled | Flag to disable the rule Flag to disable the rule. Default is enabled. |
boolean | Default: "False" |
| display_name | Identifier to use when displaying entity in logs or GUI Defaults to ID if not set |
string | Maximum length: 255 Sortable |
| id | Unique identifier of this resource | string | Sortable |
| ip_protocol | IPv4 vs IPv6 packet type Type of IP packet that should be matched while enforcing the rule. The value is set to IPV4_IPV6 for Layer3 rule if not specified. For Layer2/Ether rule the value must be null. |
string | Enum: IPV4, IPV6, IPV4_IPV6 |
| is_default | Default rule flag A flag to indicate whether rule is a default rule. |
boolean | Readonly |
| logged | Enable logging flag Flag to enable packet logging. Default is disabled. |
boolean | Default: "False" |
| marked_for_delete | Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object gets deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects. |
boolean | Readonly Default: "False" |
| notes | Text for additional notes on changes Text for additional notes on changes. |
string | Maximum length: 2048 |
| overridden | Indicates whether this object is the overridden intent object Global intent objects cannot be modified by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties. |
boolean | Readonly Default: "False" |
| parent_path | Path of its parent Path of its parent |
string | Readonly |
| path | Absolute path of this object Absolute path of this object |
string | Readonly |
| profiles | Layer 7 service profiles or TLS action profile Holds the list of layer 7 service profile paths. These profiles accept attributes and sub-attributes of various network services (e.g. L4 AppId, encryption algorithm, domain name, etc) as key value pairs. Instead of Layer 7 service profiles you can use a L7 access profile. One of either Layer 7 service profiles or L7 Access Profile can be used in firewall rule. In case of L7 access profile only one is allowed. |
array of string | Maximum items: 128 |
| realization_id | A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated thier unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent. |
string | Readonly |
| relative_path | Relative path of this object Path relative from its parent |
string | Readonly |
| resource_type | Must be set to the value Rule | string | |
| rule_id | Unique rule ID This is a unique 4 byte positive number that is assigned by the system. This rule id is passed all the way down to the data path. The first 1GB (1000 to 2^30) will be shared by GM and LM with zebra style striped number space. For E.g 1000 to (1Million -1) by LM, (1M - 2M-1) by GM and so on. |
integer | Readonly |
| scope | The list of policy paths where the rule is applied
LR/Edge/T0/T1/LRP etc. Note that a given rule can be applied on multiple LRs/LRPs. |
array of string | Maximum items: 128 |
| sequence_number | Sequence number of the this Rule This field is used to resolve conflicts between multiple Rules under Security or Gateway Policy for a Domain If no sequence number is specified in the payload, a value of 0 is assigned by default. If there are multiple rules with the same sequence number then their order is not deterministic. If a specific order of rules is desired, then one has to specify unique sequence numbers or use the POST request on the rule entity with a query parameter action=revise to let the framework assign a sequence number |
int | Minimum: 0 |
| service_entries | Raw services In order to specify raw services this can be used, along with services which contains path to services. This can be empty or null. |
array of ServiceEntry (Abstract type: pass one of the following concrete types) ALGTypeServiceEntry EtherTypeServiceEntry ICMPTypeServiceEntry IGMPTypeServiceEntry IPProtocolServiceEntry L4PortSetServiceEntry NestedServiceServiceEntry |
Maximum items: 128 |
| services | Names of services In order to specify all services, use the constant "ANY". This is case insensitive. If "ANY" is used, it should be the ONLY element in the services array. Error will be thrown if ANY is used in conjunction with other values. |
array of string | Maximum items: 128 |
| source_groups | Source group paths We need paths as duplicate names may exist for groups under different domains. Along with paths we support IP Address of type IPv4 and IPv6. IP Address can be in one of the format(CIDR, IP Address, Range of IP Address). In order to specify all groups, use the constant "ANY". This is case insensitive. If "ANY" is used, it should be the ONLY element in the group array. Error will be thrown if ANY is used in conjunction with other values. |
array of string | Maximum items: 128 |
| sources_excluded | Negation of source groups If set to true, the rule gets applied on all the groups that are NOT part of the source groups. If false, the rule applies to the source groups |
boolean | Default: "False" |
| tag | Tag applied on the rule User level field which will be printed in CLI and packet logs. Even though there is no limitation on length of a tag, internally tag will get truncated after 32 characters. |
string | |
| tags | Opaque identifiers meaningful to the API user | array of Tag | Maximum items: 30 |
| unique_id | A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entites in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites. |
string | Readonly |
| Name | Description | Type | Notes |
|---|---|---|---|
| _create_time | Timestamp of resource creation | EpochMsTimestamp | Readonly Sortable |
| _create_user | ID of the user who created this resource | string | Readonly |
| _last_modified_time | Timestamp of last modification | EpochMsTimestamp | Readonly Sortable |
| _last_modified_user | ID of the user who last modified this resource | string | Readonly |
| _links | References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST. |
array of ResourceLink | Readonly |
| _protection | Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity. |
string | Readonly |
| _revision | Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected. |
int | |
| _schema | Schema for this resource | string | Readonly |
| _self | Link to this resource | SelfResourceLink | Readonly |
| _system_owned | Indicates system owned resource | boolean | Readonly |
| action | Action The action to be applied to all the services The JUMP_TO_APPLICATION action is only supported for rules created in the Environment category. Once a match is hit then the rule processing will jump to the rules present in the Application category, skipping all further rules in the Environment category. If no rules match in the Application category then the default application rule will be hit. This is applicable only for DFW. |
string | Enum: ALLOW, DROP, REJECT, JUMP_TO_APPLICATION |
| children | subtree for this type within policy tree subtree for this type within policy tree containing nested elements. |
array of ChildPolicyConfigResource Children are not allowed for this type |
|
| description | Description of this resource | string | Maximum length: 1024 Sortable |
| destination_groups | Destination group paths We need paths as duplicate names may exist for groups under different domains. Along with paths we support IP Address of type IPv4 and IPv6. IP Address can be in one of the format(CIDR, IP Address, Range of IP Address). In order to specify all groups, use the constant "ANY". This is case insensitive. If "ANY" is used, it should be the ONLY element in the group array. Error will be thrown if ANY is used in conjunction with other values. |
array of string | Maximum items: 128 |
| destinations_excluded | Negation of destination groups If set to true, the rule gets applied on all the groups that are NOT part of the destination groups. If false, the rule applies to the destination groups |
boolean | Default: "False" |
| direction | Direction Define direction of traffic. |
string | Enum: IN, OUT, IN_OUT Default: "IN_OUT" |
| disabled | Flag to disable the rule Flag to disable the rule. Default is enabled. |
boolean | Default: "False" |
| display_name | Identifier to use when displaying entity in logs or GUI Defaults to ID if not set |
string | Maximum length: 255 Sortable |
| id | Unique identifier of this resource | string | Sortable |
| ip_protocol | IPv4 vs IPv6 packet type Type of IP packet that should be matched while enforcing the rule. The value is set to IPV4_IPV6 for Layer3 rule if not specified. For Layer2/Ether rule the value must be null. |
string | Enum: IPV4, IPV6, IPV4_IPV6 |
| is_default | Default rule flag A flag to indicate whether rule is a default rule. |
boolean | Readonly |
| logged | Enable logging flag Flag to enable packet logging. Default is disabled. |
boolean | Default: "False" |
| marked_for_delete | Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object gets deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects. |
boolean | Readonly Default: "False" |
| notes | Text for additional notes on changes Text for additional notes on changes. |
string | Maximum length: 2048 |
| overridden | Indicates whether this object is the overridden intent object Global intent objects cannot be modified by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties. |
boolean | Readonly Default: "False" |
| parent_path | Path of its parent Path of its parent |
string | Readonly |
| path | Absolute path of this object Absolute path of this object |
string | Readonly |
| profiles | Layer 7 service profiles or TLS action profile Holds the list of layer 7 service profile paths. These profiles accept attributes and sub-attributes of various network services (e.g. L4 AppId, encryption algorithm, domain name, etc) as key value pairs. Instead of Layer 7 service profiles you can use a L7 access profile. One of either Layer 7 service profiles or L7 Access Profile can be used in firewall rule. In case of L7 access profile only one is allowed. |
array of string | Maximum items: 128 |
| realization_id | A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated thier unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent. |
string | Readonly |
| relative_path | Relative path of this object Path relative from its parent |
string | Readonly |
| resource_type | Must be set to the value Rule | string | |
| rule_id | Unique rule ID This is a unique 4 byte positive number that is assigned by the system. This rule id is passed all the way down to the data path. The first 1GB (1000 to 2^30) will be shared by GM and LM with zebra style striped number space. For E.g 1000 to (1Million -1) by LM, (1M - 2M-1) by GM and so on. |
integer | Readonly |
| scope | The list of policy paths where the rule is applied
LR/Edge/T0/T1/LRP etc. Note that a given rule can be applied on multiple LRs/LRPs. |
array of string | Maximum items: 128 |
| sequence_number | Sequence number of the this Rule This field is used to resolve conflicts between multiple Rules under Security or Gateway Policy for a Domain If no sequence number is specified in the payload, a value of 0 is assigned by default. If there are multiple rules with the same sequence number then their order is not deterministic. If a specific order of rules is desired, then one has to specify unique sequence numbers or use the POST request on the rule entity with a query parameter action=revise to let the framework assign a sequence number |
int | Minimum: 0 |
| service_entries | Raw services In order to specify raw services this can be used, along with services which contains path to services. This can be empty or null. |
array of ServiceEntry (Abstract type: pass one of the following concrete types) ALGTypeServiceEntry EtherTypeServiceEntry ICMPTypeServiceEntry IGMPTypeServiceEntry IPProtocolServiceEntry L4PortSetServiceEntry NestedServiceServiceEntry |
Maximum items: 128 |
| services | Names of services In order to specify all services, use the constant "ANY". This is case insensitive. If "ANY" is used, it should be the ONLY element in the services array. Error will be thrown if ANY is used in conjunction with other values. |
array of string | Maximum items: 128 |
| source_groups | Source group paths We need paths as duplicate names may exist for groups under different domains. Along with paths we support IP Address of type IPv4 and IPv6. IP Address can be in one of the format(CIDR, IP Address, Range of IP Address). In order to specify all groups, use the constant "ANY". This is case insensitive. If "ANY" is used, it should be the ONLY element in the group array. Error will be thrown if ANY is used in conjunction with other values. |
array of string | Maximum items: 128 |
| sources_excluded | Negation of source groups If set to true, the rule gets applied on all the groups that are NOT part of the source groups. If false, the rule applies to the source groups |
boolean | Default: "False" |
| tag | Tag applied on the rule User level field which will be printed in CLI and packet logs. Even though there is no limitation on length of a tag, internally tag will get truncated after 32 characters. |
string | |
| tags | Opaque identifiers meaningful to the API user | array of Tag | Maximum items: 30 |
| unique_id | A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entites in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites. |
string | Readonly |