Policy > Security > East West Security > Distributed Firewall

Associated URIs:

API Description API Path

List communication maps


List all communication maps for a domain.
This API is deprecated. Please use the following API instead.
GET /infra/domains/domain-id/security-policies
GET /policy/api/v1/infra/domains/<domain-id>/communication-maps (Deprecated)

Deletes a communication map from this domain


Deletes the communication map along with all the communication entries
This API is deprecated. Please use the following API instead.
DELETE /infra/domains/domain-id/security-policies/security-policy-id
DELETE /policy/api/v1/infra/domains/<domain-id>/communication-maps/<communication-map-id> (Deprecated)

Read communication-map


Read communication-map for a domain.
This API is deprecated. Please use the following API instead.
GET /infra/domains/domain-id/security-policies/security-policy-id
GET /policy/api/v1/infra/domains/<domain-id>/communication-maps/<communication-map-id> (Deprecated)

Patch communication map


Patch the communication map for a domain. If a communication map for the
given communication-map-id is not present, the object will get created and
if it is present it will be updated. This is a full replace
This API is deprecated. Please use the following API instead.
PATCH /infra/domains/domain-id/security-policies/security-policy-id
PATCH /policy/api/v1/infra/domains/<domain-id>/communication-maps/<communication-map-id> (Deprecated)

Revise the positioning of communication maps


This is used to set a precedence of a communication map w.r.t others.
This API is deprecated. Please use the following API instead.
POST /infra/domains/domain-id/security-policies/security-policy-id?action=revise
POST /policy/api/v1/infra/domains/<domain-id>/communication-maps/<communication-map-id>?action=revise (Deprecated)

Create or Update communication map


Create or Update the communication map for a domain. This is a full replace.
All the CommunicationEntries are replaced.
This API is deprecated. Please use the following API instead.
PUT /infra/domains/domain-id/security-policies/security-policy-id
PUT /policy/api/v1/infra/domains/<domain-id>/communication-maps/<communication-map-id> (Deprecated)

List CommunicationEntries


List CommunicationEntries
This API is deprecated. Please use the following API instead.
GET /infra/domains/domain-id/security-policies/security-policy-id/rules
GET /policy/api/v1/infra/domains/<domain-id>/communication-maps/<communication-map-id>/communication-entries (Deprecated)

Delete CommunicationEntry


Delete CommunicationEntry
This API is deprecated. Please use the following API instead.
DELETE /infra/domains/domain-id/security-policies/security-policy-id/rules/rule-id
DELETE /policy/api/v1/infra/domains/<domain-id>/communication-maps/<communication-map-id>/communication-entries/<communication-entry-id> (Deprecated)

Read CommunicationEntry


Read CommunicationEntry
This API is deprecated. Please use the following API instead.
GET /infra/domains/domain-id/security-policies/security-policy-id/rules/rule-id
GET /policy/api/v1/infra/domains/<domain-id>/communication-maps/<communication-map-id>/communication-entries/<communication-entry-id> (Deprecated)

Patch a CommunicationEntry


Patch the CommunicationEntry. If a communication entry for the given
communication-entry-id is not present, the object will get created and if
it is present it will be updated. This is a full replace
This API is deprecated. Please use the following API instead.
PATCH /infra/domains/domain-id/security-policies/security-policy-id/rules/rule-id
PATCH /policy/api/v1/infra/domains/<domain-id>/communication-maps/<communication-map-id>/communication-entries/<communication-entry-id> (Deprecated)

Revise the positioning of communication entry


This is used to re-order a communictation entry within a communication map.
This API is deprecated. Please use the following API instead.
POST /infra/domains/domain-id/security-policies/security-policy-id/rules/rule-id?action=revise
POST /policy/api/v1/infra/domains/<domain-id>/communication-maps/<communication-map-id>/communication-entries/<communication-entry-id>?action=revise (Deprecated)

Create or update a CommunicationEntry


Update the CommunicationEntry. If a CommunicationEntry with the communication-entry-id
is not already present, this API fails with a 404. Creation of CommunicationEntries
is not allowed using this API.
This API is deprecated. Please use the following API instead
PUT /infra/domains/domain-id/security-policies/securit-policy-id/rules/rule-id
PUT /policy/api/v1/infra/domains/<domain-id>/communication-maps/<communication-map-id>/communication-entries/<communication-entry-id> (Deprecated)

List security policies


List all security policies for a domain.
GET /policy/api/v1/infra/domains/<domain-id>/security-policies
GET /policy/api/v1/global-infra/domains/<domain-id>/security-policies

Deletes a security policy from this domain


Deletes the security policy along with all the rules
DELETE /policy/api/v1/infra/domains/<domain-id>/security-policies/<security-policy-id>

Read security policy


Read security policy for a domain.
GET /policy/api/v1/global-infra/domains/<domain-id>/security-policies/<security-policy-id>
GET /policy/api/v1/infra/domains/<domain-id>/security-policies/<security-policy-id>

Patch security policy


Patch the security policy for a domain. If a security policy for the given
security-policy-id is not present, the object will get created and if it is
present it will be updated. This is a full replace.
Performance Note: If you want to edit several rules in a security policy
use this API. It will perform better than several individual rule APIs.
Just pass all the rules which you wish to edit as embedded rules to it.
PATCH /policy/api/v1/infra/domains/<domain-id>/security-policies/<security-policy-id>

Revise the positioning of security policies


This is used to set a precedence of a security policy w.r.t others.
POST /policy/api/v1/infra/domains/<domain-id>/security-policies/<security-policy-id>?action=revise

Create or Update security policy


Create or Update the security policy for a domain. This is a full replace.
All the rules are replaced.
Performance Note: If you want to edit several rules in a security policy,
use this API. It will perform better than several individual rule APIs.
Just pass all the rules which you wish to edit as embedded rules to it.
PUT /policy/api/v1/infra/domains/<domain-id>/security-policies/<security-policy-id>

List all container cluster span of a security policy


List all container cluster span of a security policy
GET /policy/api/v1/infra/domains/<domain-id>/security-policies/<security-policy-id>/container-cluster-span

Deletes a security policy from this domain


Deletes the security policy along with all the rules
DELETE /policy/api/v1/infra/domains/<domain-id>/security-policies/<security-policy-id>/container-cluster-span/<antrea-cluster-1>

Read container cluster for a security policy


Read container cluster for a security policy.
GET /policy/api/v1/infra/domains/<domain-id>/security-policies/<security-policy-id>/container-cluster-span/<antrea-cluster-1>

Add a container cluster as a span of this security policy


Add a container cluster as a span of this security policy.
If there already exists another object containing the same container cluster
path, an error will be thrown. The container cluster path cannot be modified
If the path has to be modified, then delete this entity and add a new entity
with the desired container cluster path
PATCH /policy/api/v1/infra/domains/<domain-id>/security-policies/<security-policy-id>/container-cluster-span/<container-cluster-id>

Add a container cluster as a span of this security policy


Add a container cluster as a span of this security policy.
If there already exists another object containing the same container cluster
path, an error will be thrown. The container cluster path cannot be modified
If the path has to be modified, then delete this entity and add a new entity
with the desired container cluster path
PUT /policy/api/v1/infra/domains/<domain-id>/security-policies/<security-policy-id>/container-cluster-span/<container-cluster-id>

List rules


List rules
GET /policy/api/v1/global-infra/domains/<domain-id>/security-policies/<security-policy-id>/rules
GET /policy/api/v1/infra/domains/<domain-id>/security-policies/<security-policy-id>/rules

Delete rule


Delete rule
DELETE /policy/api/v1/infra/domains/<domain-id>/security-policies/<security-policy-id>/rules/<rule-id>

Read rule


Read rule
GET /policy/api/v1/infra/domains/<domain-id>/security-policies/<security-policy-id>/rules/<rule-id>
GET /policy/api/v1/global-infra/domains/<domain-id>/security-policies/<security-policy-id>/rules/<rule-id>

Patch a rule


Patch the rule. If Rule corresponding to the the given rule-id is
not present, the object will get created and if it is present it will be
updated. This is a full replace.
Performance Note: If you want to edit several rules in a security policy,
prefer below mentioned API for optimal performance.
Pass all the rules which you wish to edit as embedded rules to it.
Use this API - PATCH (or PUT)
/infra/domains/<domain-id>/security-policies/<security-policy-id>
PATCH /policy/api/v1/infra/domains/<domain-id>/security-policies/<security-policy-id>/rules/<rule-id>

Revise the positioning of rule


This is used to re-order a rule within a security policy.
POST /policy/api/v1/infra/domains/<domain-id>/security-policies/<security-policy-id>/rules/<rule-id>?action=revise

Create or update a rule


Update the rule. Create new rule if a rule with the rule-id is not already
present.
Performance Note: If you wish to edit several rules in a security policy,
prefer below mentioned API for optimal performance.
Pass all the rules which you wish to edit as embedded rules to it.
Use this API - PATCH (or PUT)
/infra/domains/<domain-id>/security-policies/<security-policy-id>
PUT /policy/api/v1/infra/domains/<domain-id>/security-policies/<security-policy-id>/rules/<rule-id>

Get rule statistics


Get statistics of a rule.
- no enforcement point path specified: Stats will be evaluated on each enforcement
point.
- {enforcement_point_path}: Stats are evaluated only on the given enforcement point.
GET /policy/api/v1/infra/domains/<domain-id>/security-policies/<security-policy-id>/rules/<rule-id>/statistics
GET /policy/api/v1/global-infra/domains/<domain-id>/security-policies/<security-policy-id>/rules/<rule-id>/statistics

Get security policy statistics


Get statistics of a security policy.
- no enforcement point path specified: Stats will be evaluated on each enforcement
point.
- {enforcement_point_path}: Stats are evaluated only on the given enforcement point.
GET /policy/api/v1/infra/domains/<domain-id>/security-policies/<security-policy-id>/statistics
GET /policy/api/v1/global-infra/domains/<domain-id>/security-policies/<security-policy-id>/statistics

List policy drafts


List policy drafts.
GET /policy/api/v1/infra/drafts

Delete a manual draft


Delete a manual draft.
DELETE /policy/api/v1/infra/drafts/<draft-id>

Read draft


Read a draft for a given draft identifier.
GET /policy/api/v1/infra/drafts/<draft-id>

Patch a manual draft


Create a new manual draft if the specified draft id does not correspond
to an existing draft. Update the manual draft otherwise.
Auto draft can not be updated.
PATCH /policy/api/v1/infra/drafts/<draft-id>

Publish a draft


Read a draft and publish it by applying changes onto current configuration.
If there are additional changes on top of draft configuration, pass it as a
request body, in form of Infra object. Otherwise, if there are no additional
changes, then pass empty Infra object as a request body.
POST /policy/api/v1/infra/drafts/<draft-id>?action=publish

Create or update a manual draft


Create a new manual draft if the specified draft id does not correspond
to an existing draft. Update the manual draft otherwise.
Auto draft can not be updated.
PUT /policy/api/v1/infra/drafts/<draft-id>

Get an aggregated configuration for the draft


Get an aggregated configuration that will get applied onto current
configuration during publish of this draft.
The response is a hierarchical payload containing the aggregated
configuration differences from the latest auto draft till the specified draft.
GET /policy/api/v1/infra/drafts/<draft-id>/aggregated

Get paginated aggregated configuration for the draft


Get a paginated aggregated configuration of a given draft. This aggregated
configuration is the differnece between the current published firewall
configuration and a firewall configuration stored in a given draft.
For an initial API call, if request_id is present in a response, then this is
a paginated aggregated configuration of a given draft, containing all the
security policies from the aggregated configuration.
Using this request_id, more granular aggregated configuration, at security
policy level, can be fetched from subsequent API calls.
Absence of request_id suggests that whole aggregated configuration has been
returned as a response to initial API call, as the size of aggregated
configuration is not big enough to need pagination.
GET /policy/api/v1/infra/drafts/<draft-id>/aggregated_with_pagination

Get a preview of a configuration after publish of a draft


Get a preview of a configuration which will be present after publish of
a specified draft. The response essentially is a hierarchical payload
containing the configuration, which will be in active after a specified
draft gets published onto current configuration.
GET /policy/api/v1/infra/drafts/<draft-id>/complete

Test a directory domain event log server connectivity


This API tests a event log server connectivity before the actual domain or event log server is configured. If the connectivity is good, the response will be HTTP status 200. Otherwise the response will be HTTP status 200 and a corresponding error message will be returned.
POST /policy/api/v1/infra/firewall-identity-store-event-log-servers/status

Test a directory domain LDAP server connectivity


This API tests a LDAP server connectivity before the actual domain or LDAP server is configured. If the connectivity is good, the response will be HTTP status 200. Otherwise the response will be HTTP status 500 and corresponding error message will be returned.
POST /policy/api/v1/infra/firewall-identity-store-ldap-server

Scan the size of a directory domain


This call scans the size of a directory domain. It may be very | expensive to run this call in some AD domain deployments. Please | use it with caution.
POST /policy/api/v1/infra/firewall-identity-store-size

List all firewall identity stores


List all firewall identity stores
GET /policy/api/v1/infra/firewall-identity-stores

Fetch all organization units for a LDAP server.


POST /policy/api/v1/infra/firewall-identity-stores-org-units

Delete firewall identity store


If the firewall identity store is removed, it will stop the identity
store synchronization. User will not be able to define new IDFW rules
DELETE /policy/api/v1/infra/firewall-identity-stores/<firewall-identity-store-id>

Read firewall identity store


Return a firewall identity store based on the store identifier
GET /policy/api/v1/infra/firewall-identity-stores/<firewall-identity-store-id>

Create or update a firewall identity store


If a firewall identity store with the firewall-identity-store-id
is not already present, create a new firewall identity store. If it
already exists, update the firewall identity store with specified
attributes.
PATCH /policy/api/v1/infra/firewall-identity-stores/<firewall-identity-store-id>

Invoke full sync or delta sync for a specific domain, with additional delay in seconds if needed. Stop sync will try to stop any pending sync if any to return to idle state.


POST /policy/api/v1/infra/firewall-identity-stores/<firewall-identity-store-id>

Create or update a firewall identity store


If a firewall identity store with the firewall-identity-store-id
is not already present, create a new firewall identity store. If it
already exists, replace the firewall identity store instance with
the new object.
PUT /policy/api/v1/infra/firewall-identity-stores/<firewall-identity-store-id>

Delete a Event Log server for Firewall Identity store


DELETE /policy/api/v1/infra/firewall-identity-stores/<firewall-identity-store-id>/event-log-servers/<event-log-server-id>

Get a specific Event Log server for a given Firewall Identity store


GET /policy/api/v1/infra/firewall-identity-stores/<firewall-identity-store-id>/event-log-servers/<event-log-server-id>

Update a event log server for Firewall Identity store


PUT /policy/api/v1/infra/firewall-identity-stores/<firewall-identity-store-id>/event-log-servers/<event-log-server-id>

Search for directory groups within a domain based on the substring of a distinguished name. (e.g. CN=User,DC=acme,DC=com) The search filter pattern can optionally support multiple (up to 100 maximum) search pattern separated by '|' (url encoded %7C). In this case, the search results will be returned as the union of all matching criteria. (e.g. CN=Ann,CN=Users,DC=acme,DC=com|CN=Bob,CN=Users,DC=acme,DC=com)


GET /policy/api/v1/infra/firewall-identity-stores/<firewall-identity-store-id>/groups

List members of a directory group


A member group could be either direct member of the group specified by group_id or nested member of it. Both direct member groups and nested member groups are returned. Directory group member sync must be enabled to get the correct results.
GET /policy/api/v1/infra/firewall-identity-stores/<firewall-identity-store-id>/groups/<group-id>/member-groups

List all configured domain LDAP servers


GET /policy/api/v1/infra/firewall-identity-stores/<firewall-identity-store-id>/ldap-servers

Delete a LDAP server for Firewall Identity store


DELETE /policy/api/v1/infra/firewall-identity-stores/<firewall-identity-store-id>/ldap-servers/<ldap-server-id>

Get a specific LDAP server for a given Firewall Identity store


GET /policy/api/v1/infra/firewall-identity-stores/<firewall-identity-store-id>/ldap-servers/<ldap-server-id>

Create a LDAP server for Firewall Identity store


More than one LDAP server can be created and only one LDAP
server is used to synchronize directory objects. If more
than one LDAP server is configured, NSX will try all the
servers until it is able to successfully connect to one.
PATCH /policy/api/v1/infra/firewall-identity-stores/<firewall-identity-store-id>/ldap-servers/<ldap-server-id>

Test a LDAP server connection for directory domain


The API tests a LDAP server connection for an already configured domain. If the connection is successful, the response will be HTTP status 200. Otherwise the response will be HTTP status 500 and corresponding error message will be returned.
POST /policy/api/v1/infra/firewall-identity-stores/<firewall-identity-store-id>/ldap-servers/<ldap-server-id>

Update a LDAP server for Firewall Identity store


PUT /policy/api/v1/infra/firewall-identity-stores/<firewall-identity-store-id>/ldap-servers/<ldap-server-id>

Fetch all organization units for a Firewall Identity Store.


GET /policy/api/v1/infra/firewall-identity-stores/<firewall-identity-store-id>/org-units

Get Firewall identity store sync statistics for the given identifier


GET /policy/api/v1/infra/firewall-identity-stores/<firewall-identity-store-id>/sync-stats

Get PolicyFirewallSchedulers


Get all PolicyFirewallSchedulers
GET /policy/api/v1/infra/firewall-schedulers

Delete Policy Firewall Scheduler


Deletes the specified PolicyFirewallScheduler. If scheduler
is consumed in a security policy, it won't get deleted.
DELETE /policy/api/v1/infra/firewall-schedulers/<firewall-scheduler-id>

Get PolicyFirewallScheduler


Get a PolicyFirewallScheduler by id
GET /policy/api/v1/infra/firewall-schedulers/<firewall-scheduler-id>

Create or Update PolicyFirewallScheduler


Creates/Updates a PolicyFirewallScheduler, which can be set at security
policy. Note that at least one property out of "days", "start_date",
"time_interval", "end_date" is required if "recurring" field is true. Also
"start_time" and "end_time" should not be present. And if "recurring"
field is false then "start_date" and "end_date" is mandatory, "start_time"
and "end_time" is optional. Also the fields "days" and "time_interval"
should not be present.
PATCH /policy/api/v1/infra/firewall-schedulers/<firewall-scheduler-id>

Create or Update PolicyFirewallScheduler


Updates a PolicyFirewallScheduler, which can be set at security policy.
Note that at least one property out of "days", "start_date",
"time_interval", "end_date" is required if "recurring" field is true. Also
"start_time" and "end_time" should not be present. And if "recurring"
field is false then "start_date" and "end_date" is mandatory, "start_time"
and "end_time" is optional. Also the fields "days" and "time_interval"
should not be present.
PUT /policy/api/v1/infra/firewall-schedulers/<firewall-scheduler-id>

Download exported file


Download the exported file generated from the last export task.
GET /policy/api/v1/infra/settings/firewall/export?action=download

Get the information of export task


Get the information of the latest export task.
GET /policy/api/v1/infra/settings/firewall/export

Cancel a running export task


This operation cancels an export task. Task needs to be in running state.
POST /policy/api/v1/infra/settings/firewall/export?action=cancel

Invoke export task


Invoke export task. There can be only one export task run at any point of
time. Hence invocation of another export task will be discarded, when there
exist an already running export task.
Exported configuration will be in a CSV format. This CSV file will be zipped
into a ZIP file, that can be downloaded after the completion of export task.
POST /policy/api/v1/infra/settings/firewall/export

List compute cluster idfw Configuration


API will list all compute cluster wise identity firewall configuration
GET /policy/api/v1/infra/settings/firewall/idfw/cluster

Delete compute cluster idfw configuration


Delete compute cluster identity firewall configuration.
DELETE /policy/api/v1/infra/settings/firewall/idfw/cluster/<cluster-id>

Read compute cluster idfw configuration


Read compute cluster identity firewall configuration
GET /policy/api/v1/infra/settings/firewall/idfw/cluster/<cluster-id>

Patch compute cluster idfw configuration


Patch compute cluster identity firewall configuration.
PATCH /policy/api/v1/infra/settings/firewall/idfw/cluster/<cluster-id>

Create or update compute cluster idfw configuration


Update the compute cluster idfw configuration
PUT /policy/api/v1/infra/settings/firewall/idfw/cluster/<cluster-id>

Get IDFW status for a Compute Collection


Get IDFW status for a specific Compute Collection
GET /policy/api/v1/infra/settings/firewall/idfw/compute-collections/<compute-collection-id>/status

List IDFW status for Transport Nodes in a Compute Collection


This API will list all transport node and statuses based on idfw enabled
compute collection ID.
GET /policy/api/v1/infra/settings/firewall/idfw/compute-collections/<compute-collection-id>/transport-nodes/status

Get IDFW status for all Compute Collections


Get IDFW status for all Compute Collections
GET /policy/api/v1/infra/settings/firewall/idfw/compute-collections/status

Get all IDFW Group VM details for a given Group


Get all Identity Firewall Group VM details for a given Group.
GET /policy/api/v1/infra/settings/firewall/idfw/group-vm-details

Read idfw configuration for standalone host


Read identity firewall configuration for standalone host
GET /policy/api/v1/infra/settings/firewall/idfw/standalone-host-switch-setting

Patch idfw configuration for standalone host


Patch identity firewall configuration for standalone host
PATCH /policy/api/v1/infra/settings/firewall/idfw/standalone-host-switch-setting

Create or update idfw configuration for standalone host


Update the idfw configuration for standalone host
PUT /policy/api/v1/infra/settings/firewall/idfw/standalone-host-switch-setting

Get IDFW system statistics data


It will get IDFW system statistics data.
GET /policy/api/v1/infra/settings/firewall/idfw/system-stats

List IDFW status of VMs by transport node id


This API will list all VMs and statuses based on transport node ID of idfw
enabled compute collection.
GET /policy/api/v1/infra/settings/firewall/idfw/transport-nodes/<transport-node-id>/vms/status

Get user session data


It will get user session data.
GET /policy/api/v1/infra/settings/firewall/idfw/user-session-data

Get IDFW user login events for a given user


It will get IDFW user login events for a given user.
GET /policy/api/v1/infra/settings/firewall/idfw/user-stats/<user-id>

Get IDFW user login events for a given VM


It will get IDFW user login events for a given VM
(all active plus up to 5 most recent archived entries).
GET /policy/api/v1/infra/settings/firewall/idfw/vm-stats/<vm-id>

Get the information of import task


Get the information of the latest import task.
GET /policy/api/v1/infra/settings/firewall/import

Invoke import task


Invoke import task. There can be only one import task run at any point of
time. Hence invocation of another import task will be discarded, when there
exist an already running import task.
POST /policy/api/v1/infra/settings/firewall/import

Cancel a running import task


This operation cancels an import task. Task needs to be in running state.
POST /policy/api/v1/infra/settings/firewall/import?action=cancel

Get dfw firewall configuration


Get the current dfw firewall configurations.
GET /policy/api/v1/infra/settings/firewall/security

Update dfw firewall configuration


Update dfw firewall related configurations.
PATCH /policy/api/v1/infra/settings/firewall/security

Update dfw firewall configuration


Update dfw firewall related configurations.
PUT /policy/api/v1/infra/settings/firewall/security

Get the list of distributed firewall dependent services


Get the list of distributed firewall dependent services
GET /policy/api/v1/infra/settings/firewall/security/dependent-services

Read security policy exclude list including system and user excluded members


Read security policy exclude list including system and user excluded members.
GET /policy/api/v1/infra/settings/firewall/security/exclude-list?system_owned=true

Read security policy exclude list


Read exclude list for firewall
GET /policy/api/v1/infra/settings/firewall/security/exclude-list

Patch exclusion list for security policy


Patch exclusion list for security policy.
PATCH /policy/api/v1/infra/settings/firewall/security/exclude-list

Filter the firewall exclude list


Filter the firewall exclude list by the given object, to check whether
the object is a member of this exclude list.
POST /policy/api/v1/infra/settings/firewall/security/exclude-list?action=filter

Create or update exclusion list for security policy


Update the exclusion list for security policy
PUT /policy/api/v1/infra/settings/firewall/security/exclude-list

Reset firewall rule statistics


Sets firewall rule statistics counter to zero. This operation is supported
for given category, for example: DFW i.e. for all layer3 firewall
(transport nodes only) rules or EDGE i.e. for all layer3 edge firewall
(edge nodes only) rules.
- no enforcement point path specified:
On global manager, it is mandatory to give an enforcement point path.
On local manager, reset of stats will be executed for each enforcement point.
- {enforcement_point_path}: Reset of stats will be executed only for the given enforcement point.
POST /policy/api/v1/infra/settings/firewall/stats?action=reset
POST /policy/api/v1/global-infra/settings/firewall/stats?action=reset

Post User Login/Logout events for IDFW


API to receive User Login and Logout events for IDFW
POST /policy/api/v1/system/input/login-logout-events