| API Description | API Path |
|---|---|
List policy draftsList policy drafts. |
GET /policy/api/v1/infra/drafts
|
Delete a manual draftDelete a manual draft. |
DELETE /policy/api/v1/infra/drafts/<draft-id>
|
Read draftRead a draft for a given draft identifier. |
GET /policy/api/v1/infra/drafts/<draft-id>
|
Patch a manual draftCreate a new manual draft if the specified draft id does not correspond to an existing draft. Update the manual draft otherwise. Auto draft can not be updated. |
PATCH /policy/api/v1/infra/drafts/<draft-id>
|
Publish a draftRead a draft and publish it by applying changes onto current configuration. If there are additional changes on top of draft configuration, pass it as a request body, in form of Infra object. Otherwise, if there are no additional changes, then pass empty Infra object as a request body. |
POST /policy/api/v1/infra/drafts/<draft-id>?action=publish
|
Create or update a manual draftCreate a new manual draft if the specified draft id does not correspond to an existing draft. Update the manual draft otherwise. Auto draft can not be updated. |
PUT /policy/api/v1/infra/drafts/<draft-id>
|
Get an aggregated configuration for the draftGet an aggregated configuration that will get applied onto current configuration during publish of this draft. The response is a hierarchical payload containing the aggregated configuration differences from the latest auto draft till the specified draft. |
GET /policy/api/v1/infra/drafts/<draft-id>/aggregated
|
Get paginated aggregated configuration for the draftGet a paginated aggregated configuration of a given draft. This aggregated configuration is the differnece between the current published firewall configuration and a firewall configuration stored in a given draft. For an initial API call, if request_id is present in a response, then this is a paginated aggregated configuration of a given draft, containing all the security policies from the aggregated configuration. Using this request_id, more granular aggregated configuration, at security policy level, can be fetched from subsequent API calls. Absence of request_id suggests that whole aggregated configuration has been returned as a response to initial API call, as the size of aggregated configuration is not big enough to need pagination. |
GET /policy/api/v1/infra/drafts/<draft-id>/aggregated_with_pagination
|
Get a preview of a configuration after publish of a draftGet a preview of a configuration which will be present after publish of a specified draft. The response essentially is a hierarchical payload containing the configuration, which will be in active after a specified draft gets published onto current configuration. |
GET /policy/api/v1/infra/drafts/<draft-id>/complete
|
Test a directory domain event log server connectivityThis API tests a event log server connectivity before the actual domain or event log server is configured. If the connectivity is good, the response will be HTTP status 200. Otherwise the response will be HTTP status 200 and a corresponding error message will be returned. |
POST /policy/api/v1/infra/firewall-identity-store-event-log-servers/status
|
Test a directory domain LDAP server connectivityThis API tests a LDAP server connectivity before the actual domain or LDAP server is configured. If the connectivity is good, the response will be HTTP status 200. Otherwise the response will be HTTP status 500 and corresponding error message will be returned. |
POST /policy/api/v1/infra/firewall-identity-store-ldap-server
|
Scan the size of a directory domainThis call scans the size of a directory domain. It may be very | expensive to run this call in some AD domain deployments. Please | use it with caution. |
POST /policy/api/v1/infra/firewall-identity-store-size
|
List all firewall identity storesList all firewall identity stores |
GET /policy/api/v1/infra/firewall-identity-stores
|
Fetch all organization units for a LDAP server. |
POST /policy/api/v1/infra/firewall-identity-stores-org-units
|
Delete firewall identity storeIf the firewall identity store is removed, it will stop the identity store synchronization. User will not be able to define new IDFW rules |
DELETE /policy/api/v1/infra/firewall-identity-stores/<firewall-identity-store-id>
|
Read firewall identity storeReturn a firewall identity store based on the store identifier |
GET /policy/api/v1/infra/firewall-identity-stores/<firewall-identity-store-id>
|
Create or update a firewall identity storeIf a firewall identity store with the firewall-identity-store-id is not already present, create a new firewall identity store. If it already exists, update the firewall identity store with specified attributes. |
PATCH /policy/api/v1/infra/firewall-identity-stores/<firewall-identity-store-id>
|
Invoke full sync or delta sync for a specific domain, with additional delay in seconds if needed. Stop sync will try to stop any pending sync if any to return to idle state. |
POST /policy/api/v1/infra/firewall-identity-stores/<firewall-identity-store-id>
|
Create or update a firewall identity storeIf a firewall identity store with the firewall-identity-store-id is not already present, create a new firewall identity store. If it already exists, replace the firewall identity store instance with the new object. |
PUT /policy/api/v1/infra/firewall-identity-stores/<firewall-identity-store-id>
|
Delete a Event Log server for Firewall Identity store |
DELETE /policy/api/v1/infra/firewall-identity-stores/<firewall-identity-store-id>/event-log-servers/<event-log-server-id>
|
Get a specific Event Log server for a given Firewall Identity store |
GET /policy/api/v1/infra/firewall-identity-stores/<firewall-identity-store-id>/event-log-servers/<event-log-server-id>
|
Update a event log server for Firewall Identity store |
PUT /policy/api/v1/infra/firewall-identity-stores/<firewall-identity-store-id>/event-log-servers/<event-log-server-id>
|
Search for directory groups within a domain based on the substring of a distinguished name. (e.g. CN=User,DC=acme,DC=com) The search filter pattern can optionally support multiple (up to 100 maximum) search pattern separated by '|' (url encoded %7C). In this case, the search results will be returned as the union of all matching criteria. (e.g. CN=Ann,CN=Users,DC=acme,DC=com|CN=Bob,CN=Users,DC=acme,DC=com) |
GET /policy/api/v1/infra/firewall-identity-stores/<firewall-identity-store-id>/groups
|
List members of a directory groupA member group could be either direct member of the group specified by group_id or nested member of it. Both direct member groups and nested member groups are returned. Directory group member sync must be enabled to get the correct results. |
GET /policy/api/v1/infra/firewall-identity-stores/<firewall-identity-store-id>/groups/<group-id>/member-groups
|
List all configured domain LDAP servers |
GET /policy/api/v1/infra/firewall-identity-stores/<firewall-identity-store-id>/ldap-servers
|
Delete a LDAP server for Firewall Identity store |
DELETE /policy/api/v1/infra/firewall-identity-stores/<firewall-identity-store-id>/ldap-servers/<ldap-server-id>
|
Get a specific LDAP server for a given Firewall Identity store |
GET /policy/api/v1/infra/firewall-identity-stores/<firewall-identity-store-id>/ldap-servers/<ldap-server-id>
|
Create a LDAP server for Firewall Identity storeMore than one LDAP server can be created and only one LDAP server is used to synchronize directory objects. If more than one LDAP server is configured, NSX will try all the servers until it is able to successfully connect to one. |
PATCH /policy/api/v1/infra/firewall-identity-stores/<firewall-identity-store-id>/ldap-servers/<ldap-server-id>
|
Test a LDAP server connection for directory domainThe API tests a LDAP server connection for an already configured domain. If the connection is successful, the response will be HTTP status 200. Otherwise the response will be HTTP status 500 and corresponding error message will be returned. |
POST /policy/api/v1/infra/firewall-identity-stores/<firewall-identity-store-id>/ldap-servers/<ldap-server-id>
|
Update a LDAP server for Firewall Identity store |
PUT /policy/api/v1/infra/firewall-identity-stores/<firewall-identity-store-id>/ldap-servers/<ldap-server-id>
|
Fetch all organization units for a Firewall Identity Store. |
GET /policy/api/v1/infra/firewall-identity-stores/<firewall-identity-store-id>/org-units
|
Get Firewall identity store sync statistics for the given identifier |
GET /policy/api/v1/infra/firewall-identity-stores/<firewall-identity-store-id>/sync-stats
|
Get PolicyFirewallSchedulersGet all PolicyFirewallSchedulers |
GET /policy/api/v1/infra/firewall-schedulers
|
Delete Policy Firewall SchedulerDeletes the specified PolicyFirewallScheduler. If scheduler is consumed in a security policy, it won't get deleted. |
DELETE /policy/api/v1/infra/firewall-schedulers/<firewall-scheduler-id>
|
Get PolicyFirewallSchedulerGet a PolicyFirewallScheduler by id |
GET /policy/api/v1/infra/firewall-schedulers/<firewall-scheduler-id>
|
Create or Update PolicyFirewallSchedulerCreates/Updates a PolicyFirewallScheduler, which can be set at security policy. Note that at least one property out of "days", "start_date", "time_interval", "end_date" is required if "recurring" field is true. Also "start_time" and "end_time" should not be present. And if "recurring" field is false then "start_date" and "end_date" is mandatory, "start_time" and "end_time" is optional. Also the fields "days" and "time_interval" should not be present. |
PATCH /policy/api/v1/infra/firewall-schedulers/<firewall-scheduler-id>
|
Create or Update PolicyFirewallSchedulerUpdates a PolicyFirewallScheduler, which can be set at security policy. Note that at least one property out of "days", "start_date", "time_interval", "end_date" is required if "recurring" field is true. Also "start_time" and "end_time" should not be present. And if "recurring" field is false then "start_date" and "end_date" is mandatory, "start_time" and "end_time" is optional. Also the fields "days" and "time_interval" should not be present. |
PUT /policy/api/v1/infra/firewall-schedulers/<firewall-scheduler-id>
|
List compute cluster idfw ConfigurationAPI will list all compute cluster wise identity firewall configuration |
GET /policy/api/v1/infra/settings/firewall/idfw/cluster
|
Delete compute cluster idfw configurationDelete compute cluster identity firewall configuration. |
DELETE /policy/api/v1/infra/settings/firewall/idfw/cluster/<cluster-id>
|
Read compute cluster idfw configurationRead compute cluster identity firewall configuration |
GET /policy/api/v1/infra/settings/firewall/idfw/cluster/<cluster-id>
|
Patch compute cluster idfw configurationPatch compute cluster identity firewall configuration. |
PATCH /policy/api/v1/infra/settings/firewall/idfw/cluster/<cluster-id>
|
Create or update compute cluster idfw configurationUpdate the compute cluster idfw configuration |
PUT /policy/api/v1/infra/settings/firewall/idfw/cluster/<cluster-id>
|
Get IDFW status for a Compute CollectionGet IDFW status for a specific Compute Collection |
GET /policy/api/v1/infra/settings/firewall/idfw/compute-collections/<compute-collection-id>/status
|
List IDFW status for Transport Nodes in a Compute CollectionThis API will list all transport node and statuses based on idfw enabled compute collection ID. |
GET /policy/api/v1/infra/settings/firewall/idfw/compute-collections/<compute-collection-id>/transport-nodes/status
|
Get IDFW status for all Compute CollectionsGet IDFW status for all Compute Collections |
GET /policy/api/v1/infra/settings/firewall/idfw/compute-collections/status
|
Get all IDFW Group VM details for a given GroupGet all Identity Firewall Group VM details for a given Group. |
GET /policy/api/v1/infra/settings/firewall/idfw/group-vm-details
|
Read idfw configuration for standalone hostRead identity firewall configuration for standalone host |
GET /policy/api/v1/infra/settings/firewall/idfw/standalone-host-switch-setting
|
Patch idfw configuration for standalone hostPatch identity firewall configuration for standalone host |
PATCH /policy/api/v1/infra/settings/firewall/idfw/standalone-host-switch-setting
|
Create or update idfw configuration for standalone hostUpdate the idfw configuration for standalone host |
PUT /policy/api/v1/infra/settings/firewall/idfw/standalone-host-switch-setting
|
Get IDFW system statistics dataIt will get IDFW system statistics data. |
GET /policy/api/v1/infra/settings/firewall/idfw/system-stats
|
List IDFW status of VMs by transport node idThis API will list all VMs and statuses based on transport node ID of idfw enabled compute collection. |
GET /policy/api/v1/infra/settings/firewall/idfw/transport-nodes/<transport-node-id>/vms/status
|
Get user session dataIt will get user session data. |
GET /policy/api/v1/infra/settings/firewall/idfw/user-session-data
|
Get IDFW user login events for a given userIt will get IDFW user login events for a given user. |
GET /policy/api/v1/infra/settings/firewall/idfw/user-stats/<user-id>
|
Get IDFW user login events for a given VMIt will get IDFW user login events for a given VM (all active plus up to 5 most recent archived entries). |
GET /policy/api/v1/infra/settings/firewall/idfw/vm-stats/<vm-id>
|
Get dfw firewall configurationGet the current dfw firewall configurations. |
GET /policy/api/v1/infra/settings/firewall/security
|
Update dfw firewall configurationUpdate dfw firewall related configurations. |
PATCH /policy/api/v1/infra/settings/firewall/security
|
Update dfw firewall configurationUpdate dfw firewall related configurations. |
PUT /policy/api/v1/infra/settings/firewall/security
|
Get the list of distributed firewall dependent servicesGet the list of distributed firewall dependent services |
GET /policy/api/v1/infra/settings/firewall/security/dependent-services
|
Read security policy exclude list including system and user excluded membersRead security policy exclude list including system and user excluded members. |
GET /policy/api/v1/infra/settings/firewall/security/exclude-list?system_owned=true
|
Read security policy exclude listRead exclude list for firewall |
GET /policy/api/v1/infra/settings/firewall/security/exclude-list
|
Patch exclusion list for security policyPatch exclusion list for security policy. |
PATCH /policy/api/v1/infra/settings/firewall/security/exclude-list
|
Filter the firewall exclude listFilter the firewall exclude list by the given object, to check whether the object is a member of this exclude list. |
POST /policy/api/v1/infra/settings/firewall/security/exclude-list?action=filter
|
Create or update exclusion list for security policyUpdate the exclusion list for security policy |
PUT /policy/api/v1/infra/settings/firewall/security/exclude-list
|
Post User Login/Logout events for IDFWAPI to receive User Login and Logout events for IDFW |
POST /policy/api/v1/system/input/login-logout-events
|