_create_time |
Timestamp of resource creation |
EpochMsTimestamp |
Readonly Sortable |
_create_user |
ID of the user who created this resource |
string |
Readonly |
_last_modified_time |
Timestamp of last modification |
EpochMsTimestamp |
Readonly Sortable |
_last_modified_user |
ID of the user who last modified this resource |
string |
Readonly |
_links |
References related to this resource
The server will populate this field when returing the resource. Ignored on PUT and POST. |
array of ResourceLink |
Readonly |
_protection |
Indicates protection status of this resource
Protection status is one of the following:
PROTECTED - the client who retrieved the entity is not allowed
to modify it.
NOT_PROTECTED - the client who retrieved the entity is allowed
to modify it
REQUIRE_OVERRIDE - the client who retrieved the entity is a super
user and can modify it, but only when providing
the request header X-Allow-Overwrite=true.
UNKNOWN - the _protection field could not be determined for this
entity.
|
string |
Readonly |
_revision |
Generation of this resource config
The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected. |
int |
|
_schema |
Schema for this resource |
string |
Readonly |
_self |
Link to this resource |
SelfResourceLink |
Readonly |
_system_owned |
Indicates system owned resource |
boolean |
Readonly |
category |
A way to classify a security policy, if needed.
- Distributed Firewall -
Policy framework provides five pre-defined categories for classifying
a security policy. They are "Ethernet","Emergency", "Infrastructure"
"Environment" and "Application". There is a pre-determined order in
which the policy framework manages the priority of these security
policies. Ethernet category is for supporting layer 2 firewall rules.
The other four categories are applicable for layer 3 rules. Amongst
them, the Emergency category has the highest priority followed by
Infrastructure, Environment and then Application rules. Administrator
can choose to categorize a security policy into the above categories
or can choose to leave it empty. If empty it will have the least
precedence w.r.t the above four categories.
- Edge Firewall -
Policy Framework for Edge Firewall provides six pre-defined categories
"Emergency", "SystemRules", "SharedPreRules", "LocalGatewayRules",
"AutoServiceRules" and "Default", in order of priority of rules.
All categories are allowed for Gatetway Policies that belong
to 'default' Domain. However, for user created domains, category is
restricted to "SharedPreRules" or "LocalGatewayRules" only. Also, the
users can add/modify/delete rules from only the "SharedPreRules" and
"LocalGatewayRules" categories. If user doesn't specify the category
then defaulted to "Rules". System generated category is used by NSX
created rules, for example BFD rules. Autoplumbed category used by
NSX verticals to autoplumb data path rules. Finally, "Default" category
is the placeholder default rules with lowest in the order of priority.
|
string |
|
children |
subtree for this type within policy tree
subtree for this type within policy tree containing nested elements.
|
array of ChildPolicyConfigResource (Abstract type: pass one of the following concrete types) ChildForwardingRule |
|
comments |
SecurityPolicy lock/unlock comments
Comments for security policy lock/unlock. |
string |
|
description |
Description of this resource |
string |
Maximum length: 1024 Sortable |
display_name |
Identifier to use when displaying entity in logs or GUI
Defaults to ID if not set |
string |
Maximum length: 255 Sortable |
id |
Unique identifier of this resource |
string |
Sortable |
internal_sequence_number |
Internal sequence number
This field is to indicate the internal sequence number of a policy
with respect to the policies across categories.
|
int |
Readonly |
is_default |
Default policy flag
A flag to indicate whether policy is a default policy. |
boolean |
Readonly |
lock_modified_by |
User who locked the security policy
ID of the user who last modified the lock for the secruity policy.
|
string |
Readonly |
lock_modified_time |
SecuirtyPolicy locked/unlocked time
SecurityPolicy locked/unlocked time in epoch milliseconds. |
EpochMsTimestamp |
Readonly |
locked |
Lock a security policy
Indicates whether a security policy should be locked. If the
security policy is locked by a user, then no other user would
be able to modify this security policy. Once the user releases
the lock, other users can update this security policy.
|
boolean |
Default: "False" |
marked_for_delete |
Indicates whether the intent object is marked for deletion
Intent objects are not directly deleted from the system when a delete
is invoked on them. They are marked for deletion and only when all the
realized entities for that intent object gets deleted, the intent object
is deleted. Objects that are marked for deletion are not returned in
GET call. One can use the search API to get these objects.
|
boolean |
Readonly Default: "False" |
overridden |
Indicates whether this object is the overridden intent object
Global intent objects cannot be modified by the user.
However, certain global intent objects can be overridden locally by use
of this property. In such cases, the overridden local values take
precedence over the globally defined values for the properties.
|
boolean |
Readonly Default: "False" |
parent_path |
Path of its parent
Path of its parent |
string |
Readonly |
path |
Absolute path of this object
Absolute path of this object |
string |
Readonly |
relative_path |
Relative path of this object
Path relative from its parent |
string |
Readonly |
resource_type |
Must be set to the value ForwardingPolicy |
string |
|
rule_count |
Rule count
The count of rules in the policy.
|
int |
Readonly |
rules |
Rules that are a part of this ForwardingPolicy |
array of ForwardingRule |
|
scheduler_path |
Path to the scheduler for time based scheduling
Provides a mechanism to apply the rules in this policy for a specified
time duration.
|
string |
|
scope |
The list of group paths where the rules in this policy will get
applied. This scope will take precedence over rule level scope.
Supported only for security and redirection policies. In case of
RedirectionPolicy, it is expected only when the policy is NS and
redirecting to service chain.
|
array of string |
Maximum items: 128 |
sequence_number |
Sequence number to resolve conflicts across Domains
This field is used to resolve conflicts between security policies
across domains. In order to change the sequence number of a policy
one can fire a POST request on the policy entity with
a query parameter action=revise
The sequence number field will reflect the value of the computed
sequence number upon execution of the above mentioned POST request.
For scenarios where the administrator is using a template to update
several security policies, the only way to set the sequence number is
to explicitly specify the sequence number for each security policy.
If no sequence number is specified in the payload, a value of 0 is
assigned by default. If there are multiple policies with the same
sequence number then their order is not deterministic. If a specific
order of policies is desired, then one has to specify unique sequence
numbers or use the POST request on the policy entity with
a query parameter action=revise to let the framework assign a
sequence number.
The value of sequence number must be between 0 and 999,999.
|
int |
Minimum: 0 |
stateful |
Stateful nature of the entries within this security policy.
Stateful or Stateless nature of security policy is enforced on all
rules in this security policy. When it is stateful, the state of
the network connects are tracked and a stateful packet inspection is
performed.
Layer3 security policies can be stateful or stateless. By default, they are stateful.
Layer2 security policies can only be stateless.
|
boolean |
|
tags |
Opaque identifiers meaningful to the API user |
array of Tag |
Maximum items: 30 |
tcp_strict |
Enforce strict tcp handshake before allowing data packets
Ensures that a 3 way TCP handshake is done before the data packets
are sent.
tcp_strict=true is supported only for stateful security policies.
If the tcp_strict flag is not specified and the security policy
is stateful, then tcp_strict will be set to true.
|
boolean |
|
unique_id |
A unique identifier assigned by the system
This is a UUID generated by the GM/LM to uniquely identify
entites in a federated environment. For entities that are
stretched across multiple sites, the same ID will be used
on all the stretched sites.
|
string |
Readonly |