Rule (schema)

A rule specifies the security policy rule between the workload groups

A rule indicates the action to be performed for various types of traffic flowing between workload groups.
Name Description Type Notes
_create_time Timestamp of resource creation EpochMsTimestamp Readonly
Sortable
_create_user ID of the user who created this resource string Readonly
_last_modified_time Timestamp of last modification EpochMsTimestamp Readonly
Sortable
_last_modified_user ID of the user who last modified this resource string Readonly
_links References related to this resource

The server will populate this field when returing the resource. Ignored on PUT and POST.
array of ResourceLink Readonly
_protection Indicates protection status of this resource

Protection status is one of the following:
PROTECTED - the client who retrieved the entity is not allowed
to modify it.
NOT_PROTECTED - the client who retrieved the entity is allowed
to modify it
REQUIRE_OVERRIDE - the client who retrieved the entity is a super
user and can modify it, but only when providing
the request header X-Allow-Overwrite=true.
UNKNOWN - the _protection field could not be determined for this
entity.
string Readonly
_revision Generation of this resource config

The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.
int
_schema Schema for this resource string Readonly
_self Link to this resource SelfResourceLink Readonly
_system_owned Indicates system owned resource boolean Readonly
action Action

The action to be applied to all the services
The JUMP_TO_APPLICATION action is only supported for rules created in the
Environment category. Once a match is hit then the rule processing
will jump to the rules present in the Application category, skipping
all further rules in the Environment category. If no rules match in
the Application category then the default application rule will be hit.
This is applicable only for DFW.
string Enum: ALLOW, DROP, REJECT, JUMP_TO_APPLICATION
children subtree for this type within policy tree

subtree for this type within policy tree containing nested elements.
array of ChildPolicyConfigResource
Children are not allowed for this type
description Description of this resource string Maximum length: 1024
Sortable
destination_groups Destination group paths

We need paths as duplicate names may exist for groups under different
domains. Along with paths we support IP Address of type IPv4 and IPv6.
IP Address can be in one of the format(CIDR, IP Address, Range of IP Address).
In order to specify all groups, use the constant "ANY". This
is case insensitive. If "ANY" is used, it should be the ONLY element
in the group array. Error will be thrown if ANY is used in conjunction
with other values.
array of string Maximum items: 128
destinations_excluded Negation of destination groups

If set to true, the rule gets applied on all the groups that are
NOT part of the destination groups. If false, the rule applies to the
destination groups
boolean Default: "False"
direction Direction

Define direction of traffic.
string Enum: IN, OUT, IN_OUT
Default: "IN_OUT"
disabled Flag to disable the rule

Flag to disable the rule. Default is enabled.
boolean Default: "False"
display_name Identifier to use when displaying entity in logs or GUI

Defaults to ID if not set
string Maximum length: 255
Sortable
id Unique identifier of this resource string Sortable
ip_protocol IPv4 vs IPv6 packet type

Type of IP packet that should be matched while enforcing the rule.
The value is set to IPV4_IPV6 for Layer3 rule if not specified.
For Layer2/Ether rule the value must be null.
string Enum: IPV4, IPV6, IPV4_IPV6
is_default Default rule flag

A flag to indicate whether rule is a default rule.
boolean Readonly
logged Enable logging flag

Flag to enable packet logging. Default is disabled.
boolean Default: "False"
marked_for_delete Indicates whether the intent object is marked for deletion

Intent objects are not directly deleted from the system when a delete
is invoked on them. They are marked for deletion and only when all the
realized entities for that intent object gets deleted, the intent object
is deleted. Objects that are marked for deletion are not returned in
GET call. One can use the search API to get these objects.
boolean Readonly
Default: "False"
notes Text for additional notes on changes

Text for additional notes on changes.
string Maximum length: 2048
overridden Indicates whether this object is the overridden intent object

Global intent objects cannot be modified by the user.
However, certain global intent objects can be overridden locally by use
of this property. In such cases, the overridden local values take
precedence over the globally defined values for the properties.
boolean Readonly
Default: "False"
parent_path Path of its parent

Path of its parent
string Readonly
path Absolute path of this object

Absolute path of this object
string Readonly
profiles Layer 7 service profiles

Holds the list of layer 7 service profile paths. These profiles accept
attributes and sub-attributes of various network services
(e.g. L4 AppId, encryption algorithm, domain name, etc) as key value
pairs.
array of string Maximum items: 128
relative_path Relative path of this object

Path relative from its parent
string Readonly
resource_type Must be set to the value Rule string
rule_id Unique rule ID

This is a unique 4 byte positive number that is assigned by the system.
This rule id is passed all the way down to the data path. The first 1GB
(1000 to 2^30) will be shared by GM and LM with zebra style striped
number space. For E.g 1000 to (1Million -1) by LM, (1M - 2M-1) by GM
and so on.
integer Readonly
scope The list of policy paths where the rule is applied
LR/Edge/T0/T1/LRP etc. Note that a given rule can be applied
on multiple LRs/LRPs.
array of string Maximum items: 128
sequence_number Sequence number of the this Rule

This field is used to resolve conflicts between multiple
Rules under Security or Gateway Policy for a Domain
If no sequence number is specified in the payload, a value of 0 is
assigned by default. If there are multiple rules with the same
sequence number then their order is not deterministic. If a specific
order of rules is desired, then one has to specify unique sequence
numbers or use the POST request on the rule entity with
a query parameter action=revise to let the framework assign a
sequence number
int Minimum: 0
service_entries Raw services

In order to specify raw services this can be used,
along with services which contains path to services.
This can be empty or null.
array of ServiceEntry
(Abstract type: pass one of the following concrete types)
ALGTypeServiceEntry
EtherTypeServiceEntry
ICMPTypeServiceEntry
IGMPTypeServiceEntry
IPProtocolServiceEntry
L4PortSetServiceEntry
NestedServiceServiceEntry
Maximum items: 128
services Names of services

In order to specify all services, use the constant "ANY".
This is case insensitive. If "ANY" is used, it should
be the ONLY element in the services array. Error will be thrown
if ANY is used in conjunction with other values.
array of string Maximum items: 128
source_groups Source group paths

We need paths as duplicate names may exist for groups under different
domains. Along with paths we support IP Address of type IPv4 and IPv6.
IP Address can be in one of the format(CIDR, IP Address, Range of IP Address).
In order to specify all groups, use the constant "ANY". This
is case insensitive. If "ANY" is used, it should be the ONLY element
in the group array. Error will be thrown if ANY is used in conjunction
with other values.
array of string Maximum items: 128
sources_excluded Negation of source groups

If set to true, the rule gets applied on all the groups that are
NOT part of the source groups. If false, the rule applies to the
source groups
boolean Default: "False"
tag Tag applied on the rule

User level field which will be printed in CLI and packet logs.
string
tags Opaque identifiers meaningful to the API user array of Tag Maximum items: 30
unique_id A unique identifier assigned by the system

This is a UUID generated by the GM/LM to uniquely identify
entites in a federated environment. For entities that are
stretched across multiple sites, the same ID will be used
on all the stretched sites.
string Readonly