ForwardingRule (schema)

Forwarding rule

Forwarding rule that determine how to forward traffic from a VM.
Traffic from VM can either be routed via Overlay or Underlay when VM is on hybrid port.
Additionally NAT can be performed for VM or container on overlay to route traffic to/from underlay
ROUTE_TO_UNDERLAY - Access a service on underlay space from a VM connected to hybrid port. Eg access to AWS S3 on AWS underlay
ROUTE_TO_OVERLAY - Access a service on overlay space from a VM connected to hybrid port.
ROUTE_FROM_UNDERLAY - Access a service hosted on a VM (that is connected to hybrid port) from underlay space. Eg access from AWS ELB to VM
ROUTE_FROM_OVERLAY - Access a service hosted on a VM (that is connected to hybrid port) from overlay space
NAT_FROM_UNDERLAY - Access a service on overlay VM/container from underlay space using DNAT from underlay IP to overlay IP
NAT_TO_UNDERLAY - Access an underlay service from a VM/container on overlay space using SNAT from overlay IP to underlay IP

Name Description Type Notes

_create_time Timestamp of resource creation EpochMsTimestamp Readonly
Sortable

_create_user ID of the user who created this resource string Readonly

_last_modified_time Timestamp of last modification EpochMsTimestamp Readonly
Sortable

_last_modified_user ID of the user who last modified this resource string Readonly

_links References related to this resource

The server will populate this field when returing the resource. Ignored on PUT and POST. array of ResourceLink Readonly

_protection Indicates protection status of this resource

Protection status is one of the following:
PROTECTED - the client who retrieved the entity is not allowed
to modify it.
NOT_PROTECTED - the client who retrieved the entity is allowed
to modify it
REQUIRE_OVERRIDE - the client who retrieved the entity is a super
user and can modify it, but only when providing
the request header X-Allow-Overwrite=true.
UNKNOWN - the _protection field could not be determined for this
entity.
string Readonly

_revision Generation of this resource config

The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected. int

_schema Schema for this resource string Readonly

_self Link to this resource SelfResourceLink Readonly

_system_owned Indicates system owned resource boolean Readonly

action Action

The action to be applied to all the services
string Enum: ROUTE_TO_UNDERLAY, ROUTE_TO_OVERLAY, ROUTE_FROM_UNDERLAY, ROUTE_FROM_OVERLAY, NAT_FROM_UNDERLAY, NAT_TO_UNDERLAY

children subtree for this type within policy tree

subtree for this type within policy tree containing nested elements.
array of ChildPolicyConfigResource
(Abstract type: pass one of the following concrete types)
ChildBgpNeighborConfig
ChildBgpRoutingConfig
ChildByodPolicyServiceInstance
ChildCommunicationEntry
ChildCommunicationMap
ChildCommunityList
ChildComputeClusterIdfwConfiguration
ChildConstraint
ChildDeploymentZone
ChildDfwFirewallConfiguration
ChildDhcpRelayConfig
ChildDhcpServerConfig
ChildDomain
ChildDomainDeploymentMap
ChildEndpointPolicy
ChildEndpointRule
ChildEnforcementPoint
ChildFloodProtectionProfile
ChildFloodProtectionProfileBindingMap
ChildForwardingPolicy
ChildForwardingRule
ChildGatewayPolicy
ChildGroup
ChildGroupMonitoringProfileBindingMap
ChildIPDiscoveryProfile
ChildIPFIXDFWCollectorProfile
ChildIPFIXDFWProfile
ChildIPFIXL2CollectorProfile
ChildIPFIXL2Profile
ChildIPSecVpnDpdProfile
ChildIPSecVpnIkeProfile
ChildIPSecVpnLocalEndpoint
ChildIPSecVpnService
ChildIPSecVpnSession
ChildIPSecVpnTunnelProfile
ChildIpAddressAllocation
ChildIpAddressBlock
ChildIpAddressPool
ChildIpAddressPoolSubnet
ChildL2VPNService
ChildL2VPNSession
ChildL2Vpn
ChildL2VpnContext
ChildL3Vpn
ChildL3VpnContext
ChildLBAppProfile
ChildLBClientSslProfile
ChildLBMonitorProfile
ChildLBPersistenceProfile
ChildLBPool
ChildLBServerSslProfile
ChildLBService
ChildLBVirtualServer
ChildLocaleServices
ChildMacDiscoveryProfile
ChildPolicyContextProfile
ChildPolicyDnsForwarder
ChildPolicyDnsForwarderZone
ChildPolicyEdgeCluster
ChildPolicyEdgeNode
ChildPolicyExcludeList
ChildPolicyFirewallSessionTimerProfile
ChildPolicyLabel
ChildPolicyLbMonitorProfile
ChildPolicyLbPersistenceProfile
ChildPolicyLbPoolAccess
ChildPolicyLbRule
ChildPolicyLbVirtualServer
ChildPolicyNat
ChildPolicyNatRule
ChildPolicyServiceChain
ChildPolicyServiceInstance
ChildPolicyServiceProfile
ChildPolicyTransportZone
ChildPortDiscoveryProfileBindingMap
ChildPortMirroringProfile
ChildPortMonitoringProfileBindingMap
ChildPortQoSProfileBindingMap
ChildPortSecurityProfileBindingMap
ChildPrefixList
ChildQoSProfile
ChildRedirectionPolicy
ChildRedirectionRule
ChildRule
ChildSecurityPolicy
ChildSegment
ChildSegmentDiscoveryProfileBindingMap
ChildSegmentMonitoringProfileBindingMap
ChildSegmentPort
ChildSegmentQoSProfileBindingMap
ChildSegmentSecurityProfile
ChildSegmentSecurityProfileBindingMap
ChildService
ChildServiceEntry
ChildServiceInstanceEndpoint
ChildServiceInterface
ChildServiceReference
ChildServiceSegment
ChildSessionTimerProfileBindingMap
ChildSite
ChildSpoofGuardProfile
ChildSslTrustObjectData
ChildStandaloneHostIdfwConfiguration
ChildStaticARPConfig
ChildStaticRoutes
ChildTier0
ChildTier0DeploymentMap
ChildTier0Interface
ChildTier0RouteMap
ChildTier1
ChildTier1DeploymentMap
ChildTier1Interface
ChildTlsCertificate
ChildTlsCrl
ChildTlsTrustData
ChildVirtualEndpoint

description Description of this resource string Maximum length: 1024
Sortable

destination_groups Destination group paths

We need paths as duplicate names may exist for groups under different
domains.In order to specify all groups, use the constant "ANY". This
is case insensitive. If "ANY" is used, it should be the ONLY element
in the group array. Error will be thrown if ANY is used in conjunction
with other values.
array of string Maximum items: 128

destinations_excluded Negation of destination groups

If set to true, the rule gets applied on all the groups that are
NOT part of the destination groups. If false, the rule applies to the
destination groups
boolean Default: "False"

direction Direction

Define direction of traffic.
string Enum: IN, OUT, IN_OUT
Default: "IN_OUT"

disabled Flag to disable the rule

Flag to disable the rule. Default is enabled. boolean Default: "False"

display_name Identifier to use when displaying entity in logs or GUI

Defaults to ID if not set string Maximum length: 255
Sortable

id Unique identifier of this resource string Sortable

ip_protocol IPv4 vs IPv6 packet type

Type of IP packet that should be matched while enforcing the rule.
The value is set to IPV4_IPV6 for Layer3 rule if not specified.
For Layer2/Ether rule the value must be null.
string Enum: IPV4, IPV6, IPV4_IPV6

logged Enable logging flag

Flag to enable packet logging. Default is disabled. boolean Default: "False"

marked_for_delete Indicates whether the intent object is marked for deletion

Intent objects are not directly deleted from the system when a delete
is invoked on them. They are marked for deletion and only when all the
realized entities for that intent object gets deleted, the intent object
is deleted. Objects that are marked for deletion are not returned in
GET call. One can use the search API to get these objects.
boolean Readonly
Default: "False"

notes Text for additional notes on changes

Text for additional notes on changes. string Maximum length: 2048

parent_path Path of its parent

Path of its parent string Readonly

path Absolute path of this object

Absolute path of this object string Readonly

profiles Layer 7 service profiles

Holds the list of layer 7 service profile paths. These profiles accept
attributes and sub-attributes of various network services
(e.g. L4 AppId, encryption algorithm, domain name, etc) as key value
pairs.
array of string Maximum items: 128

relative_path Relative path of this object

Path relative from its parent string Readonly

resource_type Must be set to the value ForwardingRule string

scope The list of policy paths where the rule is applied
LR/Edge/T0/T1/LRP etc. Note that a given rule can be applied
on multiple LRs/LRPs.
array of string Maximum items: 128

sequence_number Sequence number of the this Rule

This field is used to resolve conflicts between multiple
Rules under Security or Gateway Policy for a Domain
If no sequence number is specified in the payload, a value of 0 is
assigned by default. If there are multiple rules with the same
sequence number then their order is not deterministic. If a specific
order of rules is desired, then one has to specify unique sequence
numbers or use the POST request on the rule entity with
a query parameter action=revise to let the framework assign a
sequence number
int Minimum: 0

services Names of services

In order to specify all services, use the constant "ANY".
This is case insensitive. If "ANY" is used, it should
be the ONLY element in the services array. Error will be thrown
if ANY is used in conjunction with other values.
array of string Maximum items: 128

source_groups Source group paths

We need paths as duplicate names may exist for groups under different
domains. In order to specify all groups, use the constant "ANY". This
is case insensitive. If "ANY" is used, it should be the ONLY element
in the group array. Error will be thrown if ANY is used in conjunction
with other values.
array of string Maximum items: 128

sources_excluded Negation of source groups

If set to true, the rule gets applied on all the groups that are
NOT part of the source groups. If false, the rule applies to the
source groups
boolean Default: "False"

tag Tag applied on the rule

User level field which will be printed in CLI and packet logs.
string

tags Opaque identifiers meaningful to the API user array of Tag Maximum items: 30

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
action	Action The action to be applied to all the services	string	Enum: ROUTE_TO_UNDERLAY, ROUTE_TO_OVERLAY, ROUTE_FROM_UNDERLAY, ROUTE_FROM_OVERLAY, NAT_FROM_UNDERLAY, NAT_TO_UNDERLAY
children	subtree for this type within policy tree subtree for this type within policy tree containing nested elements.	array of ChildPolicyConfigResource (Abstract type: pass one of the following concrete types) ChildBgpNeighborConfig ChildBgpRoutingConfig ChildByodPolicyServiceInstance ChildCommunicationEntry ChildCommunicationMap ChildCommunityList ChildComputeClusterIdfwConfiguration ChildConstraint ChildDeploymentZone ChildDfwFirewallConfiguration ChildDhcpRelayConfig ChildDhcpServerConfig ChildDomain ChildDomainDeploymentMap ChildEndpointPolicy ChildEndpointRule ChildEnforcementPoint ChildFloodProtectionProfile ChildFloodProtectionProfileBindingMap ChildForwardingPolicy ChildForwardingRule ChildGatewayPolicy ChildGroup ChildGroupMonitoringProfileBindingMap ChildIPDiscoveryProfile ChildIPFIXDFWCollectorProfile ChildIPFIXDFWProfile ChildIPFIXL2CollectorProfile ChildIPFIXL2Profile ChildIPSecVpnDpdProfile ChildIPSecVpnIkeProfile ChildIPSecVpnLocalEndpoint ChildIPSecVpnService ChildIPSecVpnSession ChildIPSecVpnTunnelProfile ChildIpAddressAllocation ChildIpAddressBlock ChildIpAddressPool ChildIpAddressPoolSubnet ChildL2VPNService ChildL2VPNSession ChildL2Vpn ChildL2VpnContext ChildL3Vpn ChildL3VpnContext ChildLBAppProfile ChildLBClientSslProfile ChildLBMonitorProfile ChildLBPersistenceProfile ChildLBPool ChildLBServerSslProfile ChildLBService ChildLBVirtualServer ChildLocaleServices ChildMacDiscoveryProfile ChildPolicyContextProfile ChildPolicyDnsForwarder ChildPolicyDnsForwarderZone ChildPolicyEdgeCluster ChildPolicyEdgeNode ChildPolicyExcludeList ChildPolicyFirewallSessionTimerProfile ChildPolicyLabel ChildPolicyLbMonitorProfile ChildPolicyLbPersistenceProfile ChildPolicyLbPoolAccess ChildPolicyLbRule ChildPolicyLbVirtualServer ChildPolicyNat ChildPolicyNatRule ChildPolicyServiceChain ChildPolicyServiceInstance ChildPolicyServiceProfile ChildPolicyTransportZone ChildPortDiscoveryProfileBindingMap ChildPortMirroringProfile ChildPortMonitoringProfileBindingMap ChildPortQoSProfileBindingMap ChildPortSecurityProfileBindingMap ChildPrefixList ChildQoSProfile ChildRedirectionPolicy ChildRedirectionRule ChildRule ChildSecurityPolicy ChildSegment ChildSegmentDiscoveryProfileBindingMap ChildSegmentMonitoringProfileBindingMap ChildSegmentPort ChildSegmentQoSProfileBindingMap ChildSegmentSecurityProfile ChildSegmentSecurityProfileBindingMap ChildService ChildServiceEntry ChildServiceInstanceEndpoint ChildServiceInterface ChildServiceReference ChildServiceSegment ChildSessionTimerProfileBindingMap ChildSite ChildSpoofGuardProfile ChildSslTrustObjectData ChildStandaloneHostIdfwConfiguration ChildStaticARPConfig ChildStaticRoutes ChildTier0 ChildTier0DeploymentMap ChildTier0Interface ChildTier0RouteMap ChildTier1 ChildTier1DeploymentMap ChildTier1Interface ChildTlsCertificate ChildTlsCrl ChildTlsTrustData ChildVirtualEndpoint
description	Description of this resource	string	Maximum length: 1024 Sortable
destination_groups	Destination group paths We need paths as duplicate names may exist for groups under different domains.In order to specify all groups, use the constant "ANY". This is case insensitive. If "ANY" is used, it should be the ONLY element in the group array. Error will be thrown if ANY is used in conjunction with other values.	array of string	Maximum items: 128
destinations_excluded	Negation of destination groups If set to true, the rule gets applied on all the groups that are NOT part of the destination groups. If false, the rule applies to the destination groups	boolean	Default: "False"
direction	Direction Define direction of traffic.	string	Enum: IN, OUT, IN_OUT Default: "IN_OUT"
disabled	Flag to disable the rule Flag to disable the rule. Default is enabled.	boolean	Default: "False"
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
ip_protocol	IPv4 vs IPv6 packet type Type of IP packet that should be matched while enforcing the rule. The value is set to IPV4_IPV6 for Layer3 rule if not specified. For Layer2/Ether rule the value must be null.	string	Enum: IPV4, IPV6, IPV4_IPV6
logged	Enable logging flag Flag to enable packet logging. Default is disabled.	boolean	Default: "False"
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object gets deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
notes	Text for additional notes on changes Text for additional notes on changes.	string	Maximum length: 2048
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
profiles	Layer 7 service profiles Holds the list of layer 7 service profile paths. These profiles accept attributes and sub-attributes of various network services (e.g. L4 AppId, encryption algorithm, domain name, etc) as key value pairs.	array of string	Maximum items: 128
relative_path	Relative path of this object Path relative from its parent	string	Readonly
resource_type	Must be set to the value ForwardingRule	string
scope	The list of policy paths where the rule is applied LR/Edge/T0/T1/LRP etc. Note that a given rule can be applied on multiple LRs/LRPs.	array of string	Maximum items: 128
sequence_number	Sequence number of the this Rule This field is used to resolve conflicts between multiple Rules under Security or Gateway Policy for a Domain If no sequence number is specified in the payload, a value of 0 is assigned by default. If there are multiple rules with the same sequence number then their order is not deterministic. If a specific order of rules is desired, then one has to specify unique sequence numbers or use the POST request on the rule entity with a query parameter action=revise to let the framework assign a sequence number	int	Minimum: 0
services	Names of services In order to specify all services, use the constant "ANY". This is case insensitive. If "ANY" is used, it should be the ONLY element in the services array. Error will be thrown if ANY is used in conjunction with other values.	array of string	Maximum items: 128
source_groups	Source group paths We need paths as duplicate names may exist for groups under different domains. In order to specify all groups, use the constant "ANY". This is case insensitive. If "ANY" is used, it should be the ONLY element in the group array. Error will be thrown if ANY is used in conjunction with other values.	array of string	Maximum items: 128
sources_excluded	Negation of source groups If set to true, the rule gets applied on all the groups that are NOT part of the source groups. If false, the rule applies to the source groups	boolean	Default: "False"
tag	Tag applied on the rule User level field which will be printed in CLI and packet logs.	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30