NSX-T Data Center Global Manager REST API
BaseRule (schema)
A rule represent base properties for ,dfw, forwarding, redirection rule
A rule indicates the action to be performed for various types of traffic flowing between workload groups.
| Name | Description | Type | Notes |
|---|---|---|---|
| _create_time | Timestamp of resource creation | EpochMsTimestamp | Readonly Sortable |
| _create_user | ID of the user who created this resource | string | Readonly |
| _last_modified_time | Timestamp of last modification | EpochMsTimestamp | Readonly Sortable |
| _last_modified_user | ID of the user who last modified this resource | string | Readonly |
| _links | References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST. |
array of ResourceLink | Readonly |
| _protection | Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity. |
string | Readonly |
| _revision | Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected. |
int | |
| _schema | Schema for this resource | string | Readonly |
| _self | Link to this resource | SelfResourceLink | Readonly |
| _system_owned | Indicates system owned resource | boolean | Readonly |
| children | Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only. |
array of ChildPolicyConfigResource Children are not allowed for this type |
|
| description | Description of this resource | string | Maximum length: 1024 Sortable |
| destination_groups | Destination group paths Specifies the destinations to match for this rule. This field accepts Group paths (e.g., "/infra/domains/default/groups/db-vms") or direct IP addresses. Group paths reference Group objects that define collections of workloads. IP addresses can be specified in CIDR notation, as individual addresses, or as ranges. Use the constant "ANY" to match all destinations. "ANY" is case insensitive and must be the ONLY element in the array if used. An error will be thrown if "ANY" is used in conjunction with other values. |
array of string | Maximum items: 128 |
| destinations_excluded | Negation of destination groups If set to true, the rule gets applied on all the groups that are NOT part of the destination groups. If false, the rule applies to the destination groups |
boolean | Default: "False" |
| direction | Direction Specifies the direction of traffic to which this rule applies: - IN: Applies to incoming traffic only (traffic coming into the workload) - OUT: Applies to outgoing traffic only (traffic leaving the workload) - IN_OUT: Applies to both incoming and outgoing traffic (default) |
string | Enum: IN, OUT, IN_OUT Default: "IN_OUT" |
| disabled | Flag to deactivate the rule Flag to deactivate the rule. Default is activated. |
boolean | Default: "False" |
| display_name | Identifier to use when displaying entity in logs or GUI Defaults to ID if not set |
string | Maximum length: 255 Sortable |
| id | Unique identifier of this resource | string | Sortable |
| ip_protocol | IPv4 vs IPv6 packet type Type of IP packet that should be matched while enforcing the rule. The value is set to IPV4_IPV6 for Layer3 rule if not specified. For Layer2/Ether rule the value must be null. |
string | Enum: IPV4, IPV6, IPV4_IPV6 |
| is_default | Default rule flag A flag to indicate whether rule is a default rule. |
boolean | Readonly |
| logged | Enable logging flag Flag to enable packet logging. Default is deactivated. |
boolean | Default: "False" |
| marked_for_delete | Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object gets deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects. |
boolean | Readonly Default: "False" |
| notes | Text for additional notes on changes User level field which will be printed in CLI and packet logs. The notes field accepts up to 2048 characters. Internally, notes are truncated after 39 characters in CLI and packet logs. |
string | Maximum length: 2048 |
| origin_site_id | A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+. |
string | Readonly |
| overridden | Indicates whether this object is the overridden intent object Global intent objects cannot be modified by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties. |
boolean | Readonly Default: "False" |
| owner_id | A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+. |
string | Readonly |
| parent_path | Path of its parent Path of its parent |
string | Readonly |
| path | Absolute path of this object Absolute path of this object |
string | Readonly |
| profiles | Layer 7 service profiles or L7 access profile paths Paths to Layer 7 service profile objects or L7 access profile objects for advanced traffic inspection and filtering. These profiles enable matching on Layer 7 attributes and sub-attributes of network services such as: - Application IDs (L4 AppId) - Encryption algorithms and TLS versions - Domain names and URLs - HTTP methods - CIFS/SMB versions You can use either Layer 7 service profiles (PolicyContextProfile) or an L7 access profile (L7AccessProfile) in a rule, but not both. When using an L7 access profile, only one profile path is allowed. |
array of string | Maximum items: 128 |
| realization_id | A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent. |
string | Readonly |
| relative_path | Relative path of this object Path relative from its parent |
string | Readonly |
| remote_path | Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM. |
string | Readonly |
| resource_type | Must be set to the value BaseRule | string | |
| rule_id | Unique rule ID This is a unique positive integer identifier assigned by the system for each rule. The rule_id is passed down to the data path for rule matching and statistics. The system allocates rule IDs from a shared number space between Global Manager (GM) and Local Manager (LM) using a zebra-style striped allocation: - 1000 to 999,999: allocated by LM - 1,000,000 to 1,999,999: allocated by GM - 2,000,000 to 2,999,999: allocated by LM - And so on, alternating in ranges of 1 million The rule_id is typically a small integer (1-4 digits for most deployments) rather than utilizing the full 32-bit range. |
integer | Readonly |
| scope | The list of group paths to which the rule applies. This determines
which workloads (VMs, containers, etc.) the rule is enforced on. For Gateway Firewall rules, this can also include Tier-0, Tier-1, or interface paths to specify where the rule is enforced. Note that a given rule can be applied to multiple groups or network entities. |
array of string | Maximum items: 128 |
| sequence_number | Sequence number of this Rule This field is used to resolve conflicts between multiple Rules under a Security or Gateway Policy for a Domain. Rules are evaluated in ascending sequence number order. If no sequence number is specified in the payload, the system assigns a default value of 0. If there are multiple rules with the same sequence number then their order is not deterministic. If a specific order of rules is desired, specify unique sequence numbers or use the POST request on the rule entity with a query parameter action=revise to let the framework assign a sequence number. |
int | Minimum: 0 |
| service_entries | Raw services In order to specify raw services this can be used, along with services which contains path to services. This can be empty or null. |
array of ServiceEntry (Abstract type: pass one of the following concrete types) ALGTypeServiceEntry EtherTypeServiceEntry ICMPTypeServiceEntry IGMPTypeServiceEntry IPProtocolServiceEntry L4PortSetServiceEntry NestedServiceServiceEntry |
Maximum items: 128 |
| services | Service paths Paths to Service objects (e.g., "/infra/services/HTTP") that define the network services (protocols and ports) to which this rule applies. In order to specify all services, use the constant "ANY". This is case insensitive. If "ANY" is used, it should be the ONLY element in the services array. Error will be thrown if ANY is used in conjunction with other values. |
array of string | Maximum items: 128 |
| source_groups | Source group paths Specifies the sources to match for this rule. This field accepts Group paths (e.g., "/infra/domains/default/groups/web-vms") or direct IP addresses. Group paths reference Group objects that define collections of workloads. IP addresses can be specified in CIDR notation, as individual addresses, or as ranges. Use the constant "ANY" to match all sources. "ANY" is case insensitive and must be the ONLY element in the array if used. An error will be thrown if "ANY" is used in conjunction with other values. |
array of string | Maximum items: 128 |
| sources_excluded | Negation of source groups If set to true, the rule gets applied on all the groups that are NOT part of the source groups. If false, the rule applies to the source groups |
boolean | Default: "False" |
| tag | Tag applied on the rule User level field which will be printed in CLI and packet logs. Even though there is no limitation on length of a tag, internally tag will get truncated after 32 characters. |
string | |
| tags | Opaque identifiers meaningful to the API user | array of Tag | Maximum items: 30 |
| unique_id | A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites. |
string | Readonly |