NSX-T Data Center REST API
NsxFirewallRule (type)
{ "description": "NSX firewall rule and its details, such as source, destination and service, together with any errors that occurred during realization. Rule errors are populated if the rule failed to realize for an Agentless VM.", "extends": { "$ref": "FirewallRule" }, "id": "NsxFirewallRule", "module_id": "CloudTypes", "properties": { "_links": { "description": "The server will populate this field when returning the resource. Ignored on PUT and POST.", "items": { "$ref": "ResourceLink" }, "readonly": true, "title": "References related to this resource", "type": "array" }, "_owner": { "$ref": "OwnerResourceLink", "readonly": true, "title": "Owner of this resource" }, "_revision": { "description": "The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.", "title": "Generation of this resource config", "type": "int" }, "_schema": { "readonly": true, "title": "Schema for this resource", "type": "string" }, "_self": { "$ref": "SelfResourceLink", "readonly": true, "title": "Link to this resource" }, "action": { "description": "Action enforced on the packets which match the distributed service rule. Currently the DS Layer supports the actions below. ALLOW - Forward any packet when a rule with this action gets a match (Used by Firewall). DROP - Drop any packet when a rule with this action gets a match. Packets won't go further (Used by Firewall). REJECT - Terminate TCP connection by sending TCP reset for a packet when a rule with this action gets a match (Used by Firewall). REDIRECT - Redirect any packet to a partner appliance when a rule with this action gets a match (Used by Service Insertion). 
DO_NOT_REDIRECT - Do not redirect any packet to a partner appliance when a rule with this action gets a match (Used by Service Insertion). DETECT - Detect IDS Signatures. ALLOW_CONTINUE - Allows rules to jump from this rule. Action on matching rules in the destination category will decide the next step. Application is the default destination until new categories are supported to jump to. DETECT_PREVENT - Detect and Prevent IDS Signatures.", "enum": [ "ALLOW", "DROP", "REJECT", "REDIRECT", "DO_NOT_REDIRECT", "DETECT", "ALLOW_CONTINUE", "DETECT_PREVENT" ], "readonly": false, "required": true, "title": "Action", "type": "string" }, "applied_tos": { "description": "List of objects where the rule will be enforced. The section level field overrides this one. Null will be treated as any.", "items": { "$ref": "ResourceReference" }, "maxItems": 128, "readonly": false, "required": false, "title": "AppliedTo List", "type": "array" }, "context_profiles": { "description": "NS Profile object which accepts attributes and sub-attributes of various network services (ex. L7 AppId, domain name, encryption algorithm) as key value pairs.", "items": { "$ref": "ResourceReference" }, "maxItems": 128, "title": "Context Profiles", "type": "array" }, "description": { "can_sort": true, "maxLength": 1024, "title": "Description of this resource", "type": "string" }, "destinations": { "description": "List of the destinations. Null will be treated as any.", "items": { "$ref": "ResourceReference" }, "maxItems": 128, "readonly": false, "required": false, "title": "Destination List", "type": "array" }, "destinations_excluded": { "default": false, "description": "Negation of the destination.", "readonly": false, "required": false, "title": "Negation of destination", "type": "boolean" }, "direction": { "default": "IN_OUT", "description": "Rule direction in case of stateless distributed service rules. This will only be considered if the section level parameter is set to stateless. 
Defaults to IN_OUT if not specified.", "enum": [ "IN", "OUT", "IN_OUT" ], "readonly": false, "required": false, "title": "Rule direction", "type": "string" }, "disabled": { "default": false, "description": "Flag to disable the rule. A disabled rule is only persisted, never provisioned/realized.", "readonly": false, "required": false, "title": "Rule enable/disable flag", "type": "boolean" }, "display_name": { "can_sort": true, "description": "Defaults to ID if not set", "maxLength": 255, "title": "Identifier to use when displaying entity in logs or GUI", "type": "string" }, "error_details": { "$ref": "CloudErrorDetails", "description": "Provides the error message if the NSX rule failed to realize", "readonly": true, "required": false, "title": "NSX firewall rule error details" }, "extended_sources": { "description": "List of NSGroups that have end point attributes like AD Groups (SID), process name, process hash etc. For Flash release, only NSGroups containing AD Groups are supported.", "items": { "$ref": "ResourceReference" }, "maxItems": 128, "title": "Extended Sources", "type": "array" }, "id": { "description": "Identifier of the resource", "readonly": true, "required": false, "type": "string" }, "ip_protocol": { "default": "IPV4_IPV6", "description": "Type of IP packet that should be matched while enforcing the rule.", "enum": [ "IPV4", "IPV6", "IPV4_IPV6" ], "readonly": false, "required": false, "title": "IPv4 vs IPv6 packet type", "type": "string" }, "is_default": { "description": "Flag to indicate whether rule is default.", "readonly": true, "required": false, "title": "Default rule", "type": "boolean" }, "logged": { "default": false, "description": "Flag to enable packet logging. 
Default is disabled.", "readonly": false, "required": false, "title": "Enable logging flag", "type": "boolean" }, "notes": { "description": "User notes specific to the rule.", "maxLength": 2048, "readonly": false, "required": false, "title": "Notes", "type": "string" }, "priority": { "description": "Priority of the rule.", "readonly": true, "required": false, "title": "Rule priority", "type": "integer" }, "resource_type": { "description": "The type of this resource.", "readonly": false, "type": "string" }, "rule_tag": { "description": "User level field which will be printed in CLI and packet logs.", "maxLength": 32, "readonly": false, "required": false, "title": "Tag", "type": "string" }, "section_id": { "description": "Id of the section to which this rule belongs.", "readonly": true, "required": false, "title": "Section Id", "type": "string" }, "services": { "description": "List of the services. Null will be treated as any.", "items": { "$ref": "FirewallService" }, "maxItems": 128, "readonly": false, "required": false, "title": "Service List", "type": "array" }, "sources": { "description": "List of sources. Null will be treated as any.", "items": { "$ref": "ResourceReference" }, "maxItems": 128, "readonly": false, "required": false, "title": "Source List", "type": "array" }, "sources_excluded": { "default": false, "description": "Negation of the source.", "readonly": false, "required": false, "title": "Negation of source", "type": "boolean" }, "status": { "description": "SUCCEEDED - NSX firewall rule is successfully realized on the cloud. FAILED - NSX firewall rule has failed to realize on the cloud and has errors.", "enum": [ "SUCCEEDED", "FAILED" ], "readonly": true, "required": false, "title": "Provides the status of NSX firewall rule on the cloud", "type": "string" } }, "title": "NSX firewall rule and the details/errors\n", "type": "object" }