NSX-T Data Center REST API

Add a Single Rule in a Section (Deprecated)

Adds a new firewall rule in existing firewall section. Adding firewall rule
to a section modifies parent section entity and simultaneous update (modify)
operations on same section are not allowed to prevent overwriting stale
content to firewall section. If a concurrent update is performed, HTTP
response code 409 will be returned to the client operating on stale data.
That client should retrieve the firewall section again and re-apply its
update.
Deprecated:
Use the following Policy API -
PUT|PATCH /policy/api/v1/infra/domains/<domain-id>/security-policies/<security-policy-id>

Request:

Method:

POST

URI Path(s):

/api/v1/firewall/sections/{section-id}/rules

Request Headers:

n/a

Query Parameters:

FirewallInsertParameters+

Name	Description	Type	Notes
id	Identifier of the anchor rule or section. This is a required field in case operation like 'insert_before' and 'insert_after'.	string	Maximum length: 64
operation	Operation	string	Enum: insert_top, insert_bottom, insert_after, insert_before Default: "insert_top"

Request Body:

FirewallRule+

FirewallRule (schema)

Name	Description	Type	Notes
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_owner	Owner of this resource	OwnerResourceLink	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
action	Action Action enforced on the packets which matches the distributed service rule. Currently DS Layer supports below actions. ALLOW - Forward any packet when a rule with this action gets a match (Used by Firewall). DROP - Drop any packet when a rule with this action gets a match. Packets won't go further(Used by Firewall). REJECT - Terminate TCP connection by sending TCP reset for a packet when a rule with this action gets a match (Used by Firewall). REDIRECT - Redirect any packet to a partner appliance when a rule with this action gets a match (Used by Service Insertion). DO_NOT_REDIRECT - Do not redirect any packet to a partner appliance when a rule with this action gets a match (Used by Service Insertion). DETECT - Detect IDS Signatures. ALLOW_CONTINUE - Allows rules to jump from this rule. Action on matching rules in the destination category will decide next step. Application is default destination until new categories are supported to jump to. DETECT_PREVENT - Detect and Prevent IDS Signatures.	string	Required Enum: ALLOW, DROP, REJECT, REDIRECT, DO_NOT_REDIRECT, DETECT, ALLOW_CONTINUE, DETECT_PREVENT
applied_tos	AppliedTo List List of object where rule will be enforced. The section level field overrides this one. Null will be treated as any.	array of ResourceReference	Maximum items: 128
context_profiles	Context Profiles NS Profile object which accepts attributes and sub-attributes of various network services (ex. L7 AppId, domain name, encryption algorithm) as key value pairs.	array of ResourceReference	Maximum items: 128
description	Description of this resource	string	Maximum length: 1024 Sortable
destinations	Destination List List of the destinations. Null will be treated as any.	array of ResourceReference	Maximum items: 128
destinations_excluded	Negation of destination Negation of the destination.	boolean	Default: "False"
direction	Rule direction Rule direction in case of stateless distributed service rules. This will only considered if section level parameter is set to stateless. Default to IN_OUT if not specified.	string	Enum: IN, OUT, IN_OUT Default: "IN_OUT"
disabled	Rule enable/disable flag Flag to disable rule. Disabled will only be persisted but never provisioned/realized.	boolean	Default: "False"
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
extended_sources	Extended Sources List of NSGroups that have end point attributes like AD Groups(SID), process name, process hash etc. For Flash release, only NSGroups containing AD Groups are supported.	array of ResourceReference	Maximum items: 128
id	Identifier of the resource	string	Readonly
ip_protocol	IPv4 vs IPv6 packet type Type of IP packet that should be matched while enforcing the rule.	string	Enum: IPV4, IPV6, IPV4_IPV6 Default: "IPV4_IPV6"
is_default	Default rule Flag to indicate whether rule is default.	boolean	Readonly
logged	Enable logging flag Flag to enable packet logging. Default is disabled.	boolean	Default: "False"
notes	Notes User notes specific to the rule.	string	Maximum length: 2048
priority	Rule priority Priority of the rule.	integer	Readonly
resource_type	Must be set to the value FirewallRule	string
rule_tag	Tag User level field which will be printed in CLI and packet logs.	string	Maximum length: 32
section_id	Section Id Section Id of the section to which this rule belongs to.	string	Readonly
services	Service List List of the services. Null will be treated as any.	array of FirewallService	Maximum items: 128
sources	Source List List of sources. Null will be treated as any.	array of ResourceReference	Maximum items: 128
sources_excluded	Negation of source Negation of the source.	boolean	Default: "False"

Example Request:

{ "display_name": "layer3rule1", "destinations_excluded": false, "sources": [ { "target_display_name": "192.168.100.7", "is_valid": true, "target_type": "IPv4Address", "target_id": "192.168.100.7" } ], "destinations": [ { "target_display_name": "192.168.100.8", "is_valid": true, "target_type": "IPv4Address", "target_id": "192.168.100.8" } ], "ip_protocol": "IPV4_IPV6", "logged": false, "action": "ALLOW", "sources_excluded": false, "disabled": false, "direction": "IN_OUT" }

Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

FirewallRule+

FirewallRule (schema)

Name	Description	Type	Notes
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_owner	Owner of this resource	OwnerResourceLink	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
action	Action Action enforced on the packets which matches the distributed service rule. Currently DS Layer supports below actions. ALLOW - Forward any packet when a rule with this action gets a match (Used by Firewall). DROP - Drop any packet when a rule with this action gets a match. Packets won't go further(Used by Firewall). REJECT - Terminate TCP connection by sending TCP reset for a packet when a rule with this action gets a match (Used by Firewall). REDIRECT - Redirect any packet to a partner appliance when a rule with this action gets a match (Used by Service Insertion). DO_NOT_REDIRECT - Do not redirect any packet to a partner appliance when a rule with this action gets a match (Used by Service Insertion). DETECT - Detect IDS Signatures. ALLOW_CONTINUE - Allows rules to jump from this rule. Action on matching rules in the destination category will decide next step. Application is default destination until new categories are supported to jump to. DETECT_PREVENT - Detect and Prevent IDS Signatures.	string	Required Enum: ALLOW, DROP, REJECT, REDIRECT, DO_NOT_REDIRECT, DETECT, ALLOW_CONTINUE, DETECT_PREVENT
applied_tos	AppliedTo List List of object where rule will be enforced. The section level field overrides this one. Null will be treated as any.	array of ResourceReference	Maximum items: 128
context_profiles	Context Profiles NS Profile object which accepts attributes and sub-attributes of various network services (ex. L7 AppId, domain name, encryption algorithm) as key value pairs.	array of ResourceReference	Maximum items: 128
description	Description of this resource	string	Maximum length: 1024 Sortable
destinations	Destination List List of the destinations. Null will be treated as any.	array of ResourceReference	Maximum items: 128
destinations_excluded	Negation of destination Negation of the destination.	boolean	Default: "False"
direction	Rule direction Rule direction in case of stateless distributed service rules. This will only considered if section level parameter is set to stateless. Default to IN_OUT if not specified.	string	Enum: IN, OUT, IN_OUT Default: "IN_OUT"
disabled	Rule enable/disable flag Flag to disable rule. Disabled will only be persisted but never provisioned/realized.	boolean	Default: "False"
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
extended_sources	Extended Sources List of NSGroups that have end point attributes like AD Groups(SID), process name, process hash etc. For Flash release, only NSGroups containing AD Groups are supported.	array of ResourceReference	Maximum items: 128
id	Identifier of the resource	string	Readonly
ip_protocol	IPv4 vs IPv6 packet type Type of IP packet that should be matched while enforcing the rule.	string	Enum: IPV4, IPV6, IPV4_IPV6 Default: "IPV4_IPV6"
is_default	Default rule Flag to indicate whether rule is default.	boolean	Readonly
logged	Enable logging flag Flag to enable packet logging. Default is disabled.	boolean	Default: "False"
notes	Notes User notes specific to the rule.	string	Maximum length: 2048
priority	Rule priority Priority of the rule.	integer	Readonly
resource_type	Must be set to the value FirewallRule	string
rule_tag	Tag User level field which will be printed in CLI and packet logs.	string	Maximum length: 32
section_id	Section Id Section Id of the section to which this rule belongs to.	string	Readonly
services	Service List List of the services. Null will be treated as any.	array of FirewallService	Maximum items: 128
sources	Source List List of sources. Null will be treated as any.	array of ResourceReference	Maximum items: 128
sources_excluded	Negation of source Negation of the source.	boolean	Default: "False"

Example Response:

{ "id": "1799168", "display_name": "layer3rule1", "destinations_excluded": false, "sources": [ { "target_display_name": "192.168.100.7", "is_valid": true, "target_type": "IPv4Address", "target_id": "192.168.100.7" } ], "destinations": [ { "target_display_name": "192.168.100.8", "is_valid": true, "target_type": "IPv4Address", "target_id": "192.168.100.8" } ], "ip_protocol": "IPV4_IPV6", "logged": false, "action": "ALLOW", "sources_excluded": false, "disabled": false, "direction": "IN_OUT", "_revision": 0 }

NSX-T Data Center REST API

Add a Single Rule in a Section (Deprecated)

Request:

FirewallInsertParameters (schema)

FirewallRule (schema)

Example Request:

Successful Response:

FirewallRule (schema)

Example Response:

Required Permissions:

Feature:

Additional Errors: