NSX-T Data Center REST API
FirewallRule (schema)
| Name | Description | Type | Notes |
|---|---|---|---|
| _links | References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST. |
array of ResourceLink | Readonly |
| _owner | Owner of this resource | OwnerResourceLink | Readonly |
| _revision | Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected. |
int | |
| _schema | Schema for this resource | string | Readonly |
| _self | Link to this resource | SelfResourceLink | Readonly |
| action | Action Action enforced on the packets which matches the distributed service rule. Currently DS Layer supports below actions. ALLOW - Forward any packet when a rule with this action gets a match (Used by Firewall). DROP - Drop any packet when a rule with this action gets a match. Packets won't go further(Used by Firewall). REJECT - Terminate TCP connection by sending TCP reset for a packet when a rule with this action gets a match (Used by Firewall). REDIRECT - Redirect any packet to a partner appliance when a rule with this action gets a match (Used by Service Insertion). DO_NOT_REDIRECT - Do not redirect any packet to a partner appliance when a rule with this action gets a match (Used by Service Insertion). DETECT - Detect IDS Signatures. ALLOW_CONTINUE - Allows rules to jump from this rule. Action on matching rules in the destination category will decide next step. Application is default destination until new categories are supported to jump to. DETECT_PREVENT - Detect and Prevent IDS Signatures. |
string | Required Enum: ALLOW, DROP, REJECT, REDIRECT, DO_NOT_REDIRECT, DETECT, ALLOW_CONTINUE, DETECT_PREVENT |
| applied_tos | AppliedTo List List of object where rule will be enforced. The section level field overrides this one. Null will be treated as any. |
array of ResourceReference | Maximum items: 128 |
| context_profiles | Context Profiles NS Profile object which accepts attributes and sub-attributes of various network services (ex. L7 AppId, domain name, encryption algorithm) as key value pairs. |
array of ResourceReference | Maximum items: 128 |
| description | Description of this resource | string | Maximum length: 1024 Sortable |
| destinations | Destination List List of the destinations. Null will be treated as any. |
array of ResourceReference | Maximum items: 128 |
| destinations_excluded | Negation of destination Negation of the destination. |
boolean | Default: "False" |
| direction | Rule direction Rule direction in case of stateless distributed service rules. This will only considered if section level parameter is set to stateless. Default to IN_OUT if not specified. |
string | Enum: IN, OUT, IN_OUT Default: "IN_OUT" |
| disabled | Rule enable/disable flag Flag to disable rule. Disabled will only be persisted but never provisioned/realized. |
boolean | Default: "False" |
| display_name | Identifier to use when displaying entity in logs or GUI Defaults to ID if not set |
string | Maximum length: 255 Sortable |
| extended_sources | Extended Sources List of NSGroups that have end point attributes like AD Groups(SID), process name, process hash etc. For Flash release, only NSGroups containing AD Groups are supported. |
array of ResourceReference | Maximum items: 128 |
| id | Identifier of the resource | string | Readonly |
| ip_protocol | IPv4 vs IPv6 packet type Type of IP packet that should be matched while enforcing the rule. |
string | Enum: IPV4, IPV6, IPV4_IPV6 Default: "IPV4_IPV6" |
| is_default | Default rule Flag to indicate whether rule is default. |
boolean | Readonly |
| logged | Enable logging flag Flag to enable packet logging. Default is disabled. |
boolean | Default: "False" |
| notes | Notes User notes specific to the rule. |
string | Maximum length: 2048 |
| priority | Rule priority Priority of the rule. |
integer | Readonly |
| resource_type | Must be set to the value FirewallRule | string | |
| rule_tag | Tag User level field which will be printed in CLI and packet logs. |
string | Maximum length: 32 |
| section_id | Section Id Section Id of the section to which this rule belongs to. |
string | Readonly |
| services | Service List List of the services. Null will be treated as any. |
array of FirewallService | Maximum items: 128 |
| sources | Source List List of sources. Null will be treated as any. |
array of ResourceReference | Maximum items: 128 |
| sources_excluded | Negation of source Negation of the source. |
boolean | Default: "False" |