GET /wafpolicy/{uuid}
/wafpolicy/{uuid}/{uuid}
UUID of the object to fetch
object name
List of fields to be returned for the resource. Some fields like name, URL, uuid etc. are always returned.
All the Avi REST reference URIs have a name suffix as URI#name. It is useful to get the referenced resource name without performing get on that object.
Default values are not set.
It automatically returns additional dependent resources like runtime. Eg. join_subresources=runtime.
Avi Tenant Header
Avi Tenant Header UUID
The caller is required to set Avi Version Header to the expected version of configuration. The response from the controller will provide and accept data according to the specified version. The controller will reject POST and PUT requests where the data is not compatible with the specified version.
Avi Controller may send back CSRF token in the response cookies. The caller should update the request headers with this token else controller will reject requests.
OK
{
"_last_modified": "string",
"allow_mode_delegation": false,
"allowlist": {
"rules": [
{
"actions": [
"string"
],
"description": "string",
"enable": false,
"index": 0,
"match": {
"bot_detection_result": {
"classifications": [
{
"type": "string",
"user_defined_type": "string"
}
],
"match_operation": "string"
},
"client_ip": {
"addrs": [
{
"addr": "string",
"type": "string"
}
],
"group_refs": [
"string"
],
"match_criteria": "string",
"prefixes": [
{
"ip_addr": {
"addr": "string",
"type": "string"
},
"mask": 0
}
],
"ranges": [
{
"begin": {
"addr": "string",
"type": "string"
},
"end": {
"addr": "string",
"type": "string"
}
}
]
},
"cookie": {
"match_case": "string",
"match_criteria": "string",
"name": "string",
"value": "string"
},
"geo_matches": [
{
"attribute": "string",
"match_operation": "string",
"values": [
"string"
]
}
],
"hdrs": [
{
"hdr": "string",
"match_case": "string",
"match_criteria": "string",
"string_group_refs": [
"string"
],
"value": [
"string"
]
}
],
"host_hdr": {
"match_case": "string",
"match_criteria": "string",
"value": [
"string"
]
},
"ip_reputation_type": {
"match_operation": "string",
"reputation_types": [
"string"
]
},
"method": {
"match_criteria": "string",
"methods": [
"string"
]
},
"path": {
"match_case": "string",
"match_criteria": "string",
"match_decoded_string": false,
"match_str": [
"string"
],
"string_group_refs": [
"string"
]
},
"protocol": {
"match_criteria": "string",
"protocols": "string"
},
"query": {
"match_case": "string",
"match_criteria": "string",
"match_decoded_string": false,
"match_str": [
"string"
],
"string_group_refs": [
"string"
]
},
"source_ip": {
"addrs": [
{
"addr": "string",
"type": "string"
}
],
"group_refs": [
"string"
],
"match_criteria": "string",
"prefixes": [
{
"ip_addr": {
"addr": "string",
"type": "string"
},
"mask": 0
}
],
"ranges": [
{
"begin": {
"addr": "string",
"type": "string"
},
"end": {
"addr": "string",
"type": "string"
}
}
]
},
"tls_fingerprint_match": {
"fingerprints": [
"string"
],
"match_operation": "string",
"string_group_refs": [
"string"
]
},
"version": {
"match_criteria": "string",
"versions": [
"string"
]
},
"vs_port": {
"match_criteria": "string",
"ports": [
0
]
}
},
"name": "string",
"sampling_percent": 0
}
]
},
"application_signatures": {
"provider_ref": "string",
"rule_overrides": [
{
"enable": false,
"exclude_list": [
{
"client_subnet": {
"ip_addr": {
"addr": "string",
"type": "string"
},
"mask": 0
},
"description": "string",
"match_element": "string",
"match_element_criteria": {
"match_case": "string",
"match_op": "string"
},
"uri_match_criteria": {
"match_case": "string",
"match_op": "string"
},
"uri_path": "string"
}
],
"mode": "string",
"rule_id": "string"
}
],
"ruleset_version": "string",
"selected_applications": [
"string"
]
},
"auto_update_crs": false,
"bypass_static_extensions": false,
"confidence_override": {
"confid_high_value": 0,
"confid_low_value": 0,
"confid_probable_value": 0,
"confid_very_high_value": 0
},
"created_by": "string",
"crs_overrides": [
{
"enable": false,
"exclude_list": [
{
"client_subnet": {
"ip_addr": {
"addr": "string",
"type": "string"
},
"mask": 0
},
"description": "string",
"match_element": "string",
"match_element_criteria": {
"match_case": "string",
"match_op": "string"
},
"uri_match_criteria": {
"match_case": "string",
"match_op": "string"
},
"uri_path": "string"
}
],
"mode": "string",
"name": "string",
"rule_overrides": [
{
"enable": false,
"exclude_list": [
{
"client_subnet": {
"ip_addr": {
"addr": "string",
"type": "string"
},
"mask": 0
},
"description": "string",
"match_element": "string",
"match_element_criteria": {
"match_case": "string",
"match_op": "string"
},
"uri_match_criteria": {
"match_case": "string",
"match_op": "string"
},
"uri_path": "string"
}
],
"mode": "string",
"rule_id": "string"
}
]
}
],
"description": "string",
"enable_app_learning": false,
"enable_auto_rule_updates": false,
"enable_regex_learning": false,
"enable_streaming": false,
"failure_mode": "string",
"fixed_sampling_rate": 0,
"geo_db_ref": "string",
"learning_params": {
"enable_learn_from_bots": false,
"enable_per_uri_learning": false,
"learn_from_authenticated_clients_only": false,
"learn_from_bots": {
"classifications": [
{
"type": "string",
"user_defined_type": "string"
}
],
"match_operation": "string"
},
"max_params": 0,
"max_uris": 0,
"min_hits_to_learn": 0,
"sampling_percent": 0,
"trusted_ipgroup_ref": "string",
"update_interval": 0
},
"markers": [
{
"key": "string",
"values": [
"string"
]
}
],
"min_confidence": "string",
"mode": "string",
"name": "string",
"paranoia_level": "string",
"positive_security_model": {
"group_refs": [
"string"
]
},
"post_crs_groups": [
{
"enable": false,
"exclude_list": [
{
"client_subnet": {
"ip_addr": {
"addr": "string",
"type": "string"
},
"mask": 0
},
"description": "string",
"match_element": "string",
"match_element_criteria": {
"match_case": "string",
"match_op": "string"
},
"uri_match_criteria": {
"match_case": "string",
"match_op": "string"
},
"uri_path": "string"
}
],
"index": 0,
"name": "string",
"rules": [
{
"enable": false,
"exclude_list": [
{
"client_subnet": {
"ip_addr": {
"addr": "string",
"type": "string"
},
"mask": 0
},
"description": "string",
"match_element": "string",
"match_element_criteria": {
"match_case": "string",
"match_op": "string"
},
"uri_match_criteria": {
"match_case": "string",
"match_op": "string"
},
"uri_path": "string"
}
],
"index": 0,
"is_sensitive": false,
"mode": "string",
"name": "string",
"paranoia_level": "string",
"phase": "string",
"rule": "string",
"rule_id": "string",
"tags": [
"string"
]
}
]
}
],
"pre_crs_groups": [
{
"enable": false,
"exclude_list": [
{
"client_subnet": {
"ip_addr": {
"addr": "string",
"type": "string"
},
"mask": 0
},
"description": "string",
"match_element": "string",
"match_element_criteria": {
"match_case": "string",
"match_op": "string"
},
"uri_match_criteria": {
"match_case": "string",
"match_op": "string"
},
"uri_path": "string"
}
],
"index": 0,
"name": "string",
"rules": [
{
"enable": false,
"exclude_list": [
{
"client_subnet": {
"ip_addr": {
"addr": "string",
"type": "string"
},
"mask": 0
},
"description": "string",
"match_element": "string",
"match_element_criteria": {
"match_case": "string",
"match_op": "string"
},
"uri_match_criteria": {
"match_case": "string",
"match_op": "string"
},
"uri_path": "string"
}
],
"index": 0,
"is_sensitive": false,
"mode": "string",
"name": "string",
"paranoia_level": "string",
"phase": "string",
"rule": "string",
"rule_id": "string",
"tags": [
"string"
]
}
]
}
],
"sampling_mode": "string",
"tenant_ref": "string",
"updated_crs_rules_in_detection_mode": false,
"url": "string",
"use_evaluation_mode_on_crs_update": false,
"uuid": "string",
"waf_crs_ref": "string",
"waf_profile_ref": "string"
}UNIX time since epoch in microseconds. Units(MICROSECONDS).
Allow Rules to overwrite the policy mode. This must be set if the policy mode is set to enforcement. Field introduced in 18.1.5, 18.2.1. Allowed with any value in Enterprise, Essentials, Basic, Enterprise with Cloud Services edition.
allowlist
application_signatures
If this flag is set, the system will try to keep the CRS version used in this policy up-to-date. If a newer CRS object is available on this controller, the system will issue the CRS upgrade process for this WAF Policy. It will not update polices if the current CRS version is CRS-VERSION-NOT-APPLICABLE. Field introduced in 22.1.3. Allowed with any value in Enterprise, Enterprise with Cloud Services edition.
Enable the functionality to bypass WAF for static file extensions. Field introduced in 22.1.1. Allowed with any value in Enterprise, Enterprise with Cloud Services edition.
confidence_override
Creator name. Field introduced in 17.2.4. Allowed with any value in Enterprise, Essentials, Basic, Enterprise with Cloud Services edition.
Override attributes for CRS rules. Field introduced in 20.1.6. Allowed with any value in Enterprise, Enterprise with Cloud Services edition.
Field introduced in 17.2.1. Allowed with any value in Enterprise, Essentials, Basic, Enterprise with Cloud Services edition.
[Deprecated] Enable Application Learning for this WAF policy. Field deprecated in 31.2.1. Field introduced in 18.2.3. Allowed with any value in Enterprise, Essentials, Basic, Enterprise with Cloud Services edition.
[Deprecated] Enable Application Learning based rule updates on the WAF Profile.Rules will be programmed in dedicated WAF learning group. Field deprecated in 31.2.1. Field introduced in 20.1.1. Allowed with any value in Enterprise, Essentials, Basic, Enterprise with Cloud Services edition.
[Deprecated] Enable dynamic regex generation for positive security model rules. This is an experimental feature and shouldn't be used in production. Field deprecated in 31.2.1. Field introduced in 20.1.1. Allowed with any value in Enterprise, Essentials, Basic, Enterprise with Cloud Services edition.
If this is set, WAF will let requests be streamed to the backend servers. If not set, requests and responses will be buffered up to the configured maximum values. It can only be set if the WafPolicy is not set to enforcement mode. Field introduced in 31.2.1. Allowed with any value in Enterprise, Enterprise with Cloud Services edition.
WAF Policy failure mode. This can be 'Open' or 'Closed'. Enum options - WAF_FAILURE_MODE_OPEN, WAF_FAILURE_MODE_CLOSED. Field introduced in 18.1.2. Allowed with any value in Enterprise, Essentials, Basic, Enterprise with Cloud Services edition.
If sampling_mode is set to FIXED_SAMPLING, this value determines the percentage of requests choosen for WAF processing. Allowed values are 1-100. Field introduced in 31.2.1. Unit is PERCENT. Allowed with any value in Enterprise, Enterprise with Cloud Services edition.
Geo Location Mapping Database used by this WafPolicy. It is a reference to an object of type GeoDB. Field introduced in 21.1.1. Allowed with any value in Enterprise, Enterprise with Cloud Services edition.
learning_params
List of labels to be used for granular RBAC. Field introduced in 20.1.5. Allowed with any value in Enterprise, Essentials, Basic, Enterprise with Cloud Services edition.
[Deprecated] Minimum confidence label required for auto rule updates. Enum options - CONFIDENCE_VERY_HIGH, CONFIDENCE_HIGH, CONFIDENCE_PROBABLE, CONFIDENCE_LOW, CONFIDENCE_NONE. Field deprecated in 31.2.1. Field introduced in 20.1.1. Allowed with any value in Enterprise, Essentials, Basic, Enterprise with Cloud Services edition.
WAF Policy mode. This can be either detection, enforcement or evaluation. It can be overwritten by rules if allow_mode_delegation is set. Enum options - WAF_MODE_DETECTION_ONLY, WAF_MODE_ENFORCEMENT, WAF_MODE_EVALUATION. Field introduced in 17.2.1. Allowed with any value in Enterprise, Essentials, Basic, Enterprise with Cloud Services edition.
Field introduced in 17.2.1. Allowed with any value in Enterprise, Essentials, Basic, Enterprise with Cloud Services edition.
WAF Ruleset paranoia mode. This is used to select Rules based on the paranoia-level tag. Enum options - WAF_PARANOIA_LEVEL_LOW, WAF_PARANOIA_LEVEL_MEDIUM, WAF_PARANOIA_LEVEL_HIGH, WAF_PARANOIA_LEVEL_EXTREME. Field introduced in 17.2.1. Allowed with any value in Enterprise, Essentials, Basic, Enterprise with Cloud Services edition.
positive_security_model
WAF Rules are categorized in to groups based on their characterization. These groups are created by the user and will be enforced after the CRS groups. Field introduced in 17.2.1. Allowed with any value in Enterprise, Essentials, Basic, Enterprise with Cloud Services edition.
WAF Rules are categorized in to groups based on their characterization. These groups are created by the user and will be enforced before the CRS groups. Field introduced in 17.2.1. Allowed with any value in Enterprise, Essentials, Basic, Enterprise with Cloud Services edition.
If and how WAF should use sampling to restrict the number of requests checked. Enum options - WAF_SAMPLING_MODE_NO_SAMPLING, WAF_SAMPLING_MODE_ADAPTIVE_SAMPLING, WAF_SAMPLING_MODE_FIXED_SAMPLING. Field introduced in 31.2.1. Allowed with any value in Enterprise, Enterprise with Cloud Services edition.
It is a reference to an object of type Tenant. Field introduced in 17.2.1. Allowed with any value in Enterprise, Essentials, Basic, Enterprise with Cloud Services edition.
The functionality of this flag was moved to the new use_evaluation_mode_on_crs_update flag. Field deprecated in 31.2.1. Field introduced in 22.1.3. Allowed with any value in Enterprise, Enterprise with Cloud Services edition.
url
While updating CRS, the system will make sure that new rules are added in EVALUATION mode. A CRS update will set new rules into EVALUATION mode by adding crs_overrides for the new rules. If this flag is not set or if the old CRS object was empty, the new rules will be added without crs_overrides. This option is used for the auto_update_crs workflow as well as for the UI based CRS update workflow. Field introduced in 31.2.1. Allowed with any value in Enterprise, Enterprise with Cloud Services edition.
Field introduced in 17.2.1. Allowed with any value in Enterprise, Essentials, Basic, Enterprise with Cloud Services edition.
WAF core ruleset used for the CRS part of this Policy. It is a reference to an object of type WafCRS. Field introduced in 18.1.1. Allowed with any value in Enterprise, Essentials, Basic, Enterprise with Cloud Services edition.
WAF Profile for WAF policy. It is a reference to an object of type WafProfile. Field introduced in 17.2.1. Allowed with any value in Enterprise, Essentials, Basic, Enterprise with Cloud Services edition.
log in failed
object not found
curl -H 'Authorization: <value>' https://{api_host}/api/wafpolicy/{uuid}