Create Firewall Rule

Creates a Firewall Rule on the Edge Gateway.

Request

URI

POST

https://{api_host}/cloudapi/1.0.0/edgeGateways/{gatewayId}/firewall/rules

COPY

Path Parameters

string

externalNetworkId

Required

externalNetworkId

string

externalNetworkId

Required

externalNetworkId

Request Body

GatewayFirewallRule of type(s) application/json

Optional

{
    "id": "string",
    "name": "string",
    "description": "string",
    "sourceFirewallGroups": [
        {
            "name": "string",
            "id": "string"
        }
    ],
    "sourceFirewallIpAddresses": [
        "string"
    ],
    "destinationFirewallGroups": [
        {
            "name": "string",
            "id": "string"
        }
    ],
    "destinationFirewallIpAddresses": [
        "string"
    ],
    "applicationPortProfiles": [
        {
            "name": "string",
            "id": "string"
        }
    ],
    "rawPortProtocols": [
        {
            "layer4Item": {
                "protocol": "string",
                "sourcePorts": [
                    "8080",
                    "8090-8095"
                ],
                "destinationPorts": [
                    "20",
                    "21",
                    "139-445"
                ]
            }
        }
    ],
    "ipProtocol": "string",
    "actionValue": "string",
    "direction": "string",
    "logging": false,
    "networkContextProfiles": [
        {
            "name": "string",
            "id": "string"
        }
    ],
    "active": false,
    "version": {
        "version": 0
    },
    "comments": "string",
    "appliedTo": {
        "name": "string",
        "id": "string"
    },
    "loggingId": "string",
    "relativePosition": {
        "adjacentRuleId": "string",
        "rulePosition": "string"
    }
}

string

Optional

The unique id of this firewall rule. If a rule with the ruleId is not already present, a new rule will be created. If it already exists, the rule will be updated.

string

name

Required

Name for the rule.

string

description

Optional

description

array of EntityReference

sourceFirewallGroups

Optional

List of source groups for firewall rule. It specifies the sources of network traffic for the firewall rule. Null values in both this property and sourceFirewallIpAddresses will be treated as "ANY" For Distributed Firewall rules, an entry with an id of urn:vcloud:firewallGroup:internal can be used to specify all internal vDC Group network traffic.

array of string

sourceFirewallIpAddresses

Optional

List of source IP addresses, IP Ranges, or CIDRs. This specifies the source of the traffic which the firewall rule will be applied to Null values in both this property and sourceFirewallGroups will be treated as "ANY"

array of EntityReference

destinationFirewallGroups

Optional

List of source groups for firewall rule. It specifies the destinations of network traffic for the firewall rule. Null values in both this property and destinationFirewallIpAddresses will be treated as "ANY" For Distributed Firewall rules, an entry with an id of urn:vcloud:firewallGroup:internal can be used to specify all internal vDC Group network traffic.

array of string

destinationFirewallIpAddresses

Optional

List of destination IP addresses, IP Ranges, or CIDRs. This specifies the destination of the traffic which the firewall rule will be applied to Null values in both this property and destinationFirewallGroups will be treated as "ANY"

array of EntityReference

applicationPortProfiles

Optional

The list of application ports where this firewall rule is applicable. Null value or an empty list will be treated as "ANY" which means rule applies to all ports.

array of RawPortProtocol

rawPortProtocols

Optional

A list of raw port-protocol entries where this firewall rule is applicable.

string

ipProtocol

Optional

Type of IP packet that should be matched while enforcing the rule. Default value is IPV4_IPV6.

IPV4
IPV6
IPV4_IPV6

string

actionValue

Optional

The action to be applied to all the traffic that meets the firewall rule criteria. It determines if the rule permits or blocks traffic. Property is required if action is not set. Below are valid values.

ALLOW permits traffic to go through the firewall.
DROP blocks the traffic at the firewall. No response is sent back to the source.
REJECT blocks the traffic at the firewall. A response is sent back to the source.

string

direction

Optional

Specifies the direction of the network traffic. Default value is IN_OUT.

IN
OUT
IN_OUT

boolean

logging

Optional

Whether packet logging is active for firewall rule.

array of EntityReference

networkContextProfiles

Optional

The list of layer 7 network context profiles where this firewall rule is applicable. Null value or an empty list will be treated as "ANY" which means rule applies to all applications and domains.

boolean

active

Optional

Whether the firewall rule is active.

ObjectVersion

version

Optional

This property describes the current version of the entity. To prevent clients from overwriting each other's changes, update operations must include the version which can be obtained by issuing a GET operation. If the version number on an update call is missing, the operation will be rejected. This is only needed on update calls.

string

comments

Optional

Text for user entered comments on the firewall rule. Length cannot exceed 2048 characters.

EntityReference

appliedTo

Optional

Entity reference used to describe VCD entities

string

loggingId

Optional

Unique ID assigned by the backing NSX-T network provider. Passed all the way down to the datapath, and is used for logging by NSX-T. Only applies to NSX-T.

FirewallRuleRelativePosition

relativePosition

Optional

Defines a relative position to place a firewall rule.

Authentication

This operation uses the following authentication methods.

ApiKeyAuth

Responses

202

The request have been accepted and the task to monitor the request is in the Location header.

Operation doesn't return any data structure

Availability