VirtualFirewallRule

Virtual firewall rules define intent based security policy entries to control traffic between source/destinations in the network. Virtual firewall rules are inherently stateful and are enforced as Ingress/Egress stateful ACLs in Nuage policy enforcement points

Overview

ACLTemplateName string read only  
action enum (DROP | FORWARD) required   filterable   orderable  
addressOverride string filterable   orderable  
associatedEgressEntryID string read only  
associatedIngressEntryID string read only  
associatedL7ApplicationSignatureID string
associatedLiveEntityID string read only   filterable  
associatedLiveTemplateID string read only  
associatedTrafficType enum (L4_SERVICE | L4_SERVICE_GROUP) filterable   orderable  
associatedTrafficTypeID string
description string filterable  
destinationPort string filterable   orderable  
domainName string read only  
DSCP string filterable   orderable  
embeddedMetadata list read only   autogenerated  
enterpriseName string read only  
entityScope enum (ENTERPRISE | GLOBAL) autogenerated  
etherType string filterable   orderable  
externalID string filterable   orderable   locally unique  
failsafeDatapath enum (FAIL_TO_BLOCK | FAIL_TO_WIRE) filterable   orderable  
flowLoggingEnabled boolean filterable   orderable  
ICMPCode string
ICMPType string
IPv6AddressOverride string filterable   orderable  
lastUpdatedBy string autogenerated  
locationEntityType enum (ENTERPRISENETWORK | NETWORKMACROGROUP | PGEXPRESSION | PGEXPRESSIONTEMPLATE | POLICYGROUP | POLICYGROUPTEMPLATE | PUBLICNETWORK | REDIRECTIONTARGET | REDIRECTIONTARGETTEMPLATE | SUBNET | SUBNETTEMPLATE | ZONE | ZONETEMPLATE) read only  
locationID string filterable   orderable  
locationType enum (ANY | ENTERPRISE_NETWORK | NETWORK_MACRO_GROUP | PGEXPRESSION | POLICYGROUP | SUBNET | UNDERLAY_INTERNET_POLICYGROUP | ZONE) required   filterable   orderable  
mirrorDestinationGroupID string
mirrorDestinationID string
networkEntityType enum (ENTERPRISENETWORK | NETWORKMACROGROUP | PGEXPRESSION | PGEXPRESSIONTEMPLATE | POLICYGROUP | POLICYGROUPTEMPLATE | PUBLICNETWORK | SAASAPPLICATIONGROUP | SUBNET | SUBNETTEMPLATE | ZONE | ZONETEMPLATE) read only  
networkID string filterable   orderable  
networkType enum (ANY | ENTERPRISE_NETWORK | NETWORK_MACRO_GROUP | PGEXPRESSION | POLICYGROUP | SUBNET | UNDERLAY_INTERNET_POLICYGROUP | ZONE) filterable   orderable  
overlayMirrorDestinationID string
policyState enum (DRAFT | LIVE) read only   filterable   orderable  
priority integer filterable   orderable  
protocol string filterable   orderable  
sourcePort string filterable   orderable  
stateful boolean filterable   orderable  
statsID string read only   autogenerated   filterable   orderable  
statsLoggingEnabled boolean filterable   orderable  
type enum (THREAT_PREVENTION) filterable   orderable  
webFilterID string orderable  
webFilterType enum (WEB_CATEGORY | WEB_DOMAIN_NAME) filterable   orderable  

API Resource

/virtualfirewallrules/id
delete get put

Parents

/virtualfirewallrules
get
/domains/id/virtualfirewallrules
get
/virtualfirewallpolicies/id/virtualfirewallrules
get post
/l2domains/id/virtualfirewallrules
get
/aggregateddomains/id/virtualfirewallrules
get

Children

/virtualfirewallrules/id/metadatas
get post
/virtualfirewallrules/id/globalmetadatas
get post put

Members

This object has no members.

Attributes documentation

ACLTemplateName string read only  
Discussion

The name of the parent template for this rule entry

Charateristics

Format: free
SDK attribute: ACLTemplateName

action enum required   filterable   orderable  
Discussion

The action of the rule, DROP or FORWARD. Possible values are DROP, FORWARD.

Charateristics

Allowed values: DROP, FORWARD
Default value: FORWARD
SDK attribute: action

addressOverride string filterable   orderable  
Discussion

Overrides the source IP for Ingress and destination IP for Egress, macentries will use this address as the match criteria.

Charateristics

Format: free
SDK attribute: addressOverride

associatedEgressEntryID string read only  
Discussion

In the draft mode, the ACL entry refers to this LiveEntity. In non-drafted mode, this is null.

Charateristics

Format: free
SDK attribute: associatedEgressEntryID

associatedIngressEntryID string read only  
Discussion

In the draft mode, the ACL entry refers to this LiveEntity. In non-drafted mode, this is null.

Charateristics

Format: free
SDK attribute: associatedIngressEntryID

associatedL7ApplicationSignatureID string
Discussion

The UUID of the associated L7 Application Signature

Charateristics

Format: free
SDK attribute: associatedL7ApplicationSignatureID

associatedLiveEntityID string read only   filterable  
Discussion

In the draft mode, the rule entry refers to this LiveEntity. In live mode, this is null.

Charateristics

Format: free
SDK attribute: associatedLiveEntityID

associatedLiveTemplateID string read only  
Discussion

In the draft mode, the ACL entity refers to this live entity parent. In non-drafted mode, this is null

Charateristics

Format: free
SDK attribute: associatedLiveTemplateID

associatedTrafficType enum filterable   orderable  
Discussion

This property reflects the type of traffic in case a rule entry is created using an Service or Service Group. In case a protocol and port are specified for the ACL entry, this property has to be empty (null). Supported values are L4_SERVICE, L4_SERVICE_GROUP and empty.

Charateristics

Allowed values: L4_SERVICE, L4_SERVICE_GROUP
SDK attribute: associatedTrafficType

associatedTrafficTypeID string
Discussion

If a traffic type is specified as Service or Service Group, then the associated Id of Service / Service Group should be specifed here

Charateristics

Format: free
SDK attribute: associatedTrafficTypeID

description string filterable  
Discussion

Description of the rule entry

Charateristics

Format: free
Max length: 255
SDK attribute: description

destinationPort string filterable   orderable  
Discussion

The destination port to be matched if protocol is UDP or TCP. Value should be either * or a single port number or a port range like 1,2.. or 1 - 10

Charateristics

Format: free
Max length: 255
SDK attribute: destinationPort

domainName string read only  
Discussion

The name of the domain/domain template for the Rule TemplateName.

Charateristics

Format: free
SDK attribute: domainName

DSCP string filterable   orderable  
Discussion

DSCP match condition to be set in the rule. It is either * or from 0-63

Charateristics

Format: free
SDK attribute: DSCP

embeddedMetadata list read only   autogenerated  
Discussion

Metadata objects associated with this entity. This will contain a list of Metadata objects if the API request is made using the special flag to enable the embedded Metadata feature. Only a maximum of Metadata objects is returned based on the value set in the system configuration.

Charateristics

SDK attribute: embeddedMetadata

enterpriseName string read only  
Discussion

The name of the enterprise for the domain's parent

Charateristics

Format: free
SDK attribute: enterpriseName

entityScope enum autogenerated  
Discussion

Specify if scope of entity is Data center or Enterprise level

Charateristics

Allowed values: ENTERPRISE, GLOBAL
SDK attribute: entityScope

etherType string filterable   orderable  
Discussion

Ether type of the packet to be matched. etherType can be * or a valid hexadecimal value

Charateristics

Format: free
SDK attribute: etherType

externalID string filterable   orderable   locally unique  
Discussion

External object ID. Used for integration with third party systems

Charateristics

Format: free
SDK attribute: externalID

failsafeDatapath enum filterable   orderable  
Discussion

Backup datapath option if VNF/VM is down

Charateristics

Allowed values: FAIL_TO_BLOCK, FAIL_TO_WIRE
SDK attribute: failsafeDatapath

flowLoggingEnabled boolean filterable   orderable  
Discussion

Is flow logging enabled for this particular template

Charateristics

Default value: false
SDK attribute: flowLoggingEnabled

ICMPCode string
Discussion

The ICMP Code when protocol selected is ICMP.

Charateristics

Format: free
SDK attribute: ICMPCode

ICMPType string
Discussion

The ICMP Type when protocol selected is ICMP.

Charateristics

Format: free
SDK attribute: ICMPType

IPv6AddressOverride string filterable   orderable  
Discussion

Overrides the source IPV6 for Ingress and destination IPV6 for Egress, macentries will use this address as the match criteria.

Charateristics

Format: free
SDK attribute: IPv6AddressOverride

lastUpdatedBy string autogenerated  
Discussion

ID of the user who last updated the object.

Charateristics

Format: free
SDK attribute: lastUpdatedBy

locationEntityType enum read only  
Discussion

Indicates whether the Location Entity of ACL Entry was derived from a L2/L3 Domain template or instance. Possible Values: ENTERPRISENETWORK, NETWORKMACROGROUP, PGEXPRESSION, PGEXPRESSIONTEMPLATE, POLICYGROUP, POLICYGROUPTEMPLATE, PUBLICNETWORK, REDIRECTIONTARGET, REDIRECTIONTARGETTEMPLATE, SUBNET, SUBNETTEMPLATE, ZONE, ZONETEMPLATE.

Charateristics

Allowed values: ENTERPRISENETWORK, NETWORKMACROGROUP, PGEXPRESSION, PGEXPRESSIONTEMPLATE, POLICYGROUP, POLICYGROUPTEMPLATE, PUBLICNETWORK, REDIRECTIONTARGET, REDIRECTIONTARGETTEMPLATE, SUBNET, SUBNETTEMPLATE, ZONE, ZONETEMPLATE
SDK attribute: locationEntityType

locationID string filterable   orderable  
Discussion

The ID of the source endpoint (Subnet/Zone/PortGroup/PolicyGroupExpression/NetworkMacro/Internet Policy Group/Enterprise Network)

Charateristics

Format: free
SDK attribute: locationID

locationType enum required   filterable   orderable  
Discussion

Type of the source endpoint (Subnet/Zone/PortGroup/PolicyGroupExpression/NetworkMacro/Internet Policy Group/Enterprise Network)

Charateristics

Allowed values: ANY, ENTERPRISE_NETWORK, NETWORK_MACRO_GROUP, PGEXPRESSION, POLICYGROUP, SUBNET, UNDERLAY_INTERNET_POLICYGROUP, ZONE
SDK attribute: locationType

mirrorDestinationGroupID string
Discussion

ID of the associated Mirror Destination Group.

Charateristics

Format: free
Max length: 255
SDK attribute: mirrorDestinationGroupID

mirrorDestinationID string
Discussion

Destination ID of the mirror destination object.

Charateristics

Format: free
SDK attribute: mirrorDestinationID

networkEntityType enum read only  
Discussion

Indicates whether the Network Entity of ACL Entry was derived from a L2/L3 Domain template or instance. Possible Values: ENTERPRISENETWORK, NETWORKMACROGROUP, PGEXPRESSION, PGEXPRESSIONTEMPLATE, POLICYGROUP, POLICYGROUPTEMPLATE, PUBLICNETWORK, SAASAPPLICATIONGROUP, SUBNET, SUBNETTEMPLATE, ZONE, ZONETEMPLATE.

Charateristics

Allowed values: ENTERPRISENETWORK, NETWORKMACROGROUP, PGEXPRESSION, PGEXPRESSIONTEMPLATE, POLICYGROUP, POLICYGROUPTEMPLATE, PUBLICNETWORK, SAASAPPLICATIONGROUP, SUBNET, SUBNETTEMPLATE, ZONE, ZONETEMPLATE
SDK attribute: networkEntityType

networkID string filterable   orderable  
Discussion

The ID of the destination endpoint (Subnet/Zone/PortGroup/PolicyGroupExpression/NetworkMacro/Internet Policy Group/Enterprise Network)

Charateristics

Format: free
SDK attribute: networkID

networkType enum filterable   orderable  
Discussion

Type of the destination endpoint (Subnet/Zone/PortGroup/PolicyGroupExpression/NetworkMacro/Internet Policy Group/Enterprise Network)

Charateristics

Allowed values: ANY, ENTERPRISE_NETWORK, NETWORK_MACRO_GROUP, PGEXPRESSION, POLICYGROUP, SUBNET, UNDERLAY_INTERNET_POLICYGROUP, ZONE
Default value: ANY
SDK attribute: networkType

overlayMirrorDestinationID string
Discussion

ID of the overlay mirror destination

Charateristics

Format: free
SDK attribute: overlayMirrorDestinationID

policyState enum read only   filterable   orderable  
Discussion

State of the policy.

Charateristics

Allowed values: DRAFT, LIVE
SDK attribute: policyState

priority integer filterable   orderable  
Discussion

The priority of the rule entry that determines the order of entries

Charateristics

Max value: 1000000000
SDK attribute: priority

protocol string filterable   orderable  
Discussion

Protocol number that must be matched

Charateristics

Format: free
SDK attribute: protocol

sourcePort string filterable   orderable  
Discussion

Source port to be matched if protocol is UDP or TCP. Value should be either * or a single port number or a port range like 1,2.. or 1 - 10

Charateristics

Format: free
Max length: 255
SDK attribute: sourcePort

stateful boolean filterable   orderable  
Discussion

True means that this ACL entry is stateful, so there will be a corresponding rule that will be created by OVS in the network. False means that there is no corresponding rule created by OVS in the network.

Charateristics

Default value: false
SDK attribute: stateful

statsID string read only   autogenerated   filterable   orderable  
Discussion

The statsID that is created in the VSD and identifies this Rule Template Entry. This is auto-generated by VSD

Charateristics

Format: free
SDK attribute: statsID

statsLoggingEnabled boolean filterable   orderable  
Discussion

Indicates if stats logging is enabled for this particular template

Charateristics

Default value: false
SDK attribute: statsLoggingEnabled

type enum filterable   orderable  
Discussion

Virtual Firewall Rule Type

Charateristics

Allowed values: THREAT_PREVENTION
SDK attribute: type

webFilterID string orderable  
Discussion

ID of web filter

Charateristics

Format: free
Max length: 255
SDK attribute: webFilterID

webFilterType enum filterable   orderable  
Discussion

Indicates type of web filter being set

Charateristics

Allowed values: WEB_CATEGORY, WEB_DOMAIN_NAME
SDK attribute: webFilterType