Virtual firewall rules define intent-based security policy entries that control traffic between sources and destinations in the network. Virtual firewall rules are inherently stateful and are enforced as Ingress/Egress stateful ACLs in Nuage policy enforcement points.
This object has no members.
The name of the parent template for this rule entry
Format: free
SDK attribute: ACLTemplateName
The action of the rule, DROP or FORWARD. Possible values are DROP, FORWARD.
Allowed values: DROP, FORWARD
Default value: FORWARD
SDK attribute: action
Overrides the source IP for Ingress and the destination IP for Egress; macentries will use this address as the match criteria.
Format: free
SDK attribute: addressOverride
In the draft mode, the ACL entry refers to this LiveEntity. In non-drafted mode, this is null.
Format: free
SDK attribute: associatedEgressEntryID
In the draft mode, the ACL entry refers to this LiveEntity. In non-drafted mode, this is null.
Format: free
SDK attribute: associatedIngressEntryID
The UUID of the associated L7 Application Signature
Format: free
SDK attribute: associatedL7ApplicationSignatureID
In the draft mode, the rule entry refers to this LiveEntity. In live mode, this is null.
Format: free
SDK attribute: associatedLiveEntityID
In the draft mode, the ACL entity refers to this live entity parent. In non-drafted mode, this is null.
Format: free
SDK attribute: associatedLiveTemplateID
This property reflects the type of traffic when a rule entry is created using a Service or Service Group. If a protocol and port are specified for the ACL entry, this property has to be empty (null). Supported values are L4_SERVICE, L4_SERVICE_GROUP and empty.
Allowed values: L4_SERVICE, L4_SERVICE_GROUP
SDK attribute: associatedTrafficType
If a traffic type is specified as Service or Service Group, then the associated ID of the Service / Service Group should be specified here.
Format: free
SDK attribute: associatedTrafficTypeID
Description of the rule entry
Format: free
Max length: 255
SDK attribute: description
The destination port to be matched if protocol is UDP or TCP. The value should be either *, a single port number, or a port range like 1,2.. or 1 - 10.
Format: free
Max length: 255
SDK attribute: destinationPort
The name of the domain/domain template for the Rule TemplateName.
Format: free
SDK attribute: domainName
DSCP match condition to be set in the rule. It is either * or from 0-63
Format: free
SDK attribute: DSCP
Metadata objects associated with this entity. This will contain a list of Metadata objects if the API request is made using the special flag to enable the embedded Metadata feature. Only a maximum of Metadata objects is returned based on the value set in the system configuration.
SDK attribute: embeddedMetadata
The name of the enterprise for the domain's parent
Format: free
SDK attribute: enterpriseName
Specify if scope of entity is Data center or Enterprise level
Allowed values: ENTERPRISE, GLOBAL
SDK attribute: entityScope
Ether type of the packet to be matched. etherType can be * or a valid hexadecimal value
Format: free
SDK attribute: etherType
External object ID. Used for integration with third party systems
Format: free
SDK attribute: externalID
Backup datapath option if VNF/VM is down
Allowed values: FAIL_TO_BLOCK, FAIL_TO_WIRE
SDK attribute: failsafeDatapath
Is flow logging enabled for this particular template
Default value: false
SDK attribute: flowLoggingEnabled
The ICMP Code when protocol selected is ICMP.
Format: free
SDK attribute: ICMPCode
The ICMP Type when protocol selected is ICMP.
Format: free
SDK attribute: ICMPType
Overrides the source IPv6 for Ingress and the destination IPv6 for Egress; macentries will use this address as the match criteria.
Format: free
SDK attribute: IPv6AddressOverride
ID of the user who last updated the object.
Format: free
SDK attribute: lastUpdatedBy
Indicates whether the Location Entity of ACL Entry was derived from a L2/L3 Domain template or instance. Possible Values: ENTERPRISENETWORK, NETWORKMACROGROUP, PGEXPRESSION, PGEXPRESSIONTEMPLATE, POLICYGROUP, POLICYGROUPTEMPLATE, PUBLICNETWORK, REDIRECTIONTARGET, REDIRECTIONTARGETTEMPLATE, SUBNET, SUBNETTEMPLATE, ZONE, ZONETEMPLATE.
Allowed values: ENTERPRISENETWORK, NETWORKMACROGROUP, PGEXPRESSION, PGEXPRESSIONTEMPLATE, POLICYGROUP, POLICYGROUPTEMPLATE, PUBLICNETWORK, REDIRECTIONTARGET, REDIRECTIONTARGETTEMPLATE, SUBNET, SUBNETTEMPLATE, ZONE, ZONETEMPLATE
SDK attribute: locationEntityType
The ID of the source endpoint (Subnet/Zone/PortGroup/PolicyGroupExpression/NetworkMacro/Internet Policy Group/Enterprise Network)
Format: free
SDK attribute: locationID
Type of the source endpoint (Subnet/Zone/PortGroup/PolicyGroupExpression/NetworkMacro/Internet Policy Group/Enterprise Network)
Allowed values: ANY, ENTERPRISE_NETWORK, NETWORK_MACRO_GROUP, PGEXPRESSION, POLICYGROUP, SUBNET, UNDERLAY_INTERNET_POLICYGROUP, ZONE
SDK attribute: locationType
ID of the associated Mirror Destination Group.
Format: free
Max length: 255
SDK attribute: mirrorDestinationGroupID
Destination ID of the mirror destination object.
Format: free
SDK attribute: mirrorDestinationID
Indicates whether the Network Entity of ACL Entry was derived from a L2/L3 Domain template or instance. Possible Values: ENTERPRISENETWORK, NETWORKMACROGROUP, PGEXPRESSION, PGEXPRESSIONTEMPLATE, POLICYGROUP, POLICYGROUPTEMPLATE, PUBLICNETWORK, SAASAPPLICATIONGROUP, SUBNET, SUBNETTEMPLATE, ZONE, ZONETEMPLATE.
Allowed values: ENTERPRISENETWORK, NETWORKMACROGROUP, PGEXPRESSION, PGEXPRESSIONTEMPLATE, POLICYGROUP, POLICYGROUPTEMPLATE, PUBLICNETWORK, SAASAPPLICATIONGROUP, SUBNET, SUBNETTEMPLATE, ZONE, ZONETEMPLATE
SDK attribute: networkEntityType
The ID of the destination endpoint (Subnet/Zone/PortGroup/PolicyGroupExpression/NetworkMacro/Internet Policy Group/Enterprise Network)
Format: free
SDK attribute: networkID
Type of the destination endpoint (Subnet/Zone/PortGroup/PolicyGroupExpression/NetworkMacro/Internet Policy Group/Enterprise Network)
Allowed values: ANY, ENTERPRISE_NETWORK, NETWORK_MACRO_GROUP, PGEXPRESSION, POLICYGROUP, SUBNET, UNDERLAY_INTERNET_POLICYGROUP, ZONE
Default value: ANY
SDK attribute: networkType
ID of the overlay mirror destination
Format: free
SDK attribute: overlayMirrorDestinationID
State of the policy.
Allowed values: DRAFT, LIVE
SDK attribute: policyState
The priority of the rule entry that determines the order of entries
Max value: 1000000000
SDK attribute: priority
Protocol number that must be matched
Format: free
SDK attribute: protocol
Source port to be matched if protocol is UDP or TCP. The value should be either *, a single port number, or a port range like 1,2.. or 1 - 10.
Format: free
Max length: 255
SDK attribute: sourcePort
True means that this ACL entry is stateful, so there will be a corresponding rule that will be created by OVS in the network. False means that there is no corresponding rule created by OVS in the network.
Default value: false
SDK attribute: stateful
The statsID that is created in the VSD and identifies this Rule Template Entry. This is auto-generated by VSD
Format: free
SDK attribute: statsID
Indicates if stats logging is enabled for this particular template
Default value: false
SDK attribute: statsLoggingEnabled
Virtual Firewall Rule Type
Allowed values: THREAT_PREVENTION
SDK attribute: type
ID of web filter
Format: free
Max length: 255
SDK attribute: webFilterID
Indicates type of web filter being set
Allowed values: WEB_CATEGORY, WEB_DOMAIN_NAME
SDK attribute: webFilterType
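The constraints listed above can be checked before a rule is submitted. The following is an added example, not code from the Nuage SDK or from this reference: the names `port_ok` and `lint_rule`, the dict-of-attributes input, the 0-65535 port bound and the reading of "1,2.." as a comma-separated list are assumptions.

```python
import re

# Allowed values copied from the attribute reference above.
ALLOWED = {
    "action": {"DROP", "FORWARD"},
    "associatedTrafficType": {"L4_SERVICE", "L4_SERVICE_GROUP"},
    "failsafeDatapath": {"FAIL_TO_BLOCK", "FAIL_TO_WIRE"},
    "policyState": {"DRAFT", "LIVE"},
}
PORT_ITEM = re.compile(r"\s*(\d+)(?:\s*-\s*(\d+))?\s*")

def port_ok(value):
    """Accept '*', one port, a comma list, or a range such as '1 - 10'."""
    if value == "*":
        return True
    if not value or len(value) > 255:          # documented max length
        return False
    for item in value.split(","):
        m = PORT_ITEM.fullmatch(item)
        if not m:
            return False
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if not 0 <= lo <= hi <= 65535:         # assumption: 16-bit bounds
            return False
    return True

def lint_rule(rule):
    """Return findings for one rule given as a dict keyed by SDK attribute."""
    out = []
    for attr, allowed in ALLOWED.items():
        if rule.get(attr) is not None and rule[attr] not in allowed:
            out.append(f"{attr}: {rule[attr]!r} is not an allowed value")
    if rule.get("action") is None:
        out.append("action: omitted, so the documented default FORWARD applies")
    for attr in ("sourcePort", "destinationPort"):
        if rule.get(attr) is not None and not port_ok(rule[attr]):
            out.append(f"{attr}: bad port expression {rule[attr]!r}")
    dscp = rule.get("DSCP")
    if dscp is not None and dscp != "*" and not (str(dscp).isdecimal() and int(dscp) <= 63):
        out.append(f"DSCP: {dscp!r} must be * or 0-63")
    if rule.get("priority") is not None and rule["priority"] > 1_000_000_000:
        out.append("priority: above the documented maximum 1000000000")
    if len(rule.get("description") or "") > 255:
        out.append("description: longer than 255 characters")
    if rule.get("associatedTrafficType"):
        if rule.get("protocol") and (rule.get("sourcePort") or rule.get("destinationPort")):
            out.append("associatedTrafficType: must be empty when protocol and port are set")
        if not rule.get("associatedTrafficTypeID"):
            out.append("associatedTrafficTypeID: required when a traffic type is set")
    return out
```

An empty result means the rule passes these checks only; the server remains the authority on what it accepts.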