addAccessRule
The addAccessRule operation handles configuration related to the AccessRule model.
Description
This API call is not allowed on the standby unit in an HA pair.
Data Parameters
| Parameter | Required | Type | Description |
|---|---|---|---|
| name | True | string | A String object containing the name of the FTDRulebase object. The string can be up to a maximum of 128 characters. |
| sourceZones | False | [ object ] | A Set of ZoneBase objects considered as a source zone. Allowed types are: [ SecurityZone, TunnelZone ] |
| destinationZones | False | [ object ] | A Set of ZoneBase objects considered as a destination zone. Allowed types are: [ SecurityZone, TunnelZone ] |
| sourceNetworks | False | [ object ] | A Set of Network objects considered as a source network. Allowed types are: [ Continent, Country, GeoLocation, NetworkObjectGroup, NetworkObject ] |
| destinationNetworks | False | [ object ] | A Set of Network objects considered as a destination network. Allowed types are: [ Continent, Country, GeoLocation, NetworkObjectGroup, NetworkObject ] |
| sourcePorts | False | [ object ] | A Set of PortObjectBase objects considered as a source port. Allowed types are: [ PortObjectGroup, UDPPortObject, TCPPortObject, ICMPv6PortObject, ICMPv4PortObject, ProtocolObject ] |
| destinationPorts | False | [ object ] | A Set of PortObjectBase objects considered as a destination port. Allowed types are: [ PortObjectGroup, UDPPortObject, TCPPortObject, ICMPv6PortObject, ICMPv4PortObject, ProtocolObject ] |
| rulePosition | False | integer | Transient field holding the index position for the rule. |
| ruleAction | False | string | A mandatory AcRuleAction object that defines the Access Control Rule action. Possible values are: PERMIT, TRUST, DENY |
| eventLogAction | False | string | A mandatory EventLogAction object that defines the logging options for the rule. Possible values are: LOG_FLOW_START (not supported); LOG_FLOW_END: log at the end of the connection; LOG_BOTH: log at the beginning and end of the connection; LOG_NONE: do not log the connection |
| identitySources | False | [ object ] | A Set object containing TrafficIdentity objects. A TrafficIdentity object represents an ActiveDirectoryRealm or LocalIdentitySource. Allowed types are: [ LDAPRealm, ActiveDirectoryRealm, SpecialRealm, User, LocalIdentitySource ] |
| users | False | [ object ] | A Set object containing TrafficEntry objects. A TrafficEntry object represents a User/Group of an Active Directory (AD). |
| embeddedAppFilter | False | object | An optional EmbeddedAppFilter object. Providing an object makes the rule apply only to traffic matching the provided app filter's condition(s). |
| urlFilter | False | object | An optional EmbeddedURLFilter object. Providing an object makes the rule apply only to traffic matching the provided URL filter's condition(s). |
| intrusionPolicy | False | object | An optional IntrusionPolicy object. Specify an IntrusionPolicy object if you want the traffic passing through the rule to be inspected by that intrusion policy. Field level constraints: requires threat license. (Note: additional constraints might exist.) Allowed types are: [ IntrusionPolicy ] |
| filePolicy | False | object | An optional FilePolicy object. Providing an object makes the rule apply only to traffic matching the provided file policy's condition(s). Allowed types are: [ FilePolicy ] |
| logFiles | False | boolean | An optional Boolean object. Logs files matching the current rule if set to true. Default is false. |
| syslogServer | False | object | An optional SyslogServer object. Specify a syslog server if you want a copy of events matching the current rule to be sent to an external syslog server. Allowed types are: [ SyslogServer ] |
| hitCount | False | object | Hit count for a rule. |
| destinationDynamicObjects | False | [ object ] | An optional set of DynamicObject objects to match for destination traffic criteria. Allowed types are: [ SGTDynamicObject ] |
| sourceDynamicObjects | False | [ object ] | An optional set of DynamicObject objects to match for source traffic criteria. Allowed types are: [ SGTDynamicObject ] |
| timeRangeObjects | False | [ object ] | An optional TimeRangeObject that specifies a time range. Allowed types are: [ TimeRangeObject ] |
| type | True | string | A UTF8 string, all letters lower-case, that represents the class-type. This corresponds to the class name. |
Path Parameters
| Parameter | Required | Type | Description |
|---|---|---|---|
| parentId | True | string | |
Query Parameters
| Parameter | Required | Type | Description |
|---|---|---|---|
| at | False | integer | An integer representing where to add the new object in the ordered list. Use 0 to add it at the beginning of the list. If not specified, it will be added at the end of the list. |
Example
```yaml
- name: Execute 'addAccessRule' operation
  ftd_configuration:
    operation: "addAccessRule"
    data:
      name: "{{ name }}"
      sourceZones: "{{ source_zones }}"
      destinationZones: "{{ destination_zones }}"
      sourceNetworks: "{{ source_networks }}"
      destinationNetworks: "{{ destination_networks }}"
      sourcePorts: "{{ source_ports }}"
      destinationPorts: "{{ destination_ports }}"
      rulePosition: "{{ rule_position }}"
      ruleAction: "{{ rule_action }}"
      eventLogAction: "{{ event_log_action }}"
      identitySources: "{{ identity_sources }}"
      users: "{{ users }}"
      embeddedAppFilter: "{{ embedded_app_filter }}"
      urlFilter: "{{ url_filter }}"
      intrusionPolicy: "{{ intrusion_policy }}"
      filePolicy: "{{ file_policy }}"
      logFiles: "{{ log_files }}"
      syslogServer: "{{ syslog_server }}"
      hitCount: "{{ hit_count }}"
      destinationDynamicObjects: "{{ destination_dynamic_objects }}"
      sourceDynamicObjects: "{{ source_dynamic_objects }}"
      timeRangeObjects: "{{ time_range_objects }}"
      type: "{{ type }}"
    path_params:
      parentId: "{{ parent_id }}"
    query_params:
      at: "{{ at }}"
```
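The task above takes every field from variables, so a typo in a variable (an action of `ALLOW`, a network object placed in `sourceZones`, the unsupported `LOG_FLOW_START` log action) is only caught when the device rejects the call. The following Python is an added example, not part of the collection or of the FTD API, that checks a `data` payload against the constraints in the parameter tables before it is handed to `ftd_configuration`, and builds the shape of a logged deny rule inserted at the top of the policy (`at: 0`). It assumes that object references are dictionaries carrying `id` and `type`, with `type` being the lowercase class name as the `type` row describes (so `SecurityZone` becomes `securityzone`), and that `type` for the rule itself is `accessrule`; the sample object ids are placeholders. The table marks `ruleAction` and `eventLogAction` as not required while their descriptions call them mandatory; the validator follows the descriptions.

```python
from typing import Any

RULE_ACTIONS = {"PERMIT", "TRUST", "DENY"}
# LOG_FLOW_START is listed in the parameter table as "(not supported)", so it is rejected here.
EVENT_LOG_ACTIONS = {"LOG_FLOW_END", "LOG_BOTH", "LOG_NONE"}

ZONE_TYPES = {"SecurityZone", "TunnelZone"}
NETWORK_TYPES = {"Continent", "Country", "GeoLocation", "NetworkObjectGroup", "NetworkObject"}
PORT_TYPES = {"PortObjectGroup", "UDPPortObject", "TCPPortObject",
              "ICMPv6PortObject", "ICMPv4PortObject", "ProtocolObject"}
IDENTITY_TYPES = {"LDAPRealm", "ActiveDirectoryRealm", "SpecialRealm", "User", "LocalIdentitySource"}

# Fields that take a set of object references, with the types the table allows for each.
SET_FIELDS = {
    "sourceZones": ZONE_TYPES, "destinationZones": ZONE_TYPES,
    "sourceNetworks": NETWORK_TYPES, "destinationNetworks": NETWORK_TYPES,
    "sourcePorts": PORT_TYPES, "destinationPorts": PORT_TYPES,
    "identitySources": IDENTITY_TYPES,
    "sourceDynamicObjects": {"SGTDynamicObject"}, "destinationDynamicObjects": {"SGTDynamicObject"},
    "timeRangeObjects": {"TimeRangeObject"},
}
# Fields that take a single object reference.
SINGLE_FIELDS = {
    "intrusionPolicy": {"IntrusionPolicy"},
    "filePolicy": {"FilePolicy"},
    "syslogServer": {"SyslogServer"},
}


def _ref_errors(field: str, ref: Any, allowed: set) -> list:
    """Check one object reference: it must carry 'id' and 'type', and the type must be allowed.
    Assumption: references use the lowercase class name in 'type' (e.g. 'securityzone'),
    so the comparison is case-insensitive."""
    if not isinstance(ref, dict) or "id" not in ref or "type" not in ref:
        return [f"{field}: reference must be an object with 'id' and 'type'"]
    if str(ref["type"]).lower() not in {t.lower() for t in allowed}:
        return [f"{field}: type '{ref['type']}' not in {sorted(allowed)}"]
    return []


def validate_access_rule(data: dict, at=None) -> list:
    """Return the list of constraint violations for an addAccessRule payload (empty when OK)."""
    errors = []
    name = data.get("name")
    if not isinstance(name, str) or not name or len(name) > 128:
        errors.append("name: required string of at most 128 characters")
    if data.get("type") != "accessrule":  # assumed lowercase class name of AccessRule
        errors.append("type: must be 'accessrule' (lowercase class name)")
    if data.get("ruleAction") not in RULE_ACTIONS:
        errors.append(f"ruleAction: must be one of {sorted(RULE_ACTIONS)}")
    if data.get("eventLogAction") not in EVENT_LOG_ACTIONS:
        errors.append(f"eventLogAction: must be one of {sorted(EVENT_LOG_ACTIONS)}")
    for field, allowed in SET_FIELDS.items():
        refs = data.get(field, [])
        if not isinstance(refs, list):
            errors.append(f"{field}: must be a list of object references")
            continue
        for ref in refs:
            errors.extend(_ref_errors(field, ref, allowed))
    for field, allowed in SINGLE_FIELDS.items():
        if field in data:
            errors.extend(_ref_errors(field, data[field], allowed))
    if "logFiles" in data and not isinstance(data["logFiles"], bool):
        errors.append("logFiles: must be a boolean")
    if at is not None and (not isinstance(at, int) or at < 0):
        errors.append("at: must be a non-negative integer (0 = top of the list)")
    return errors


def deny_rule_with_logging(name: str, src_zone: dict, dst_zone: dict,
                           dst_networks: list, syslog: dict = None) -> dict:
    """Build the data payload for a DENY rule that logs both ends of the connection,
    optionally copying events to a syslog server. Object references are the caller's."""
    data = {
        "name": name, "type": "accessrule",
        "ruleAction": "DENY", "eventLogAction": "LOG_BOTH",
        "sourceZones": [src_zone], "destinationZones": [dst_zone],
        "destinationNetworks": list(dst_networks),
    }
    if syslog is not None:
        data["syslogServer"] = syslog
    return data


# Constructed sample references; the ids are placeholders, not real device object ids.
OUTSIDE = {"id": "zone-outside-placeholder", "type": "securityzone", "name": "outside"}
INSIDE = {"id": "zone-inside-placeholder", "type": "securityzone", "name": "inside"}
MGMT_NET = {"id": "net-mgmt-placeholder", "type": "networkobject", "name": "mgmt-subnet"}

if __name__ == "__main__":
    rule = deny_rule_with_logging("block-inbound-to-mgmt", OUTSIDE, INSIDE, [MGMT_NET])
    print(validate_access_rule(rule, at=0))  # [] when the payload is well-formed
```

Run the validator on the rendered `data` dictionary (for instance in a small pre-task or a custom filter) and fail the play when it returns anything; the messages name the offending field, which is more useful than the generic error the device returns.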