upsertAccessRule
The upsertAccessRule operation creates an AccessRule object, or updates the existing one that matches the upsert filter (by default, the rule name), under the access policy identified by parentId.
Data Parameters
Parameter | Required | Type | Description
---|---|---|---
version | False | string | A unique string version assigned by the system when the object is created or modified. No assumption can be made on the format or content of this identifier. The identifier must be provided whenever attempting to modify/delete an existing object. As the version will change every time the object is modified, the value provided in this identifier must match exactly what is present in the system or the request will be rejected.
name | False | string | A String object containing the name of the FTDRulebase object. The string can be up to a maximum of 128 characters. Field level constraints: cannot be null, length must be between 0 and 128 (inclusive), cannot have HTML, must match pattern `(^[a-zA-Z0-9]$)\|(^[a-zA-Z0-9][ a-zA-Z0-9.+-]*[a-zA-Z0-9.+-]$)`. (Note: Additional constraints might exist)
ruleId | False | integer | A Long object which holds the rule ID number of the FTDRulebase object.
sourceZones | False | [object] | A Set of ZoneBase objects considered as a source zone. Allowed types are: [SecurityZone, TunnelZone]
destinationZones | False | [object] | A Set of ZoneBase objects considered as a destination zone. Allowed types are: [SecurityZone, TunnelZone]
sourceNetworks | False | [object] | A Set of Network objects considered as a source network. Allowed types are: [Continent, Country, GeoLocation, NetworkObject, NetworkObjectGroup]
destinationNetworks | False | [object] | A Set of Network objects considered as a destination network. Allowed types are: [Continent, Country, GeoLocation, NetworkObject, NetworkObjectGroup]
sourcePorts | False | [object] | A Set of PortObjectBase objects considered as a source port. Allowed types are: [ICMPv4PortObject, ICMPv6PortObject, ProtocolObject, TCPPortObject, UDPPortObject, PortObjectGroup]
destinationPorts | False | [object] | A Set of PortObjectBase objects considered as a destination port. Allowed types are: [ICMPv4PortObject, ICMPv6PortObject, ProtocolObject, TCPPortObject, UDPPortObject, PortObjectGroup]
ruleAction | False | string | A mandatory AcRuleAction object that defines the Access Control Rule action. Possible values are: PERMIT, TRUST, DENY
eventLogAction | False | string | A mandatory EventLogAction object that defines the logging options for the rule.
vlanTags | False | [object] | A Set object of VlanTags associated with the rule. Allowed types are: [VlanTag, VlanTagGroup]
users | False | [object] | A Set object containing TrafficIdentity objects. A TrafficIdentity object represents a User/Group of an Active Directory (AD). Allowed types are: [LDAPRealm, ActiveDirectoryRealm, SpecialRealm, TrafficUser, TrafficUserGroup]
embeddedAppFilter | False | object | An optional EmbeddedAppFilter object. Providing an object will make the rule apply only to traffic matching the provided app filter's condition(s).
urlFilter | False | object | An optional EmbeddedURLFilter object. Providing an object will make the rule apply only to traffic matching the provided URL filter's condition(s).
intrusionPolicy | False | object | An optional IntrusionPolicy object. Specify an IntrusionPolicy object if you would like the traffic passing through the rule to be inspected by that policy. Field level constraints: requires threat license. (Note: Additional constraints might exist) Allowed types are: [IntrusionPolicy]
filePolicy | False | object | An optional FilePolicy object. Providing an object will make the rule apply only to traffic matching the provided file policy's condition(s). Field level constraints: requires malware license. (Note: Additional constraints might exist) Allowed types are: [FilePolicy]
logFiles | False | boolean | An optional Boolean object. Logs files matching the current rule if set to true. Default is false.
syslogServer | False | object | An optional SyslogServer object. Specify a syslog server if you want a copy of events matching the current rule to be sent to an external syslog server. Allowed types are: [SyslogServer]
id | False | string | A unique string identifier assigned by the system when the object is created. No assumption can be made on the format or content of this identifier. The identifier must be provided whenever attempting to modify/delete (or reference) an existing object. Field level constraints: must match pattern `^((?!;).)*$`, cannot have HTML. (Note: Additional constraints might exist)
type | False | string | A UTF8 string, all letters lower-case, that represents the class-type. This corresponds to the class name.
Path Parameters
Parameter | Required | Type | Description
---|---|---|---
parentId | True | string |
Query Parameters
Parameter | Required | Type | Description
---|---|---|---
at | False | integer |
filter | False | string | Default filtering for Upsert operation is done by name.
Example
```yaml
- name: Execute 'upsertAccessRule' operation
  ftd_configuration:
    operation: "upsertAccessRule"
    data:
      version: "{{ version }}"
      name: "{{ name }}"
      ruleId: "{{ rule_id }}"
      sourceZones: "{{ source_zones }}"
      destinationZones: "{{ destination_zones }}"
      sourceNetworks: "{{ source_networks }}"
      destinationNetworks: "{{ destination_networks }}"
      sourcePorts: "{{ source_ports }}"
      destinationPorts: "{{ destination_ports }}"
      ruleAction: "{{ rule_action }}"
      eventLogAction: "{{ event_log_action }}"
      vlanTags: "{{ vlan_tags }}"
      users: "{{ users }}"
      embeddedAppFilter: "{{ embedded_app_filter }}"
      urlFilter: "{{ url_filter }}"
      intrusionPolicy: "{{ intrusion_policy }}"
      filePolicy: "{{ file_policy }}"
      logFiles: "{{ log_files }}"
      syslogServer: "{{ syslog_server }}"
      id: "{{ id }}"
      type: "{{ type }}"
    path_params:
      parentId: "{{ parent_id }}"
    query_params:
      at: "{{ at }}"
      filter: "{{ filter }}"
```
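The generic example above passes every field as a variable. The following task list is an added example, not part of the module documentation, that shows a concrete and idempotent use of upsertAccessRule: it resolves the access policy, the source and destination security zones, a network object and a syslog server by name, then upserts a DENY rule that blocks traffic from the outside zone to an internal server and forwards every matching event to that syslog server. The object names (NGFW-Access-Policy, outside_zone, inside_zone, Internal-Server, SIEM-Collector) and the rule name are assumptions for illustration; the lookup operations (getAccessPolicyList, getSecurityZoneList, getNetworkObjectList, getSyslogServerList) and the module's `filters` and `register_as` parameters are taken from the FTD REST API and the ftd_configuration module rather than from this page, and the eventLogAction value LOG_BOTH comes from the FTD EventLogAction enum, which the table above does not enumerate.

```yaml
# Added example (not from the module docs): deny-and-log rule via upsertAccessRule.
# Each lookup stores the matching objects as a fact; the rule body then references
# them by id/type/name, which is how FTD expects object references to be passed.
- name: Look up the access policy that will own the rule
  ftd_configuration:
    operation: getAccessPolicyList
    filters:
      name: NGFW-Access-Policy          # assumed policy name
    register_as: access_policy

- name: Look up the outside (source) security zone
  ftd_configuration:
    operation: getSecurityZoneList
    filters:
      name: outside_zone                # assumed zone name
    register_as: outside_zone

- name: Look up the inside (destination) security zone
  ftd_configuration:
    operation: getSecurityZoneList
    filters:
      name: inside_zone                 # assumed zone name
    register_as: inside_zone

- name: Look up the network object for the protected server
  ftd_configuration:
    operation: getNetworkObjectList
    filters:
      name: Internal-Server             # assumed network object name
    register_as: internal_server

- name: Look up the syslog server that should receive rule events
  ftd_configuration:
    operation: getSyslogServerList
    filters:
      name: SIEM-Collector              # assumed syslog server name
    register_as: siem_syslog

# Upsert matches an existing rule by name (the default upsert filter), so
# re-running the play updates this rule in place instead of creating a duplicate.
- name: Upsert the deny-and-log rule
  ftd_configuration:
    operation: upsertAccessRule
    data:
      name: Deny-outside-to-internal-server   # assumed rule name; must satisfy the name pattern
      type: accessrule
      ruleAction: DENY
      eventLogAction: LOG_BOTH          # FTD EventLogAction enum value (assumed here)
      sourceZones:
        - id: "{{ outside_zone[0].id }}"
          type: "{{ outside_zone[0].type }}"
          name: "{{ outside_zone[0].name }}"
      destinationZones:
        - id: "{{ inside_zone[0].id }}"
          type: "{{ inside_zone[0].type }}"
          name: "{{ inside_zone[0].name }}"
      destinationNetworks:
        - id: "{{ internal_server[0].id }}"
          type: "{{ internal_server[0].type }}"
          name: "{{ internal_server[0].name }}"
      syslogServer:
        id: "{{ siem_syslog[0].id }}"
        type: "{{ siem_syslog[0].type }}"
        name: "{{ siem_syslog[0].name }}"
    path_params:
      parentId: "{{ access_policy[0].id }}"
```

The tasks assume the play targets an FTD device over the httpapi connection that the ftd_configuration module uses. Because upsert keys on the rule name, the name is the rule's identity from the playbook's point of view: changing it creates a second rule rather than renaming the first, so a rename should be done as a delete of the old rule followed by an upsert of the new one. The version field is deliberately left out, since upsert fetches the current object and its version before updating; the rule still needs to be deployed to take effect on the device.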