upsertSSLRule
The upsertSSLRule operation handles configuration related to SSLRule model.
Data Parameters
| Parameter | Required | Type | Description | ||
|---|---|---|---|---|---|
| version | False | string | A unique string version assigned by the system when the object is created or modified. No assumption can be made on the format or content of this identifier. The identifier must be provided whenever attempting to modify/delete an existing object. As the version will change every time the object is modified, the value provided in this identifier must match exactly what is present in the system or the request will be rejected. | ||
| name | False | string | A String object containing the name of the FTDRulebase object. The string can be upto a maximum of 128 characters Field level constraints: cannot be null, length must be between 0 and 128 (inclusive), cannot have HTML, must match pattern (^[a-zA-Z0-9]$)|(^[a-zA-Z0-9][ a-zA-Z0-9.+-]*[a-zA-Z0-9.+-]$). (Note: Additional constraints might exist) |
||
| ruleId | False | integer | A Long object which holds the rule ID number of the FTDRulebase object. | ||
| sourceZones | False | [object] | A Set of ZoneBase objects considered as a source zone. Allowed types are: [SecurityZone, TunnelZone] |
||
| destinationZones | False | [object] | A Set of ZoneBase objects considered considered as a destination zone. Allowed types are: [SecurityZone, TunnelZone] |
||
| sourceNetworks | False | [object] | A Set of Network objects considered as a source network. Allowed types are: [Continent, Country, GeoLocation, NetworkObject, NetworkObjectGroup] |
||
| destinationNetworks | False | [object] | A Set of Network objects considered as a destination network. Allowed types are: [Continent, Country, GeoLocation, NetworkObject, NetworkObjectGroup] |
||
| sourcePorts | False | [object] | A Set of PortObjectBase objects considered as a source port. Allowed types are: [ICMPv4PortObject, ICMPv6PortObject, ProtocolObject, TCPPortObject, UDPPortObject, PortObjectGroup] |
||
| destinationPorts | False | [object] | A Set of PortObjectBase objects considered as a destination port. Allowed types are: [ICMPv4PortObject, ICMPv6PortObject, ProtocolObject, TCPPortObject, UDPPortObject, PortObjectGroup] |
||
| ruleAction | False | string | An enum that specifies the SSL Rule action. Possible values are: DECRYPT_RE_SIGN - Decrypt the traffic, then resign and re-encrypt the content using the configured decryption CA certificate in SSLPolicy. DECRYPT_KNOWN_KEY - Decrypt the traffic going to a host using a known certificate and key. To use known key decryption, you must add the server's certificate and key to the list of known-key certificates in SSLPolicy. DO_NOT_DECRYPT - Do not decrypt the traffic. Encrypted connections are subsequently evaluated by the access control policy, which determines the ultimate allow or block decision. BLOCK - Drop the connection immediately. The connection is not passed on to the access control policy. |
||
| eventLogAction | False | string | A mandatory EventLogActionSSL object that defines the logging options for the rule. | ||
| users | False | [object] | An optional list of TrafficIdentity objects that define traffic matching criteria based on the user or user group that initiated the connection (the source). You must implement an identity policy to use this matching criteria. Allowed types are: [LDAPRealm, ActiveDirectoryRealm, SpecialRealm, TrafficUser, TrafficUserGroup] |
||
| embeddedAppFilter | False | object | An optional EmbeddedAppFilter object that defines traffic matching criteria based on application filtering criteria. The object must include SSL-enabled applications only, that is, applications tagged as SSL Protocol. | ||
| urlCategories | False | [object] | A list of URLCategoryMatcher objects for rule to filter on Field level constraints: requires URL license. (Note: Additional constraints might exist) |
||
| subjectDNs | False | [object] | A list of DistinguishedNameBase objects to filter on based on presented server certificate subject DN field Allowed types are: [DistinguishedName, DistinguishedNameGroup] |
||
| issuerDNs | False | [object] | A list of DistinguishedNameBase objects to filter on based on presented server certificate issuer DN field Allowed types are: [DistinguishedName, DistinguishedNameGroup] |
||
| certificateStatus | False | object | A CertificateStatus object that defines filtering based on server certificate validity Field level constraints: cannot be null. (Note: Additional constraints might exist) |
||
| syslogServer | False | object | An optional SyslogServer object. Specify a syslog server if you want a copy of events to be sent to an external syslog server. Allowed types are: [SyslogServer] |
||
| sslv3 | False | boolean | A Boolean value, TRUE (the default) or FALSE. The TRUE value indicates the rule can be applied to SSL v3 traffic. At least one version of SSL/TLS must be set to TRUE. Field level constraints: cannot be null. (Note: Additional constraints might exist) |
||
| tls10 | False | boolean | A Boolean value, TRUE (the default) or FALSE. The TRUE value indicates the rule can be applied to TLS v1.0 traffic. At least one version of SSL/TLS must be set to TRUE. Field level constraints: cannot be null. (Note: Additional constraints might exist) |
||
| tls11 | False | boolean | A Boolean value, TRUE (the default) or FALSE. The TRUE value indicates the rule can be applied to TLS v1.1 traffic. At least one version of SSL/TLS must be set to TRUE. Field level constraints: cannot be null. (Note: Additional constraints might exist) |
||
| tls12 | False | boolean | A Boolean value, TRUE (the default) or FALSE. The TRUE value indicates the rule can be applied to TLS v1.2 traffic. At least one version of SSL/TLS must be set to TRUE. Field level constraints: cannot be null. (Note: Additional constraints might exist) |
||
| id | False | string | A unique string identifier assigned by the system when the object is created. No assumption can be made on the format or content of this identifier. The identifier must be provided whenever attempting to modify/delete (or reference) an existing object. Field level constraints: must match pattern ^((?!;).)*$, cannot have HTML. (Note: Additional constraints might exist) |
||
| type | False | string | A UTF8 string, all letters lower-case, that represents the class-type. This corresponds to the class name. | ||
Path Parameters
| Parameter | Required | Type | Description | ||
|---|---|---|---|---|---|
| parentId | True | string | |||
Query Parameters
| Parameter | Required | Type | Description | ||
|---|---|---|---|---|---|
| at | False | integer | |||
| filter | False | string | Default filtering for Upsert operation is done by name. | ||
Example
- name: Execute 'upsertSSLRule' operation
ftd_configuration:
operation: "upsertSSLRule"
data:
version: "{{ version }}"
name: "{{ name }}"
ruleId: "{{ rule_id }}"
sourceZones: "{{ source_zones }}"
destinationZones: "{{ destination_zones }}"
sourceNetworks: "{{ source_networks }}"
destinationNetworks: "{{ destination_networks }}"
sourcePorts: "{{ source_ports }}"
destinationPorts: "{{ destination_ports }}"
ruleAction: "{{ rule_action }}"
eventLogAction: "{{ event_log_action }}"
users: "{{ users }}"
embeddedAppFilter: "{{ embedded_app_filter }}"
urlCategories: "{{ url_categories }}"
subjectDNs: "{{ subject_d_ns }}"
issuerDNs: "{{ issuer_d_ns }}"
certificateStatus: "{{ certificate_status }}"
syslogServer: "{{ syslog_server }}"
sslv3: "{{ sslv3 }}"
tls10: "{{ tls10 }}"
tls11: "{{ tls11 }}"
tls12: "{{ tls12 }}"
id: "{{ id }}"
type: "{{ type }}"
path_params:
parentId: "{{ parent_id }}"
query_params:
at: "{{ at }}"
filter: "{{ filter }}"