AccessRule
Description
An object containing an access control rule which is an entry in the access-control policy or rule-container table. (Note: The field level constraints listed here might not cover all the constraints on the field. Additional constraints might exist.)
Supported Operations
Model Properties
| Property | Required | Type | Description | |||
|---|---|---|---|---|---|---|
| version | False | string | A unique string version assigned by the system when the object is created or modified. No assumption can be made on the format or content of this identifier. The identifier must be provided whenever attempting to modify/delete an existing object. As the version will change every time the object is modified, the value provided in this identifier must match exactly what is present in the system or the request will be rejected. | |||
| name | True | string | A String object containing the name of the FTDRulebase object. The string can be upto a maximum of 128 characters | |||
| ruleId | False | integer | A non editable Long object which holds the rule ID number of the FTDRulebase object. It is created by the system in the POST request, and the same value must be included in the PUT request. | |||
| sourceZones | False | [object] | A Set of ZoneBase objects considered as a source zone. Allowed types are: [SecurityZone, TunnelZone] |
|||
| destinationZones | False | [object] | A Set of ZoneBase objects considered considered as a destination zone. Allowed types are: [SecurityZone, TunnelZone] |
|||
| sourceNetworks | False | [object] | A Set of Network objects considered as a source network. Allowed types are: [Continent, Country, GeoLocation, NetworkObject, NetworkObjectGroup] |
|||
| destinationNetworks | False | [object] | A Set of Network objects considered as a destination network. Allowed types are: [Continent, Country, GeoLocation, NetworkObject, NetworkObjectGroup] |
|||
| sourcePorts | False | [object] | A Set of PortObjectBase objects considered as a source port. Allowed types are: [ICMPv4PortObject, ICMPv6PortObject, PortObjectGroup, ProtocolObject, TCPPortObject, UDPPortObject] |
|||
| destinationPorts | False | [object] | A Set of PortObjectBase objects considered as a destination port. Allowed types are: [ICMPv4PortObject, ICMPv6PortObject, PortObjectGroup, ProtocolObject, TCPPortObject, UDPPortObject] |
|||
| rulePosition | False | integer | Transient field holding the index position for the rule | |||
| ruleAction | False | string | A mandatory AcRuleAction object that defines the Access Control Rule action. Possible values are: PERMIT TRUST DENY |
|||
| eventLogAction | False | string | A mandatory EventLogAction object that defines the logging options for the rule. Possible values are: LOG_FLOW_START: (Not supported) LOG_FLOW_END: Log at the end of connection LOG_BOTH: Log at the beginning and end of connection LOG_NONE: Do not log connection |
|||
| identitySources | False | [object] | A Set object containing TrafficIdentity objects. A TrafficIdentity object represents an ActiveDirectoryRealm or LocalIdentitySource Allowed types are: [ActiveDirectoryRealm, LDAPRealm, LocalIdentitySource, SpecialRealm, User] |
|||
| users | False | [object] | A Set object containing TrafficEntry objects. A TrafficEntry object represents a User/Group of an Active Directory(AD). | |||
| embeddedAppFilter | False | object | An optional EmbeddedAppFilter object. Providing an object will make the rule be applied only to traffic matching provided app filter's condition(s). | |||
| urlFilter | False | object | An optional EmbeddedURLFilter object. Providing an object will make the rule be applied only to traffic matching provided url filter's condition(s). | |||
| intrusionPolicy | False | object | An optional IntrusionPolicy object. Specify an IntrusionPolicy object if you would like the traffic passing through the rule be inspected by the IP object. Field level constraints: requires threat license. (Note: Additional constraints might exist) Allowed types are: [IntrusionPolicy] |
|||
| filePolicy | False | object | An optional FilePolicy object. Providing an object will make the rul be applied only to traffic matching the provided file policy's condition(s). Allowed types are: [FilePolicy] |
|||
| logFiles | False | boolean | An optional Boolean object. Logs files matching to the current rule if set to true. Default option is false | |||
| syslogServer | False | object | An optional SyslogServer object. Specify a syslog server if you want a copy of events matching the current rule to be sent to an external syslog server. Allowed types are: [SyslogServer] |
|||
| hitCount | False | object | Hit count for a rule | |||
| destinationDynamicObjects | False | [object] | An optional set of DynamicObject objects to match for destination traffic criteria. Allowed types are: [SGTDynamicObject] |
|||
| sourceDynamicObjects | False | [object] | An optional set of DynamicObject objects to match for source traffic criteria. Allowed types are: [SGTDynamicObject] |
|||
| timeRangeObjects | False | [object] | An Optional TimeRange Object that specifies a time range Allowed types are: [TimeRangeObject] |
|||
| id | False | string | A unique string identifier assigned by the system when the object is created. No assumption can be made on the format or content of this identifier. The identifier must be provided whenever attempting to modify/delete (or reference) an existing object. Field level constraints: must match pattern ^((?!;).)*$. (Note: Additional constraints might exist) |
|||
| type | True | string | A UTF8 string, all letters lower-case, that represents the class-type. This corresponds to the class name. | |||