addAccessRule
The addAccessRule operation handles configuration related to the AccessRule model.
Description
This API call is not allowed on the standby unit in an HA pair.
Data Parameters
| Parameter | Required | Type | Description |
|---|---|---|---|
| name | True | string | A String object containing the name of the FTDRulebase object. The string can be up to a maximum of 128 characters. |
| sourceZones | False | [object] | A Set of ZoneBase objects considered as a source zone. Allowed types are: [SecurityZone, TunnelZone] |
| destinationZones | False | [object] | A Set of ZoneBase objects considered as a destination zone. Allowed types are: [SecurityZone, TunnelZone] |
| sourceNetworks | False | [object] | A Set of Network objects considered as a source network. Allowed types are: [Continent, Country, GeoLocation, NetworkObject, NetworkObjectGroup] |
| destinationNetworks | False | [object] | A Set of Network objects considered as a destination network. Allowed types are: [Continent, Country, GeoLocation, NetworkObject, NetworkObjectGroup] |
| sourcePorts | False | [object] | A Set of PortObjectBase objects considered as a source port. Allowed types are: [ICMPv4PortObject, ICMPv6PortObject, PortObjectGroup, ProtocolObject, TCPPortObject, UDPPortObject] |
| destinationPorts | False | [object] | A Set of PortObjectBase objects considered as a destination port. Allowed types are: [ICMPv4PortObject, ICMPv6PortObject, PortObjectGroup, ProtocolObject, TCPPortObject, UDPPortObject] |
| rulePosition | False | integer | Transient field holding the index position for the rule. |
| ruleAction | False | string | A mandatory AcRuleAction object that defines the Access Control Rule action. Possible values are: PERMIT, TRUST, DENY |
| eventLogAction | False | string | A mandatory EventLogAction object that defines the logging options for the rule. Possible values are: LOG_FLOW_START (not supported), LOG_FLOW_END (log at the end of the connection), LOG_BOTH (log at the beginning and end of the connection), LOG_NONE (do not log the connection) |
| identitySources | False | [object] | A Set object containing TrafficIdentity objects. A TrafficIdentity object represents an ActiveDirectoryRealm or LocalIdentitySource. Allowed types are: [ActiveDirectoryRealm, LDAPRealm, LocalIdentitySource, SpecialRealm, User] |
| users | False | [object] | A Set object containing TrafficEntry objects. A TrafficEntry object represents a User/Group of an Active Directory (AD). |
| embeddedAppFilter | False | object | An optional EmbeddedAppFilter object. Providing an object restricts the rule to traffic matching the provided app filter's condition(s). |
| urlFilter | False | object | An optional EmbeddedURLFilter object. Providing an object restricts the rule to traffic matching the provided URL filter's condition(s). |
| intrusionPolicy | False | object | An optional IntrusionPolicy object. Specify an IntrusionPolicy object if you want the traffic passing through the rule to be inspected by that policy. Field-level constraints: requires threat license. (Note: additional constraints might exist.) Allowed types are: [IntrusionPolicy] |
| filePolicy | False | object | An optional FilePolicy object. Providing an object restricts the rule to traffic matching the provided file policy's condition(s). Allowed types are: [FilePolicy] |
| logFiles | False | boolean | An optional Boolean object. Logs files matching the current rule if set to true. The default is false. |
| syslogServer | False | object | An optional SyslogServer object. Specify a syslog server if you want a copy of events matching the current rule to be sent to an external syslog server. Allowed types are: [SyslogServer] |
| hitCount | False | object | Hit count for a rule. |
| destinationDynamicObjects | False | [object] | An optional set of DynamicObject objects to match for destination traffic criteria. Allowed types are: [SGTDynamicObject] |
| sourceDynamicObjects | False | [object] | An optional set of DynamicObject objects to match for source traffic criteria. Allowed types are: [SGTDynamicObject] |
| timeRangeObjects | False | [object] | An optional TimeRangeObject that specifies a time range. Allowed types are: [TimeRangeObject] |
| type | True | string | A UTF8 string, all letters lower-case, that represents the class-type. This corresponds to the class name. |
Path Parameters
| Parameter | Required | Type | Description |
|---|---|---|---|
| parentId | True | string | |
Query Parameters
| Parameter | Required | Type | Description |
|---|---|---|---|
| at | False | integer | An integer representing where to add the new object in the ordered list. Use 0 to add it at the beginning of the list. If not specified, it will be added at the end of the list. |
Example
```yaml
- name: Execute 'addAccessRule' operation
  ftd_configuration:
    operation: "addAccessRule"
    data:
      name: "{{ name }}"
      sourceZones: "{{ source_zones }}"
      destinationZones: "{{ destination_zones }}"
      sourceNetworks: "{{ source_networks }}"
      destinationNetworks: "{{ destination_networks }}"
      sourcePorts: "{{ source_ports }}"
      destinationPorts: "{{ destination_ports }}"
      rulePosition: "{{ rule_position }}"
      ruleAction: "{{ rule_action }}"
      eventLogAction: "{{ event_log_action }}"
      identitySources: "{{ identity_sources }}"
      users: "{{ users }}"
      embeddedAppFilter: "{{ embedded_app_filter }}"
      urlFilter: "{{ url_filter }}"
      intrusionPolicy: "{{ intrusion_policy }}"
      filePolicy: "{{ file_policy }}"
      logFiles: "{{ log_files }}"
      syslogServer: "{{ syslog_server }}"
      hitCount: "{{ hit_count }}"
      destinationDynamicObjects: "{{ destination_dynamic_objects }}"
      sourceDynamicObjects: "{{ source_dynamic_objects }}"
      timeRangeObjects: "{{ time_range_objects }}"
      type: "{{ type }}"
    path_params:
      parentId: "{{ parent_id }}"
    query_params:
      at: "{{ at }}"
```
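The skeleton above passes every field through a variable. The following playbook is an added example, not part of the original page, showing how the referenced objects are typically resolved before the rule is created: a DENY rule for a quarantined subnet is inserted at the top of the policy (`at: 0`) with connection logging and a copy sent to a syslog server. The list operations (`getAccessPolicyList`, `getSecurityZoneList`, `getNetworkObjectList`, `getSyslogServerList`), the `filters` argument, the `response['items']` result shape and the `ftd` httpapi connection are assumptions about the same module and are not described on this page; the object names `inside_zone`, `quarantine-net` and `siem-collector` are constructed placeholders.

```yaml
# Added example: block and log a quarantined subnet at the top of an access policy.
# Assumes an inventory group "ftd" using the ftd httpapi connection plugin, and that
# the list operations used below return matching objects in response['items'].
- name: Insert a top-of-policy deny rule for quarantined hosts
  hosts: ftd
  connection: httpapi
  gather_facts: false
  tasks:
    - name: Find the access policy that will own the rule (parentId)
      ftd_configuration:
        operation: getAccessPolicyList
      register: access_policies

    - name: Look up the source zone by name (placeholder name)
      ftd_configuration:
        operation: getSecurityZoneList
        filters:
          name: inside_zone
      register: inside_zone

    - name: Look up the quarantined network object by name (placeholder name)
      ftd_configuration:
        operation: getNetworkObjectList
        filters:
          name: quarantine-net
      register: quarantine_net

    - name: Look up the syslog server that should receive a copy of the events
      ftd_configuration:
        operation: getSyslogServerList
        filters:
          name: siem-collector
      register: siem

    - name: Execute 'addAccessRule' operation
      ftd_configuration:
        operation: addAccessRule
        data:
          # Required fields: name (<= 128 chars) and the lower-case class name as type.
          name: quarantine-block
          type: accessrule
          ruleAction: DENY
          # LOG_FLOW_START is marked "not supported" on this page; LOG_FLOW_END and
          # LOG_BOTH are the supported choices that actually produce a log record.
          eventLogAction: LOG_FLOW_END
          # Sets take whole object references; ['items'] is used instead of .items
          # because .items would resolve to the dict method in Jinja.
          sourceZones:
            - "{{ inside_zone.response['items'][0] }}"
          sourceNetworks:
            - "{{ quarantine_net.response['items'][0] }}"
          syslogServer: "{{ siem.response['items'][0] }}"
        path_params:
          parentId: "{{ access_policies.response['items'][0].id }}"
        query_params:
          # 0 places the rule first so it is evaluated before any permit rule below it.
          at: 0
```

The lookups are kept as separate tasks so that a missing zone or network object fails the play before the rule is created, rather than producing a rule with an empty match set. Because this call is rejected on the standby unit of an HA pair, the `ftd` host in the inventory must point at the active unit.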