editSSLRule

The editSSLRule operation handles configuration related to the SSLRule model.

Description

This API call is not allowed on the standby unit in an HA pair.

Data Parameters

| Parameter | Required | Type | Description |
|---|---|---|---|
| version | False | string | A unique string version assigned by the system when the object is created or modified. No assumption can be made on the format or content of this identifier. The identifier must be provided whenever attempting to modify/delete an existing object. As the version will change every time the object is modified, the value provided in this identifier must match exactly what is present in the system or the request will be rejected. |
| name | True | string | A String object containing the name of the FTDRulebase object. The string can be up to a maximum of 128 characters. |
| ruleId | False | integer | A non-editable Long object which holds the rule ID number of the FTDRulebase object. It is created by the system in the POST request, and the same value must be included in the PUT request. |
| sourceZones | False | [object] | A Set of ZoneBase objects considered as a source zone. Allowed types are: [SecurityZone, TunnelZone] |
| destinationZones | False | [object] | A Set of ZoneBase objects considered as a destination zone. Allowed types are: [SecurityZone, TunnelZone] |
| sourceNetworks | False | [object] | A Set of Network objects considered as a source network. Allowed types are: [Continent, Country, GeoLocation, NetworkObject, NetworkObjectGroup] |
| destinationNetworks | False | [object] | A Set of Network objects considered as a destination network. Allowed types are: [Continent, Country, GeoLocation, NetworkObject, NetworkObjectGroup] |
| sourcePorts | False | [object] | A Set of PortObjectBase objects considered as a source port. Allowed types are: [ICMPv4PortObject, ICMPv6PortObject, PortObjectGroup, ProtocolObject, TCPPortObject, UDPPortObject] |
| destinationPorts | False | [object] | A Set of PortObjectBase objects considered as a destination port. Allowed types are: [ICMPv4PortObject, ICMPv6PortObject, PortObjectGroup, ProtocolObject, TCPPortObject, UDPPortObject] |
| rulePosition | False | integer | Transient field holding the index position for the rule. |
| ruleAction | False | string | An enum that specifies the SSL Rule action. Possible values are: DECRYPT_RE_SIGN (decrypt the traffic, then re-sign and re-encrypt the content using the decryption CA certificate configured in the SSLPolicy); DECRYPT_KNOWN_KEY (decrypt the traffic going to a host using a known certificate and key; to use known-key decryption, you must add the server's certificate and key to the list of known-key certificates in the SSLPolicy); DO_NOT_DECRYPT (do not decrypt the traffic; encrypted connections are subsequently evaluated by the access control policy, which determines the ultimate allow or block decision); BLOCK (drop the connection immediately; the connection is not passed on to the access control policy). |
| eventLogAction | False | string | A mandatory EventLogActionSSL object that defines the logging options for the rule. |
| identitySources | False | [object] | An optional list of TrafficIdentity objects that define traffic matching criteria based on the user or user group that initiated the connection (the source). You must implement an identity policy to use this matching criterion. Allowed types are: [ActiveDirectoryRealm, LDAPRealm, LocalIdentitySource, SpecialRealm, User] |
| users | False | [object] | An optional list of TrafficEntry objects that define traffic matching criteria based on the user or user group that initiated the connection (the source). You must implement an identity policy to use this matching criterion. |
| embeddedAppFilter | False | object | An optional EmbeddedAppFilter object that defines traffic matching criteria based on application filtering criteria. The object must include SSL-enabled applications only, that is, applications tagged as SSL Protocol. |
| urlCategories | False | [object] | A list of URLCategoryMatcher objects for the rule to filter on. Field level constraints: requires URL license. (Note: Additional constraints might exist) |
| subjectDNs | False | [object] | A list of DistinguishedNameBase objects to filter on, based on the subject DN field of the presented server certificate. Allowed types are: [DistinguishedName, DistinguishedNameGroup] |
| issuerDNs | False | [object] | A list of DistinguishedNameBase objects to filter on, based on the issuer DN field of the presented server certificate. Allowed types are: [DistinguishedName, DistinguishedNameGroup] |
| certificateStatus | True | object | A CertificateStatus object that defines filtering based on server certificate validity. Field level constraints: cannot be null. (Note: Additional constraints might exist) |
| syslogServer | False | object | An optional SyslogServer object. Specify a syslog server if you want a copy of events to be sent to an external syslog server. Allowed types are: [SyslogServer] |
| sslv3 | True | boolean | A Boolean value, TRUE (the default) or FALSE. TRUE indicates the rule can be applied to SSL v3 traffic. At least one version of SSL/TLS must be set to TRUE. Field level constraints: cannot be null. (Note: Additional constraints might exist) |
| tls10 | True | boolean | A Boolean value, TRUE (the default) or FALSE. TRUE indicates the rule can be applied to TLS v1.0 traffic. At least one version of SSL/TLS must be set to TRUE. Field level constraints: cannot be null. (Note: Additional constraints might exist) |
| tls11 | True | boolean | A Boolean value, TRUE (the default) or FALSE. TRUE indicates the rule can be applied to TLS v1.1 traffic. At least one version of SSL/TLS must be set to TRUE. Field level constraints: cannot be null. (Note: Additional constraints might exist) |
| tls12 | True | boolean | A Boolean value, TRUE (the default) or FALSE. TRUE indicates the rule can be applied to TLS v1.2 traffic. At least one version of SSL/TLS must be set to TRUE. Field level constraints: cannot be null. (Note: Additional constraints might exist) |
| id | False | string | A unique string identifier assigned by the system when the object is created. No assumption can be made on the format or content of this identifier. The identifier must be provided whenever attempting to modify/delete (or reference) an existing object. Field level constraints: must match pattern `^((?!;).)*$`. (Note: Additional constraints might exist) |
| type | True | string | A UTF8 string, all letters lower-case, that represents the class-type. This corresponds to the class name. |

Path Parameters

| Parameter | Required | Type | Description |
|---|---|---|---|
| parentId | True | string | |
| objId | True | string | |

Query Parameters

| Parameter | Required | Type | Description |
|---|---|---|---|
| at | False | integer | An integer representing where to add the new object in the ordered list. Use 0 to add it at the beginning of the list. If not specified, it will be added at the end of the list. |

Example

- name: Execute 'editSSLRule' operation
  ftd_configuration:
    operation: "editSSLRule"
    data:
        version: "{{ version }}"
        name: "{{ name }}"
        ruleId: "{{ rule_id }}"
        sourceZones: "{{ source_zones }}"
        destinationZones: "{{ destination_zones }}"
        sourceNetworks: "{{ source_networks }}"
        destinationNetworks: "{{ destination_networks }}"
        sourcePorts: "{{ source_ports }}"
        destinationPorts: "{{ destination_ports }}"
        rulePosition: "{{ rule_position }}"
        ruleAction: "{{ rule_action }}"
        eventLogAction: "{{ event_log_action }}"
        identitySources: "{{ identity_sources }}"
        users: "{{ users }}"
        embeddedAppFilter: "{{ embedded_app_filter }}"
        urlCategories: "{{ url_categories }}"
        subjectDNs: "{{ subject_d_ns }}"
        issuerDNs: "{{ issuer_d_ns }}"
        certificateStatus: "{{ certificate_status }}"
        syslogServer: "{{ syslog_server }}"
        sslv3: "{{ sslv3 }}"
        tls10: "{{ tls10 }}"
        tls11: "{{ tls11 }}"
        tls12: "{{ tls12 }}"
        id: "{{ id }}"
        type: "{{ type }}"
    path_params:
        parentId: "{{ parent_id }}"
        objId: "{{ obj_id }}"
    query_params:
        at: "{{ at }}"
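As an added example (not part of this page and not code from the ftd_configuration module), the following Python checks an editSSLRule data payload against the constraints the parameter table documents before the task is run, and then assembles the same task structure shown in the example above. The sample payload, its placeholder identifiers, the `sslrule` type name and the shape of the certificateStatus body are assumptions made for illustration.

```python
import re

# Constraints transcribed from the editSSLRule parameter table on this page.
RULE_ACTIONS = {"DECRYPT_RE_SIGN", "DECRYPT_KNOWN_KEY", "DO_NOT_DECRYPT", "BLOCK"}
PROTOCOL_FLAGS = ("sslv3", "tls10", "tls11", "tls12")
REQUIRED_FIELDS = ("name", "certificateStatus", "type") + PROTOCOL_FLAGS
ID_PATTERN = re.compile(r"^((?!;).)*$")  # the documented pattern: no semicolon anywhere
MAX_NAME_LEN = 128


def validate_ssl_rule(data):
    """Return the list of constraint violations in an editSSLRule data payload.

    An empty list means the payload satisfies every constraint the table documents;
    the device may still reject it for reasons the table only hints at
    ("Additional constraints might exist").
    """
    errors = []

    # Fields the table marks Required=True / "cannot be null".
    for key in REQUIRED_FIELDS:
        if data.get(key) is None:
            errors.append(f"{key}: required and cannot be null")

    # An edit modifies an existing object: the system-assigned id and version must be
    # echoed back (a stale version is rejected), and ruleId must repeat the POST value.
    for key in ("id", "version", "ruleId"):
        if data.get(key) is None:
            errors.append(f"{key}: must be supplied when editing an existing rule")

    name = data.get("name")
    if isinstance(name, str) and len(name) > MAX_NAME_LEN:
        errors.append(f"name: {len(name)} characters exceeds the {MAX_NAME_LEN} maximum")

    action = data.get("ruleAction")
    if action is not None and action not in RULE_ACTIONS:
        errors.append(f"ruleAction: {action!r} is not one of {sorted(RULE_ACTIONS)}")

    # All four version flags are required, and at least one must be TRUE,
    # otherwise the rule can never match any connection.
    flags = {f: data.get(f) for f in PROTOCOL_FLAGS}
    if all(v is not None for v in flags.values()):
        if not all(isinstance(v, bool) for v in flags.values()):
            errors.append("sslv3/tls10/tls11/tls12: must be booleans")
        elif not any(flags.values()):
            errors.append("at least one of sslv3/tls10/tls11/tls12 must be TRUE")

    obj_id = data.get("id")
    if isinstance(obj_id, str) and not ID_PATTERN.match(obj_id):
        errors.append("id: must match ^((?!;).)*$ (semicolons are not allowed)")

    type_name = data.get("type")
    if isinstance(type_name, str) and type_name != type_name.lower():
        errors.append("type: all letters must be lower-case")

    return errors


def build_edit_task(data, parent_id, obj_id, at=None):
    """Assemble the ftd_configuration task from the page's example, refusing bad payloads."""
    errors = validate_ssl_rule(data)
    if errors:
        raise ValueError("invalid editSSLRule payload: " + "; ".join(errors))
    task = {
        "name": "Execute 'editSSLRule' operation",
        "ftd_configuration": {
            "operation": "editSSLRule",
            "data": data,
            "path_params": {"parentId": parent_id, "objId": obj_id},
        },
    }
    if at is not None:  # optional query parameter, as in the page's example
        task["ftd_configuration"]["query_params"] = {"at": at}
    return task


# Constructed sample payload. The identifiers are placeholders, not values from a real
# device, and the certificateStatus body is an assumed shape (only its presence is checked).
SAMPLE_RULE = {
    "version": "PLACEHOLDER-VERSION",
    "id": "PLACEHOLDER-RULE-ID",
    "ruleId": 1,
    "name": "decrypt-outbound-finance",
    "ruleAction": "DECRYPT_RE_SIGN",
    "certificateStatus": {"type": "certificatestatus"},
    "sslv3": False,
    "tls10": False,
    "tls11": False,
    "tls12": True,
    "type": "sslrule",  # assumed: the lower-case class name, per the "type" description
}

if __name__ == "__main__":
    print(validate_ssl_rule(SAMPLE_RULE))  # []
    print(build_edit_task(SAMPLE_RULE, "PLACEHOLDER-POLICY-ID", "PLACEHOLDER-RULE-ID", at=0))
```

Running the validator locally catches the two mistakes that otherwise only surface as a rejected request: a payload whose version no longer matches the object on the device, and a rule with every SSL/TLS version flag set to FALSE, which the device accepts nothing for.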