upsertIdentityRule
The upsertIdentityRule operation handles configuration related to the IdentityRule model: it creates the identity rule if no match exists, otherwise it updates the existing one.
Description
This API call is not allowed on the standby unit in an HA pair.
Data Parameters
Parameter | Required | Type | Description
---|---|---|---
version | False | string | A unique string version assigned by the system when the object is created or modified. No assumption can be made on the format or content of this identifier. The identifier must be provided whenever attempting to modify/delete an existing object. As the version changes every time the object is modified, the value provided must match exactly what is present in the system or the request will be rejected.
name | True | string | A UTF string containing the name for the identity rule. The string can be up to 120 characters.
ruleId | False | integer | A unique ID across all Identity rules on a single device.
sourceZones | False | [object] | An optional list of security zone objects containing the interfaces through which matching traffic enters the device. Allowed types are: [SecurityZone, TunnelZone]
destinationZones | False | [object] | An optional list of security zone objects containing the interfaces through which matching traffic leaves the device. Allowed types are: [SecurityZone, TunnelZone]
sourceNetworks | False | [object] | An optional list of network objects or geographical locations that define the network addresses or locations from which matching traffic enters the device. Allowed types are: [Continent, Country, GeoLocation, NetworkObject, NetworkObjectGroup]
destinationNetworks | False | [object] | An optional list of network objects or geographical locations that define the network addresses or locations to which matching traffic leaves the device. Allowed types are: [Continent, Country, GeoLocation, NetworkObject, NetworkObjectGroup]
sourcePorts | False | [object] | An optional list of port objects that define the protocols and ports matched on the source side of traffic entering the device. Allowed types are: [ICMPv4PortObject, ICMPv6PortObject, PortObjectGroup, ProtocolObject, TCPPortObject, UDPPortObject]
destinationPorts | False | [object] | An optional list of port objects that define the protocols and ports matched on the destination side of traffic leaving the device. Allowed types are: [ICMPv4PortObject, ICMPv6PortObject, PortObjectGroup, ProtocolObject, TCPPortObject, UDPPortObject]
realm | False | object | A directory realm and server that contains the user accounts for the network, or a Realm Sequence object that contains an ordered list of realms. Allowed types are: [ActiveDirectoryRealm, LDAPRealm, RealmSequence, SpecialRealm]
guestAccessFallback | False | boolean | A Boolean value, TRUE or FALSE. TRUE marks users who fail authentication as Guest users. FALSE marks users who fail authentication as Failed Authentication.
authType | False | string | An enum value that specifies the active authentication method (type) supported by the directory server. Values can be one of the following. HTTP Basic - Authenticate users using an unencrypted HTTP Basic Authentication (BA) connection. This is the default. Users log in to the network using their browser's default authentication popup window. NTLM - Authenticate users using an NT LAN Manager (NTLM) connection. This setting is available only with an AD realm. Users log in to the network using their browser's default authentication popup window, although you can configure IE and Firefox browsers to authenticate transparently using their Windows domain login. HTTP Negotiate - Allow the device to negotiate the method between the user agent (the application the user is using to initiate the traffic flow) and the Active Directory server. Negotiation results in the strongest commonly supported method being used, in order: NTLM, then basic. Users log in to the network using their browser's default authentication popup window. HTTP Response Page - Prompt users to authenticate using a system-provided web page. This is a form of HTTP Basic authentication.
action | True | string | An enum value that specifies the authentication action for directory servers. Values can be one of the following. ACTIVE - Use active authentication to determine user identity; applies to HTTP traffic only. PASSIVE - Use passive authentication to determine user identity. NO_AUTH - Do not obtain user identity. Identity-based access rules will not be applied to this traffic. These users are marked as No Authentication Required. Field level constraints: cannot be null. (Note: Additional constraints might exist)
enabled | False | boolean | A Boolean value, TRUE (the default) or FALSE. TRUE indicates that the rule is active. FALSE indicates the rule is not active and not in use.
rulePosition | False | integer | Transient field holding the index position for the rule.
id | False | string | A unique string identifier assigned by the system when the object is created. No assumption can be made on the format or content of this identifier. The identifier must be provided whenever attempting to modify/delete (or reference) an existing object. Field level constraints: must match pattern ^((?!;).)*$. (Note: Additional constraints might exist)
type | True | string | A UTF8 string, all letters lower-case, that represents the class-type. This corresponds to the class name.
Path Parameters
Parameter | Required | Type | Description
---|---|---|---
parentId | True | string | Identifier of the parent object under which the identity rule is created or updated.
Query Parameters
Parameter | Required | Type | Description
---|---|---|---
at | False | integer | An integer representing where to add the new object in the ordered list. Use 0 to add it at the beginning of the list. If not specified, it will be added at the end of the list.
filter | False | string | The criteria used to filter the models you are requesting. It should have the following format: {key}{operator}{value}[;{key}{operator}{value}]. Supported operators are: "!" (not equals), ":" (equals), "~" (similar). Supported keys are: "name", "fts". The "fts" filter cannot be used with other filters. Default filtering for the Upsert operation is done by name.
Example
```yaml
- name: Execute 'upsertIdentityRule' operation
  ftd_configuration:
    operation: "upsertIdentityRule"
    data:
      version: "{{ version }}"
      name: "{{ name }}"
      ruleId: "{{ rule_id }}"
      sourceZones: "{{ source_zones }}"
      destinationZones: "{{ destination_zones }}"
      sourceNetworks: "{{ source_networks }}"
      destinationNetworks: "{{ destination_networks }}"
      sourcePorts: "{{ source_ports }}"
      destinationPorts: "{{ destination_ports }}"
      realm: "{{ realm }}"
      guestAccessFallback: "{{ guest_access_fallback }}"
      authType: "{{ auth_type }}"
      action: "{{ action }}"
      enabled: "{{ enabled }}"
      rulePosition: "{{ rule_position }}"
      id: "{{ id }}"
      type: "{{ type }}"
    path_params:
      parentId: "{{ parent_id }}"
    query_params:
      at: "{{ at }}"
      filter: "{{ filter }}"
```
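The following Python is an added example, not part of this reference or of the ftd_configuration module. It applies the constraints the tables above state (required fields, the 120-character name limit, the action and authType enums, the NTLM-only-with-AD-realm restriction, the id pattern, the lower-case type) to a payload before it is sent, and parses the `filter` query parameter syntax `{key}{operator}{value}[;...]`, rejecting an `fts` clause combined with other clauses. The function names, the sample values, and the assumption that a realm object carries its lower-cased class name (`activedirectoryrealm`) in `type` are the example's own, not taken from the page.

```python
import re

# Constraints copied from the parameter tables on this page.
NAME_MAX_LEN = 120
ID_PATTERN = re.compile(r"^((?!;).)*$")          # id may not contain ';'
ACTIONS = {"ACTIVE", "PASSIVE", "NO_AUTH"}
AUTH_TYPES = {"HTTP Basic", "NTLM", "HTTP Negotiate", "HTTP Response Page"}
REQUIRED_FIELDS = ("name", "action", "type")
FILTER_OPERATORS = {"!": "not_equals", ":": "equals", "~": "similar"}

# One filter clause: {key}{operator}{value}; keys and operators per the page.
_CLAUSE_RE = re.compile(r"^(name|fts)([!:~])(.*)$", re.DOTALL)


def validate_identity_rule(data: dict) -> list:
    """Return the list of constraint violations for an upsert payload (empty == OK)."""
    errors = []
    for field in REQUIRED_FIELDS:
        if data.get(field) is None:
            errors.append(f"{field}: required field is missing")

    name = data.get("name")
    if isinstance(name, str) and len(name) > NAME_MAX_LEN:
        errors.append(f"name: longer than {NAME_MAX_LEN} characters")

    action = data.get("action")
    if action is not None and action not in ACTIONS:
        errors.append(f"action: {action!r} is not one of {sorted(ACTIONS)}")

    auth_type = data.get("authType")
    if auth_type is not None and auth_type not in AUTH_TYPES:
        errors.append(f"authType: {auth_type!r} is not one of {sorted(AUTH_TYPES)}")
    # NTLM is only available with an AD realm. Assumption (not stated on the page):
    # the realm object carries its class name, lower-cased, in its "type" field.
    realm = data.get("realm") or {}
    if auth_type == "NTLM" and str(realm.get("type", "")).lower() != "activedirectoryrealm":
        errors.append("authType: NTLM requires an ActiveDirectoryRealm realm")

    obj_id = data.get("id")
    if obj_id is not None and not ID_PATTERN.match(obj_id):
        errors.append("id: must match ^((?!;).)*$ (no ';' allowed)")

    type_name = data.get("type")
    if isinstance(type_name, str) and type_name != type_name.lower():
        errors.append("type: must be all lower-case")
    return errors


def parse_filter(expr: str) -> list:
    """Parse a `filter` query value into (key, operator_name, value) triples."""
    clauses = []
    for raw in expr.split(";"):
        match = _CLAUSE_RE.match(raw)
        if match is None:
            raise ValueError(f"malformed filter clause: {raw!r}")
        key, op, value = match.groups()
        clauses.append((key, FILTER_OPERATORS[op], value))
    # The page: the "fts" filter cannot be used with other filters.
    if any(key == "fts" for key, _, _ in clauses) and len(clauses) > 1:
        raise ValueError("the fts filter cannot be combined with other filters")
    return clauses


if __name__ == "__main__":
    # Constructed sample payload; the values are illustrative, not from the page.
    sample = {
        "name": "hr-portal-users",
        "action": "ACTIVE",
        "authType": "NTLM",
        "realm": {"type": "activedirectoryrealm"},
        "type": "identityrule",
    }
    print(validate_identity_rule(sample))
    print(parse_filter("name~hr;name!legacy"))
```

Running the validator locally before the Ansible task fires turns a rejected API call (or, worse, a silently mis-scoped rule such as an unintended NO_AUTH action) into an explicit error message in the playbook run.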