upsertIkevTwoPolicy
The upsertIkevTwoPolicy operation handles configuration related to IkevTwoPolicy model.
Description
This API call is not allowed on the standby unit in an HA pair.
Data Parameters
| Parameter | Required | Type | Description | |||
|---|---|---|---|---|---|---|
| version | False | string | A unique string version assigned by the system when the object is created or modified. No assumption can be made on the format or content of this identifier. The identifier must be provided whenever attempting to modify/delete an existing object. As the version will change every time the object is modified, the value provided in this identifier must match exactly what is present in the system or the request will be rejected. | |||
| name | True | string | The name of the object, up to 128 characters. | |||
| enabled | True | boolean | A mandatory Boolean value, TRUE or FALSE (the default). The TRUE value enables the policy, which means remote peers can use it when negotiating a site-to-site VPN connection. FALSE indicates that although the policy is defined, remote peers cannot negotiate connections based on the policy. Field level constraints: cannot be null. (Note: Additional constraints might exist) |
|||
| lifeTime | False | integer | An optional integer that defines the lifetime of the security association (SA), in seconds, from 120 to 2147483647, with the typical limit being 86400. When the lifetime is exceeded, the SA expires and must be renegotiated between the two peers. Leave the option as null to specify no lifetime limit. | |||
| priority | True | integer | A required integer that determines the relative priority of the IKE policy, from 1 to 65535. The priority determines the order of the IKE policy compared by the two negotiating peers when attempting to find a common security association (SA). If the remote IPsec peer does not support the parameters selected in your highest priority policy, it tries to use the parameters defined in the next lowest priority. The lower the number, the higher the priority. A given number is meaningful only in relation to the priority numbers defined on the other IKE policies. Field level constraints: cannot be null. (Note: Additional constraints might exist) |
|||
| encryptionTypes | False | [object] | A list of enum values that specifies the encryption algorithm used to establish the Phase 1 security association (SA) for protecting Phase 2 negotiations. Specify all algorithms that you want to allow, although you cannot include both mixed-mode (AES-GCM) and normal mode options in the same policy. (Normal mode requires that you select an integrity hash, whereas mixed mode prohibits a separate integrity hash selection.) The system negotiates with the peer, starting from the strongest to the weakest algorithm, until a match is agreed upon. Possible values are, in order of strength: (unsupported) NULL - A null encryption algorithm provides authentication without encryption. This is typically used for testing purposes only. DES - Data Encryption Standard, which encrypts using 56-bit keys, is a symmetric secret-key block algorithm (unsupported when strong crypto license is enabled). (unsupported) THREE_DES - Triple DES, which encrypts three times using 56-bit keys. AES - Advanced Encryption Standard is a symmetric cipher algorithm. AES uses 128--bit keys. AES192 - An Advanced Encryption Standard algorithm that uses 192--bit keys. AES256 - An Advanced Encryption Standard algorithm that uses 256--bit keys. AES_GCM - Advanced Encryption Standard in Galois/Counter Mode is a block cipher mode of operation providing confidentiality and data-origin authentication. AES_GCM uses 128-bit keys. AES_GCM192 - An Advanced Encryption Standard in Galois/Counter Mode that uses 192-bit keys. AES_GCM256 - An Advanced Encryption Standard in Galois/Counter Mode that uses 256-bit keys. |
|||
| groupTypes | False | [object] | A list of enum values that specifies the Diffie-Hellman group to use for deriving a shared secret between the two IPsec peers without transmitting it to each other. A larger modulus provides higher security but requires more processing time. The two peers must have a matching modulus group. Specify all algorithms that you want to allow. The system negotiates with the peer, starting from the strongest to the weakest group, until a match is agreed upon. Possible values are: (unsupported) GROUP2 - 1024-bit modulus. (deprecated) GROUP5 - 1536-bit modulus. GROUP14 - 2048 bit modulus. GROUP19 - 256 bit elliptic curve. GROUP20 - 384 bit elliptic curve. GROUP21 - 521 bit elliptic curve. (unsupported) GROUP24 - 2048-bit modulus and 256-bit prime order subgroup. GROUP31 - 256-bit elliptic curve. |
|||
| integrityTypes | False | [object] | A list of enum values that specifies the integrity portion of the hash algorithm for creating a message digest, which is used to ensure message integrity. Select all algorithms that you want to allow. The system negotiates with the peer, starting from the strongest to the weakest algorithm, until a match is agreed upon. The integrity hash is not used with the AES-GCM encryption options. Possible values are: NULL - A null hash algorithm. This is typically used for testing purposes only. However, you should choose the null integrity algorithm if you select one of the AES-GCM/GMAC options as the encryption algorithm. Even if you choose a non-null option, the integrity hash is ignored for these encryption standards. (unsupported) MD5 - The Message Digest 5 algorithm, which produces a 128-bit digest. SHA - The Secure Hash Algorithm, which produces a 160-bit digest. SHA256 - The Secure Hash Algorithm SHA 2 with a 256-bit digest. SHA384 - The Secure Hash Algorithm SHA 2 with a 384-bit digest. SHA512 - The Secure Hash Algorithm SHA 2 with a 512-bit digest. |
|||
| prfTypes | False | [object] | A list of enum values that specifies the pseudo-random function (PRF) portion of the hash algorithm, which is used as the algorithm to derive keying material and hashing operations required for the IKEv2 tunnel encryption. Select all algorithms that you want to allow. The system negotiates with the peer, starting from the strongest to the weakest algorithm, until a match is agreed upon. Possible values are: (unsupported) MD5 - The Message Digest 5 algorithm, which produces a 128-bit digest. SHA - The Secure Hash Algorithm, which produces a 160-bit digest. SHA256 - The Secure Hash Algorithm SHA 2 with a 256-bit digest. SHA384 - The Secure Hash Algorithm SHA 2 with a 384-bit digest. SHA512 - The Secure Hash Algorithm SHA 2 with a 512-bit digest. |
|||
| cryptoRestricted | False | boolean | A system-provided Boolean value, TRUE or FALSE. The TRUE value indicates that the policy uses strong cryptography, which is controlled by export regulations. A device must be registered export-controlled functionality to use a strong encryption policy. | |||
| summaryLabel | False | string | A system-provided string that describes the IKE policy. | |||
| id | False | string | A unique string identifier assigned by the system when the object is created. No assumption can be made on the format or content of this identifier. The identifier must be provided whenever attempting to modify/delete (or reference) an existing object. Field level constraints: must match pattern ^((?!;).)*$. (Note: Additional constraints might exist) |
|||
| isSystemDefined | False | boolean | A Boolean value, TRUE or FALSE (the default). The TRUE value indicates that the system created the object. FALSE indicates that the object is user-defined. | |||
| type | True | string | A UTF8 string, all letters lower-case, that represents the class-type. This corresponds to the class name. | |||
Query Parameters
| Parameter | Required | Type | Description | |||
|---|---|---|---|---|---|---|
| filter | False | string | The criteria used to filter the models you are requesting. It should have the following format: {key}{operator}{value}[;{key}{operator}{value}]. Supported operators are: "!"(not equals), ":"(equals), "~"(similar). Supported keys are: "name", "fts". The "fts" filter cannot be used with other filters. Default filtering for Upsert operation is done by name. | |||
Example
- name: Execute 'upsertIkevTwoPolicy' operation
ftd_configuration:
operation: "upsertIkevTwoPolicy"
data:
version: "{{ version }}"
name: "{{ name }}"
enabled: "{{ enabled }}"
lifeTime: "{{ life_time }}"
priority: "{{ priority }}"
encryptionTypes: "{{ encryption_types }}"
groupTypes: "{{ group_types }}"
integrityTypes: "{{ integrity_types }}"
prfTypes: "{{ prf_types }}"
cryptoRestricted: "{{ crypto_restricted }}"
summaryLabel: "{{ summary_label }}"
id: "{{ id }}"
isSystemDefined: "{{ is_system_defined }}"
type: "{{ type }}"
query_params:
filter: "{{ filter }}"