Description
The addAccessRule operation handles configuration related to the AccessRule model.
This API call is not allowed on the standby unit in an HA pair.
HTTP request
POST /api/fdm/v6/policy/accesspolicies/{parentId}/accessrules
Data Parameters
Parameter | Required | Type | Description | |||
---|---|---|---|---|---|---|
name | True | string | A String object containing the name of the FTDRulebase object. The string can be up to a maximum of 128 characters | |||
sourceZones | False | [object] | A Set of ZoneBase objects considered as a source zone. Allowed types are: [SecurityZone, TunnelZone] |
|||
destinationZones | False | [object] | A Set of ZoneBase objects considered as a destination zone. Allowed types are: [SecurityZone, TunnelZone] |
|||
sourceNetworks | False | [object] | A Set of Network objects considered as a source network. Allowed types are: [Continent, Country, GeoLocation, NetworkObject, NetworkObjectGroup] |
|||
destinationNetworks | False | [object] | A Set of Network objects considered as a destination network. Allowed types are: [Continent, Country, GeoLocation, NetworkObject, NetworkObjectGroup] |
|||
sourcePorts | False | [object] | A Set of PortObjectBase objects considered as a source port. Allowed types are: [ICMPv4PortObject, ICMPv6PortObject, PortObjectGroup, ProtocolObject, TCPPortObject, UDPPortObject] |
|||
destinationPorts | False | [object] | A Set of PortObjectBase objects considered as a destination port. Allowed types are: [ICMPv4PortObject, ICMPv6PortObject, PortObjectGroup, ProtocolObject, TCPPortObject, UDPPortObject] |
|||
rulePosition | False | integer | Transient field holding the index position for the rule | |||
ruleAction | False | string | A mandatory AcRuleAction object that defines the Access Control Rule action. Possible values are: PERMIT TRUST DENY |
|||
eventLogAction | False | string | A mandatory EventLogAction object that defines the logging options for the rule. Possible values are: LOG_FLOW_START: (Not supported) LOG_FLOW_END: Log at the end of connection LOG_BOTH: Log at the beginning and end of connection LOG_NONE: Do not log connection |
|||
identitySources | False | [object] | A Set object containing TrafficIdentity objects. A TrafficIdentity object represents an ActiveDirectoryRealm or LocalIdentitySource Allowed types are: [ActiveDirectoryRealm, LDAPRealm, LocalIdentitySource, SpecialRealm, User] |
|||
users | False | [object] | A Set object containing TrafficEntry objects. A TrafficEntry object represents a User/Group of an Active Directory(AD). | |||
embeddedAppFilter | False | object | An optional EmbeddedAppFilter object. Providing an object will make the rule be applied only to traffic matching provided app filter's condition(s). | |||
urlFilter | False | object | An optional EmbeddedURLFilter object. Providing an object will make the rule be applied only to traffic matching provided url filter's condition(s). | |||
intrusionPolicy | False | object | An optional IntrusionPolicy object. Specify an IntrusionPolicy object if you would like the traffic passing through the rule be inspected by the IP object. Field level constraints: requires threat license. (Note: Additional constraints might exist) Allowed types are: [IntrusionPolicy] |
|||
filePolicy | False | object | An optional FilePolicy object. Providing an object will make the rule be applied only to traffic matching the provided file policy's condition(s). Allowed types are: [FilePolicy] |
|||
logFiles | False | boolean | An optional Boolean object. Logs files matching to the current rule if set to true. Default option is false | |||
syslogServer | False | object | An optional SyslogServer object. Specify a syslog server if you want a copy of events matching the current rule to be sent to an external syslog server. Allowed types are: [SyslogServer] |
|||
hitCount | False | object | Hit count for a rule | |||
destinationDynamicObjects | False | [object] | An optional set of DynamicObject objects to match for destination traffic criteria. Allowed types are: [SGTDynamicObject] |
|||
sourceDynamicObjects | False | [object] | An optional set of DynamicObject objects to match for source traffic criteria. Allowed types are: [SGTDynamicObject] |
|||
timeRangeObjects | False | [object] | An Optional TimeRange Object that specifies a time range Allowed types are: [TimeRangeObject] |
|||
type | True | string | A UTF8 string, all letters lower-case, that represents the class-type. This corresponds to the class name. |
Path Parameters
Parameter | Required | Type | Description | |||
---|---|---|---|---|---|---|
parentId | True | string |
Query Parameters
Parameter | Required | Type | Description | |||
---|---|---|---|---|---|---|
at | False | integer | An integer representing where to add the new object in the ordered list. Use 0 to add it at the beginning of the list. If not specified, it will be added at the end of the list |
Example
# Add an access rule to access policy {parentId} through the FDM REST API.
# ACCESS_TOKEN, HOST and PORT are read from the shell environment; the
# "string" / 0 values in the payload are placeholders to be replaced.
curl --request POST \
  --header "Accept: application/json" \
  --header "Authorization: Bearer ${ACCESS_TOKEN}" \
  --header "Content-Type: application/json" \
  --data '{
"destinationDynamicObjects": [],
"destinationNetworks": [],
"destinationPorts": [],
"destinationZones": [],
"embeddedAppFilter": {
"applicationFilters": [],
"applications": [],
"conditions": [],
"type": "embeddedappfilter"
},
"eventLogAction": "LOG_FLOW_START",
"filePolicy": {
"id": "string",
"name": "string",
"type": "string",
"version": "string"
},
"hitCount": {
"firstHitTimeStamp": "string",
"hitCount": 0,
"lastFetchTimeStamp": "string",
"lastHitTimeStamp": "string",
"rule": {
"id": "string",
"name": "string",
"ruleId": 0,
"type": "accessruleinfo"
},
"type": "HitCount"
},
"id": "string",
"identitySources": [],
"intrusionPolicy": {
"id": "string",
"name": "string",
"type": "string",
"version": "string"
},
"logFiles": true,
"name": "string",
"ruleAction": "PERMIT",
"ruleId": 0,
"rulePosition": 0,
"sourceDynamicObjects": [],
"sourceNetworks": [],
"sourcePorts": [],
"sourceZones": [],
"syslogServer": {
"id": "string",
"name": "string",
"type": "string",
"version": "string"
},
"timeRangeObjects": [],
"type": "accessrule",
"urlFilter": {
"type": "embeddedurlfilter",
"urlCategories": [],
"urlObjects": []
},
"users": [],
"version": "string"
}' \
  --url "https://${HOST}:${PORT}/api/fdm/v6/policy/accesspolicies/{parentId}/accessrules"
from bravado.requests_client import RequestsClient
from bravado.client import SwaggerClient
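def get_client(host, token, *, ssl_verify=False):
    """Build a bravado SwaggerClient for the FDM REST API on *host*.

    Args:
        host: FDM hostname (or ``host:port``); used both to fetch the Swagger
            spec and as the host the Authorization header is registered for.
        token: OAuth access token, sent as ``Authorization: Bearer <token>``.
        ssl_verify: Forwarded to the underlying requests session as its
            ``verify`` setting: ``True`` validates the server certificate
            against the system CA bundle, a path selects a custom CA bundle /
            PEM file, ``False`` disables validation.  Defaults to ``False``
            to preserve the original example behaviour; outside a lab, pass
            ``True`` or a CA bundle path, because with validation off the
            bearer token is sent to whatever answers for *host*.

    Returns:
        A SwaggerClient loaded from ``https://<host>/apispec/ngfw.json``.
    """
    http_client = RequestsClient()
    http_client.ssl_verify = ssl_verify
    # Register the token as a header "api key"; bravado attaches it to
    # requests for this host (presumably not to other hosts -- confirm
    # against the installed bravado version if the client is reused).
    http_client.set_api_key(
        host,
        "Bearer {}".format(token),
        param_name="Authorization",
        param_in="header",
    )
    return SwaggerClient.from_url(
        "https://{}/apispec/ngfw.json".format(host),
        http_client=http_client,
        config={
            # Validation is switched off in the original example; presumably
            # the FDM spec/responses do not pass bravado's strict checks.
            "validate_responses": False,
            "validate_swagger_spec": False,
        },
    )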
def add_access_rule(client, parent_id, body):
    """Create an access rule under the access policy *parent_id*.

    Thin wrapper over the generated ``AccessPolicy.addAccessRule`` operation:
    ``client`` is the SwaggerClient from ``get_client``, ``parent_id`` is the
    ``parentId`` path parameter and ``body`` the AccessRule payload.  The
    request is issued synchronously and the decoded result is returned.
    """
    operation = client.AccessPolicy.addAccessRule
    pending = operation(parentId=parent_id, body=body)
    outcome = pending.response()
    return outcome.result
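if __name__ == "__main__":
    import os

    # Connection details come from the environment when set (the same
    # variable names the curl example uses); the literals are placeholders
    # only, so the token is never hard-coded in a real deployment.
    host = os.environ.get("HOST", "ftd.example.com")
    token = os.environ.get("ACCESS_TOKEN", "access_token")
    client = get_client(host, token)
    # Id of the access policy the rule is added to (path parameter parentId).
    parent_id = "string"
    body = {
        'destinationDynamicObjects': [],
        'destinationNetworks': [],
        'destinationPorts': [],
        'destinationZones': [],
        'embeddedAppFilter': {
            'applicationFilters': [],
            'applications': [],
            'conditions': [],
            'type': 'embeddedappfilter',
        },
        # The parameter table above lists LOG_FLOW_START as "(Not supported)";
        # LOG_FLOW_END, LOG_BOTH and LOG_NONE are the documented alternatives.
        'eventLogAction': 'LOG_FLOW_START',
        # Object references: 'string' is a placeholder. Use the id/type/version
        # of an existing FilePolicy, or drop the key (the field is optional).
        'filePolicy': {
            'id': 'string',
            'name': 'string',
            'type': 'string',
            'version': 'string',
        },
        # Documented only as "Hit count for a rule"; presumably maintained by
        # the server and safe to omit on create -- confirm against the API.
        'hitCount': {
            'firstHitTimeStamp': 'string',
            'hitCount': 0,
            'lastFetchTimeStamp': 'string',
            'lastHitTimeStamp': 'string',
            'rule': {
                'id': 'string',
                'name': 'string',
                'ruleId': 0,
                'type': 'accessruleinfo',
            },
            'type': 'HitCount',
        },
        'identitySources': [],
        # Optional; requires a threat license per the parameter table.
        'intrusionPolicy': {
            'id': 'string',
            'name': 'string',
            'type': 'string',
            'version': 'string',
        },
        'logFiles': True,
        'name': 'string',
        'ruleAction': 'PERMIT',
        'rulePosition': 0,
        'sourceDynamicObjects': [],
        'sourceNetworks': [],
        'sourcePorts': [],
        'sourceZones': [],
        # Optional external syslog destination for events matching the rule.
        'syslogServer': {
            'id': 'string',
            'name': 'string',
            'type': 'string',
            'version': 'string',
        },
        'timeRangeObjects': [],
        'type': 'accessrule',
        'urlFilter': {
            'type': 'embeddedurlfilter',
            'urlCategories': [],
            'urlObjects': [],
        },
        'users': [],
    }
    add_access_rule(client, parent_id, body)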