Description

The addFileRule operation handles configuration related to the FileRule model.
This API call is not allowed on the standby unit in an HA pair.

HTTP request

POST /api/fdm/v6/policy/filepolicies/{parentId}/filerules

Data Parameters

Parameter Required Type Description
name True string Name of the File Policy Rule. It must match pattern (^[a-zA-Z0-9_]$)|(^[a-zA-Z0-9_][ a-zA-Z0-9_.+-]*[a-zA-Z0-9_.+-]$). (Note: Additional constraints might exist)
rulePosition False integer Transient field holding the index position for the rule
description False string Description of the rule.
Field level constraints: length must be between 0 and 128 (inclusive). (Note: Additional constraints might exist)
fileTypeCategories False [object] A list of fileTypeCategory objects. The system can detect various types of files. These file types are grouped into basic categories, including multimedia (swf, mp3), executables (exe, torrent), and PDFs. You can configure file rules that detect individual file types, or entire categories of file types.
To get the list of all file type categories, use the 'GET /object/filetypecategories' API.
Allowed types are: [FileTypeCategory]
fileTypes False [object] A list of fileType objects. The system can detect various types of files. You can configure file rules that detect individual file types and generate events for particular files.
To get the list of all file types, use the 'GET /object/filetypes' API.
Allowed types are: [FileType]
applicationProtocols True string The system can detect and inspect files transmitted via FTP, HTTP, SMTP, IMAP, POP3, and NetBIOS-ssn (SMB). Any, the default, detects files in HTTP, SMTP, IMAP, POP3, FTP, and NetBIOS-ssn (SMB) traffic. To improve performance, you can restrict file detection to only one of those application protocols on a per-file rule basis
Field level constraints: cannot be null. (Note: Additional constraints might exist)
malwareAnalysisOptions False [object] A list of enum values that specifies the methods to use for file inspection and analysis, which determines whether a file contains malware. You can specify the following methods: SPERO, LOCAL_MALWARE_ANALYSIS.
storeFiles False [object] List of options from ALL, CLEAN, MALWARE, CUSTOM, UNKNOWN, based on malware analysis options.
directionOfTransfer True string An enum value that specifies the direction of file transfer for the files that should match this rule. Possible values are DOWNLOAD, UPLOAD and ANY. You can inspect incoming FTP, HTTP, IMAP, POP3, and NetBIOS-ssn (SMB) traffic for downloaded files, and outgoing FTP, HTTP, SMTP and NetBIOS-ssn (SMB) traffic for uploaded files.
Field level constraints: cannot be null. (Note: Additional constraints might exist)
ruleAction True string An enum value that defines the action to apply to files that match this rule. Possible values are: DETECT_FILES, BLOCK_FILES, MALWARE_CLOUD_LOOKUP, MALWARE_BLOCK.
Detect Files rules allow you to log the detection of specific file types to the database, while still allowing their transmission.
Block Files rules allow you to block specific file types. You can configure options to reset the connection when a file transfer is blocked, and store captured files to the managed device.
Malware Cloud Lookup rules allow you to obtain and log the disposition of files traversing your network, while still allowing their transmission.
Block Malware rules allow you to calculate the SHA-256 hash value of specific file types, query the AMP cloud to determine if files traversing your network contain malware, then block files that represent threats.

File Rule Actions: Evaluation Order: If more than one rule can apply to a particular situation, the evaluation order will be (1) Block Files, (2) Block Malware, (3) Malware Cloud Lookup, (4) Detect Files.
Field level constraints: cannot be null. (Note: Additional constraints might exist)
reset False boolean A Boolean value, TRUE or FALSE (the default). Cisco recommends that you enable Reset Connection for the Block Files and Block Malware actions to prevent blocked application sessions from remaining open until the TCP connection resets. If you do not reset connections, the client session will remain open until the TCP connection resets itself
isSystemDefined False boolean A Boolean value, TRUE or FALSE (the default). The TRUE value indicates that the system created the object. FALSE indicates that the object is user-defined
type True string A UTF8 string, all letters lower-case, that represents the class-type. This corresponds to the class name.
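
The field constraints and the evaluation order listed above can be checked client-side before the POST is sent. This is an added example, not Cisco's code: `check_file_rule`, `winning_action` and the sample body are hypothetical names and constructed data, and only the constraints stated on this page are enforced (the API notes that additional constraints might exist).

```python
import re

# Constraints copied from the Data Parameters table on this page.
NAME_RE = re.compile(r"(^[a-zA-Z0-9_]$)|(^[a-zA-Z0-9_][ a-zA-Z0-9_.+-]*[a-zA-Z0-9_.+-]$)")
REQUIRED = ("name", "applicationProtocols", "directionOfTransfer", "ruleAction", "type")
ENUMS = {
    "directionOfTransfer": {"DOWNLOAD", "UPLOAD", "ANY"},
    "ruleAction": {"DETECT_FILES", "BLOCK_FILES", "MALWARE_CLOUD_LOOKUP", "MALWARE_BLOCK"},
}
LIST_ENUMS = {
    "malwareAnalysisOptions": {"SPERO", "LOCAL_MALWARE_ANALYSIS"},
    "storeFiles": {"ALL", "CLEAN", "MALWARE", "CUSTOM", "UNKNOWN"},
}
# Documented evaluation order when several rules match (earlier entry wins).
EVAL_ORDER = ["BLOCK_FILES", "MALWARE_BLOCK", "MALWARE_CLOUD_LOOKUP", "DETECT_FILES"]
# Constructed sample body (not from the page): a blocking rule without reset.
SAMPLE = {"name": "Block EXE uploads", "applicationProtocols": "ANY", "type": "filerule",
          "directionOfTransfer": "UPLOAD", "ruleAction": "BLOCK_FILES", "reset": False}


def check_file_rule(body):
    """Return (errors, warnings) for a FileRule request body."""
    errors, warnings = [], []
    for field in REQUIRED:
        if body.get(field) is None:
            errors.append(f"{field}: required, cannot be null")
    name = body.get("name")
    if isinstance(name, str) and not NAME_RE.fullmatch(name):
        errors.append("name: does not match the documented pattern")
    if len(body.get("description") or "") > 128:
        errors.append("description: longer than 128 characters")
    for field, allowed in ENUMS.items():
        value = body.get(field)
        if value is not None and value not in allowed:
            errors.append(f"{field}: {value!r} is not one of {sorted(allowed)}")
    for field, allowed in LIST_ENUMS.items():
        bad = [v for v in body.get(field) or [] if v not in allowed]
        if bad:
            errors.append(f"{field}: unknown values {bad}")
    if body.get("ruleAction") in ("BLOCK_FILES", "MALWARE_BLOCK") and not body.get("reset"):
        warnings.append("reset: enable Reset Connection for blocking actions")
    return errors, warnings


def winning_action(matching_actions):
    """Pick the action that applies when several rules match the same file."""
    return min(matching_actions, key=EVAL_ORDER.index)
```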

Path Parameters

Parameter Required Type Description
parentId True string

Query Parameters

Parameter Required Type Description
at False integer An integer representing where to add the new object in the ordered list. Use 0 to add it at the beginning of the list. If not specified, it will be added at the end of the list

Example

curl -X POST \
    --header "Accept: application/json" \
    --header "Authorization: Bearer ${ACCESS_TOKEN}" \
    --header "Content-Type: application/json" \
    -d '{
        "applicationProtocols": "ANY",
        "description": "string",
        "directionOfTransfer": "UPLOAD",
        "fileTypeCategories": [],
        "fileTypes": [],
        "id": "string",
        "isSystemDefined": true,
        "malwareAnalysisOptions": [],
        "name": "string",
        "reset": true,
        "ruleAction": "DETECT_FILES",
        "rulePosition": 0,
        "storeFiles": [],
        "type": "filerule",
        "version": "string"
    }' \
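    "https://${HOST}:${PORT}/api/fdm/v6/policy/filepolicies/{parentId}/filerules"

from bravado.requests_client import RequestsClient
from bravado.client import SwaggerClient


def get_client(host, token):
    """Build a Swagger client for the device API, authenticated with a bearer token."""
    http_client = RequestsClient()
    # TLS certificate verification is disabled here, so the bearer token is sent
    # to an unauthenticated peer. Set ssl_verify to True, or to the path of a CA
    # bundle that covers the device certificate, outside a lab.
    http_client.ssl_verify = False
    # Send "Authorization: Bearer <token>" with every request to this host.
    http_client.set_api_key(
        host,
        "Bearer {}".format(token),
        param_name="Authorization",
        param_in="header"
    )
    # The client is generated from the API specification served by the device.
    return SwaggerClient.from_url(
        "https://{}/apispec/ngfw.json".format(host),
        http_client=http_client,
        config={
            "validate_responses": False,
            "validate_swagger_spec": False
        }
    )


def add_file_rule(client, parent_id, body):
    """Add a file rule to the file policy identified by parent_id."""
    return client.FileAndMalwarePolicy.addFileRule(
        parentId=parent_id,
        body=body
    ).response().result


if __name__ == "__main__":
    host = "ftd.example.com"
    token = "access_token"
    client = get_client(host, token)

    # Placeholder values: replace with the file policy ID and the rule settings.
    parent_id = "string"
    body = {
        'applicationProtocols': 'ANY',
        'description': 'string',
        'directionOfTransfer': 'UPLOAD',
        'fileTypeCategories': [],
        'fileTypes': [],
        'isSystemDefined': True,
        'malwareAnalysisOptions': [],
        'name': 'string',
        'reset': True,
        'ruleAction': 'DETECT_FILES',
        'rulePosition': 0,
        'storeFiles': [],
        'type': 'filerule',
    }

    add_file_rule(client, parent_id, body)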