Managing Rules
The following methods search, retrieve, and edit rules.
Retrieving a List of a Device's Rules
The get_rules_by_device method retrieves a list of rules for a device.
Note: The list of parameters in the rules element depends on the device.
Request Type: GetRulesByDeviceRequest

Element | Type | Description |
---|---|---|
SessionID (Mandatory) | String | SessionID returned by the connect method. |
DeviceID (Mandatory) | String | Tree name of the device. |

Response Type: GetRulesByDeviceResponse

Element | Type | Description |
---|---|---|
Rules | Rules | Returned rules for the device. For details, see Rules type. Note: The response includes RuleID, which is the value passed as RuleUid to get_rule_documentation and edit_rule_documentation. For details, see Retrieving a Rule's Documentation. |

Example request and response (the rules element of this device carries ACL, Interface and Line fields):
<GetRulesByDeviceRequest>
<SessionID>djiid120v5kge1quf01s6p5r11</SessionID>
<DeviceID>10_132_16_1</DeviceID>
</GetRulesByDeviceRequest>
<GetRulesByDeviceResponse>
<Rules>
<Rule>
<RuleID>acl(247)</RuleID>
<Name>dmz_access_in(1)</Name>
<Source>10.134.191.1</Source>
<Destination>any</Destination>
<Action>permit</Action>
<Enable>disabled</Enable>
<Service>icmp/echo</Service>
<ACL>dmz_access_in</ACL>
<Interface>dmz</Interface>
<LineNum>247</LineNum>
<Internal_Name>dmz_access_in(2)</Internal_Name>
<UID>oBr68ezuOqr3BLIsq1AwXw</UID>
<Line>access-list dmz_access_in extended permit icmp host 10.134.191.1 any echo inactive</Line>
</Rule>
<Rule>
<RuleID>acl(249)</RuleID>
<Name>dmz_access_in(2)</Name>
<Source>192.168.3.80</Source>
<Destination>any</Destination>
<Action>permit</Action>
<Enable>disabled</Enable>
<Service>tcp/talk</Service>
<ACL>dmz_access_in</ACL>
<Interface>dmz</Interface>
<LineNum>249</LineNum>
<Internal_Name>dmz_access_in(4)</Internal_Name>
<UID>RzHkFIr5kdsZ+gWbfDtc+Q</UID>
<Line>access-list dmz_access_in extended permit tcp host 192.168.3.80 any eq talk inactive</Line>
</Rule>
<Rule>
<RuleID>acl(251)</RuleID>
<Name>dmz_access_in(3)</Name>
<Source>any</Source>
<Destination>192.168.3.184</Destination>
<Action>permit</Action>
<Enable>disabled</Enable>
<Service>tcp/http</Service>
<ACL>dmz_access_in</ACL>
<Interface>dmz</Interface>
<LineNum>251</LineNum>
<Internal_Name>dmz_access_in(6)</Internal_Name>
<UID>0ef41BscLmJC37JSv8EWfQ</UID>
<Line>access-list dmz_access_in extended permit tcp any host 192.168.3.184 eq www inactive</Line>
</Rule>
</Rules>
</GetRulesByDeviceResponse>
Example request and response for a second device. Its rules element carries a different set of fields (RuleNum, Services, Track, Install, Global), so a client must not assume one fixed schema:
<GetRulesByDeviceRequest>
<SessionID>djiid120v5kge1quf01s6p5r11</SessionID>
<DeviceID>p_10_132_30_1</DeviceID>
</GetRulesByDeviceRequest>
<ns1:GetRulesByDeviceResponse>
<Rules>
<Rule>
<RuleNum>1</RuleNum>
<RuleID>086D5DE5-D0F0-4EDA-BF1F-B345F7E73725</RuleID>
<Source>afa-amichai</Source>
<Destination>Any</Destination>
<Services>Any</Services>
<Action>accept</Action>
<Enable>disabled</Enable>
<Track>None</Track>
<Time>Any</Time>
<Install>Any</Install>
<Global>before</Global>
<Comments>comment 3</Comments>
</Rule>
<Rule>
<RuleNum>2</RuleNum>
<RuleID>DB9519FB-2FC4-430A-BD9E-0D4D68552641</RuleID>
<Name>allow amichai's ssh</Name>
<Source>amichai-pc</Source>
<Destination>LocalMachine</Destination>
<Services>gssh_version_2</Services>
<Action>accept</Action>
<Enable>disabled</Enable>
<Track>None</Track>
<Time>Any</Time>
<Install>Any</Install>
<Global>before</Global>
<Comments>for log collection</Comments>
</Rule>
<Rule>
<RuleNum>18</RuleNum>
<RuleID>6343F5EE-29B2-42E1-B4B2-F4C3D634A881</RuleID>
<Source>Any</Source>
<Destination>Any</Destination>
<Services>Any</Services>
<Action>drop</Action>
<Enable>enabled</Enable>
<Track>None</Track>
<Time>Any</Time>
<Install>Any</Install>
<Global>after</Global>
</Rule>
</Rules>
</ns1:GetRulesByDeviceResponse>
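As an added example (not code from the AFA documentation or product), the following Python parses both shapes of GetRulesByDeviceResponse shown above with the standard library, normalises the device-specific field names (Service versus Services, permit versus accept) and flags enabled allow rules that match any source, any destination and any service. The sample responses are trimmed copies of the page's examples plus one rule marked CONSTRUCTED that the page does not contain; the xmlns:ns1 URI is an assumption, since the page shows only the prefix.

```python
import xml.etree.ElementTree as ET

# Constructed samples trimmed from the two GetRulesByDeviceResponse bodies on
# this page, plus one rule marked CONSTRUCTED that the page does not contain.
# The xmlns:ns1 URI is an assumption: the page shows the prefix only; in a real
# reply it is declared on the SOAP Envelope.
ACL_DEVICE_RESPONSE = """<GetRulesByDeviceResponse>
<Rules>
<Rule>
<RuleID>acl(247)</RuleID>
<Name>dmz_access_in(1)</Name>
<Source>10.134.191.1</Source>
<Destination>any</Destination>
<Action>permit</Action>
<Enable>disabled</Enable>
<Service>icmp/echo</Service>
<ACL>dmz_access_in</ACL>
<Interface>dmz</Interface>
<UID>oBr68ezuOqr3BLIsq1AwXw</UID>
</Rule>
</Rules>
</GetRulesByDeviceResponse>"""

POLICY_DEVICE_RESPONSE = """<ns1:GetRulesByDeviceResponse xmlns:ns1="urn:example:afa">
<Rules>
<Rule>
<RuleNum>2</RuleNum>
<RuleID>DB9519FB-2FC4-430A-BD9E-0D4D68552641</RuleID>
<Name>allow amichai's ssh</Name>
<Source>amichai-pc</Source>
<Destination>LocalMachine</Destination>
<Services>gssh_version_2</Services>
<Action>accept</Action>
<Enable>disabled</Enable>
</Rule>
<Rule>
<RuleNum>3</RuleNum>
<RuleID>CONSTRUCTED-0003</RuleID>
<Source>Any</Source>
<Destination>Any</Destination>
<Services>Any</Services>
<Action>accept</Action>
<Enable>enabled</Enable>
</Rule>
<Rule>
<RuleNum>18</RuleNum>
<RuleID>6343F5EE-29B2-42E1-B4B2-F4C3D634A881</RuleID>
<Source>Any</Source>
<Destination>Any</Destination>
<Services>Any</Services>
<Action>drop</Action>
<Enable>enabled</Enable>
</Rule>
</Rules>
</ns1:GetRulesByDeviceResponse>"""

# "permit" (ACL devices) and "accept" (policy devices) both appear on this page.
ALLOW_ACTIONS = {"permit", "accept"}


def local_name(tag):
    """Strip an ElementTree {namespace} prefix so ns1-qualified and plain tags compare alike."""
    return tag.rsplit("}", 1)[-1]


def parse_rules(xml_text):
    """Flatten every <Rule> into a dict: normalised core keys plus all raw fields.

    The field set is device-specific (see the note above): ACL devices report
    Service and permit, policy devices Services and accept, so the core keys
    are normalised here and the raw fields kept for anything else.
    """
    root = ET.fromstring(xml_text)
    rules = []
    for node in root.iter():
        if local_name(node.tag) != "Rule":
            continue
        raw = {local_name(c.tag): (c.text or "").strip() for c in node}
        rules.append({
            "rule_id": raw.get("RuleID", ""),
            "source": raw.get("Source", ""),
            "destination": raw.get("Destination", ""),
            "service": raw.get("Service") or raw.get("Services") or "",
            "action": raw.get("Action", "").lower(),
            "enabled": raw.get("Enable", "").lower() == "enabled",
            "raw": raw,
        })
    return rules


def is_any(value):
    return value.strip().lower() == "any"


def find_open_allow_rules(rules):
    """RuleIDs of enabled allow rules matching any source, any destination and any service."""
    return [r["rule_id"] for r in rules
            if r["enabled"] and r["action"] in ALLOW_ACTIONS
            and is_any(r["source"]) and is_any(r["destination"]) and is_any(r["service"])]
```

The rule_id values this returns (acl(247) for the ACL device, the GUIDs for the policy device) are exactly what get_rule_documentation and edit_rule_documentation expect in RuleUid. Disabled rules are deliberately excluded from the open-allow check; a disabled any/any/any rule is clutter, not exposure, until someone re-enables it.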
Searching for Rules
The search_rule method searches for rules.
Request Type: SearchRuleRequest

Element | Type | Description |
---|---|---|
SessionID (Mandatory) | String | Session ID obtained from the connect method. |
EntityID (Optional) | String | ID of the entity to search. If not provided, the search covers all devices. |
EntityType (Optional) | String | Type of the entity to search. If not provided, the search covers all devices. Possible values include: |
SearchFor (Mandatory) | SearchParam | Criteria to search for. For details, see SearchParam type. |

Response Type: SearchRuleResponse

Element | Type | Description |
---|---|---|
Rules (Mandatory) | List of Rule objects | Returned rules. For details, see Rules type. Note: The response includes RuleID, which is the value passed as RuleUid to get_rule_documentation. For details, see Retrieving a Rule's Documentation. |

Example: search every rule field of device 10_132_16_1 for the string 10.134:
<SearchRuleRequest>
<SessionID>366a6ae034ce7a4357f6f66fad629018</SessionID>
<EntityID>10_132_16_1</EntityID>
<!--1 or more repetitions:-->
<SearchFor>
<Search>10.134</Search>
</SearchFor>
</SearchRuleRequest>
<SearchRuleResponse>
<Rules>
<Rule>
<RuleID>acl(247)</RuleID>
<Name>dmz_access_in(1)</Name>
<Source>10.134.191.1</Source>
<Destination>any</Destination>
<Action>permit</Action>
<Enable>disabled</Enable>
<Service>Array</Service>
<ACL>dmz_access_in</ACL>
<Interface>dmz</Interface>
<LineNum>247</LineNum>
<Internal_Name>dmz_access_in(2)</Internal_Name>
<UID>oBr68ezuOqr3BLIsq1AwXw</UID>
<Line>access-list dmz_access_in extended permit icmp host 10.134.191.1 any echo inactive</Line>
</Rule>
<Rule>
<RuleID>acl(285)</RuleID>
<Name>inside_access_in(8)</Name>
<Source>dmz-network/24</Source>
<Destination>10.134.14.0/24</Destination>
<Action>permit</Action>
<Enable>enabled</Enable>
<Service>Array</Service>
<Comment>amichai's rule</Comment>
<ACL>inside_access_in</ACL>
<Interface>inside</Interface>
<LineNum>285</LineNum>
<Internal_Name>inside_access_in(11)</Internal_Name>
<UID>0xf5cb4128</UID>
<Line>access-list inside_access_in extended permit tcp 10.136.16.0 255.255.255.0 10.134.14.0 255.255.255.0 eq aol log</Line>
</Rule>
</Rules>
</SearchRuleResponse>
Example: a search restricted to one rule field by the Field element of SearchParam:
<SearchRuleRequest>
<SessionID>366a6ae034ce7a4357f6f66fad629018</SessionID>
<EntityID>10_132_16_1</EntityID>
<!--1 or more repetitions:-->
<SearchFor>
<Search>10.132</Search>
<Field>Destination</Field>
</SearchFor>
</SearchRuleRequest>
<SearchRuleResponse>
<Rules>
<Rule>
<RuleID>acl(247)</RuleID>
<Name>dmz_access_in(1)</Name>
<Source>10.134.191.1</Source>
<Destination>any</Destination>
<Action>permit</Action>
<Enable>disabled</Enable>
<Service>Array</Service>
<ACL>dmz_access_in</ACL>
<Interface>dmz</Interface>
<LineNum>247</LineNum>
<Internal_Name>dmz_access_in(2)</Internal_Name>
<UID>oBr68ezuOqr3BLIsq1AwXw</UID>
<Line>access-list dmz_access_in extended permit icmp host 10.134.191.1 any echo inactive</Line>
</Rule>
<Rule>
<RuleID>acl(285)</RuleID>
<Name>inside_access_in(8)</Name>
<Source>dmz-network/24</Source>
<Destination>10.134.14.0/24</Destination>
<Action>permit</Action>
<Enable>enabled</Enable>
<Service>Array</Service>
<Comment>amichai's rule</Comment>
<ACL>inside_access_in</ACL>
<Interface>inside</Interface>
<LineNum>285</LineNum>
<Internal_Name>inside_access_in(11)</Internal_Name>
<UID>0xf5cb4128</UID>
<Line>access-list inside_access_in extended permit tcp 10.136.16.0 255.255.255.0 10.134.14.0 255.255.255.0 eq aol log</Line>
</Rule>
</Rules>
</SearchRuleResponse>
Retrieving a Rule's Documentation
The get_rule_documentation method retrieves the contents of a specified documentation column for one rule.

Request Type: GetRuleDocumentationRequest

Element | Type | Description |
---|---|---|
SessionID (Mandatory) | String | SessionID obtained from the connect method. |
DeviceID (Mandatory) | String | Tree name of the device. |
RuleUid (Mandatory) | String | Rule ID. To get the rule ID, call one of the rule APIs, such as get_rules_by_device. For details, see Retrieving a List of a Device's Rules. |
DocumentationColumn (Mandatory) | String | The name of the column from which you want to retrieve data. Note: By default, AFA adds a field called Documentation to each device policy. For information on adding other columns, see Customizing Device Policy Documentation Fields. |

Response Type: GetRuleDocumentationResponse

Element | Type | Description |
---|---|---|
GetRuleDocumentationResponse | String | The content of the specified column. |
Editing a Rule's Documentation
The edit_rule_documentation method writes data to a specified documentation column of one rule, replacing whatever the column held.

Request Type: EditRuleDocumentationRequest

Element | Type | Description |
---|---|---|
SessionID (Mandatory) | String | SessionID obtained from the connect method. |
DeviceID (Mandatory) | String | Tree name of the device. |
RuleUid (Mandatory) | String | Rule ID. To get the rule ID, call one of the rule APIs, such as get_rules_by_device. For details, see Retrieving a List of a Device's Rules. |
DocumentationColumn (Mandatory) | String | Name of the column you want to edit. Note: By default, AFA adds a field called Documentation to each device policy. For information on adding other columns, see Customizing Device Policy Documentation Fields. |
DocumentationData (Mandatory) | String | Content to put in the specified column. Existing data is overwritten, not appended; to add to an existing note, read the current value with get_rule_documentation and send it back together with the addition. |

Response Type: EditRuleDocumentationResponse

Element | Type | Description |
---|---|---|
EditRuleDocumentationResponse | Integer | On success, returns 1. On failure, returns 0. |
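An added example, not code from the AFA documentation or product, covering the request side of search_rule, get_rule_documentation and edit_rule_documentation. The request bodies are built with ElementTree from a dict, so optional elements (EntityID, EntityType, Field) are dropped when None, and DocumentationData containing <, > or & is escaped instead of being concatenated into the XML as markup. The page shows no sample EditRuleDocumentationResponse; parse_edit_result assumes the 0/1 integer from the table above is the element's text. Wrapping the body in the SOAP Envelope and sending it is left to the SOAP client.

```python
import xml.etree.ElementTree as ET


def local_name(tag):
    """Strip an ElementTree {namespace} prefix (responses may arrive ns1-qualified)."""
    return tag.rsplit("}", 1)[-1]


def build_request(name, fields):
    """Serialise a request body like the ones on this page from a dict.

    Nested dicts become nested elements (SearchFor -> Search, Field); a None
    value drops the element, which is how optional parameters are omitted.
    Text is set through ElementTree, so <, > and & in user data are escaped
    rather than spliced into the document as markup.
    """
    def fill(parent, mapping):
        for key, value in mapping.items():
            if value is None:
                continue
            child = ET.SubElement(parent, key)
            if isinstance(value, dict):
                fill(child, value)
            else:
                child.text = str(value)
    root = ET.Element(name)
    fill(root, fields)
    return ET.tostring(root, encoding="unicode")


def search_rule_request(session_id, search, field=None, entity_id=None, entity_type=None):
    return build_request("SearchRuleRequest", {
        "SessionID": session_id,
        "EntityID": entity_id,
        "EntityType": entity_type,
        "SearchFor": {"Search": search, "Field": field},
    })


def get_rule_documentation_request(session_id, device_id, rule_uid, column="Documentation"):
    return build_request("GetRuleDocumentationRequest", {
        "SessionID": session_id, "DeviceID": device_id,
        "RuleUid": rule_uid, "DocumentationColumn": column})


def edit_rule_documentation_request(session_id, device_id, rule_uid, data, column="Documentation"):
    return build_request("EditRuleDocumentationRequest", {
        "SessionID": session_id, "DeviceID": device_id, "RuleUid": rule_uid,
        "DocumentationColumn": column, "DocumentationData": data})


def request_field(xml_text, path):
    """Read back one element's text from a serialised request (used for checks)."""
    node = ET.fromstring(xml_text).find(path)
    return None if node is None else node.text


def parse_edit_result(xml_text):
    """edit_rule_documentation answers 1 on success and 0 on failure.
    Assumption: the integer is carried as the response element's text."""
    root = ET.fromstring(xml_text)
    if local_name(root.tag) != "EditRuleDocumentationResponse":
        raise ValueError(f"unexpected response element {root.tag!r}")
    text = (root.text or "").strip()
    if text not in ("0", "1"):
        raise ValueError(f"unexpected EditRuleDocumentationResponse payload {text!r}")
    return text == "1"


def append_documentation(existing, note):
    """DocumentationData overwrites the column, so fetch the current value with
    get_rule_documentation first and send old and new text back together."""
    return f"{existing}\n{note}" if existing else note


if __name__ == "__main__":
    sid = "djiid120v5kge1quf01s6p5r11"   # SessionID value from the page's examples
    note = 'owner <ops@example.com> & "change 4180"'   # constructed, with XML-special characters
    print(search_rule_request(sid, "10.132", field="Destination", entity_id="10_132_16_1"))
    print(get_rule_documentation_request(sid, "10_132_16_1", "acl(247)"))
    print(edit_rule_documentation_request(sid, "10_132_16_1", "acl(247)", append_documentation("", note)))
```

The escaping matters because DocumentationData is free text that often comes from a ticket or a change-request form; building the body by string formatting would let a stray `</DocumentationData>` in that text terminate the element and inject sibling elements into the request.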
Retrieving a List of Unused Rules
The get_unused_rules method retrieves the list of unused rules detected in the last successful report of a device, a group of devices, or a matrix. The result is only as current as that report: each returned rule names the report (Report) and its analysis time (Analyzed_On).

Request Type: GetUnusedRulesRequest

Element | Type | Description |
---|---|---|
SessionID (Mandatory) | String | SessionID returned by the connect method. |
EntityID (Mandatory) | String | Tree name of the device, group, or matrix identified by EntityType. |
EntityType (Mandatory) | String | Device, group, or matrix. |

Response Type: GetUnusedRulesResponse

Element | Type | Description |
---|---|---|
Rules | Rules | Returns the unused rules of the given EntityID based on its last report. |

Example request and response:
<GetUnusedRulesRequest>
<SessionID>49a6ce6f7341b340edefae630b8b25a1</SessionID>
<EntityID>Humus</EntityID>
<EntityType>Device</EntityType>
</GetUnusedRulesRequest>
<GetUnusedRulesResponse>
<Rules>
<Rule>
<DeviceID>Humus</DeviceID>
<Report>afa-754</Report>
<Analyzed_On>2016-05-29 14:29:22</Analyzed_On>
<RuleID>2FBCB893-1F26-2343-BOAE-BD1371D27C2A</RuleID>
<RuleNum>33</RuleNum>
<Source>a_10.10.18.95</Source>
<Destination>ip=10.30.18.95</Destination>
<Service>udp-16994</Service>
<Action>accept</Action>
<Enable>enabled</Enable>
<Time>Any</Time>
<Section_Header>Default rule</Section_Header>
<Global>middle</Global>
<Log>Log</Log>
<Comment>4180</Comment>
<Install>Humus</Install>
<LastUse>N/A</LastUse>
</Rule>
</Rules>
</GetUnusedRulesResponse>
The same request from a session that is not permitted to view the entity returns a SOAP Fault (error code 505) instead of a response:
<GetUnusedRulesRequest>
<SessionID>e4a1edb6f40ff69cbe021123077b</SessionID>
<EntityID>Humus</EntityID>
<EntityType>Device</EntityType>
</GetUnusedRulesRequest>
<Fault>
<faultcode>ns1:AFA-WS</faultcode>
<faultstring>[505] [You are not permitted to perform this operation.]</faultstring>
<faultactor>AFA Web Service</faultactor>
<detail>
<ns1:ErrorDetails>
<code>505</code>
<description>[505] [You are not permitted to perform this operation.]</description>
</ns1:ErrorDetails>
</detail>
</Fault>
When the last report found no unused rules, the response carries an empty Rules element:
<GetUnusedRulesRequest>
<SessionID>1a3cfbf7e4f82f309d9893dc2b6fb932</SessionID>
<EntityID>Humus</EntityID>
<EntityType>Device</EntityType>
</GetUnusedRulesRequest>
<GetUnusedRulesResponse>
<Rules/>
</GetUnusedRulesResponse>
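An added example, not from the AFA documentation or product, that handles the three outcomes of get_unused_rules shown above (a rule list, an empty Rules element, and a 505 permission Fault) and uses Analyzed_On to ignore findings from a stale report before treating a rule as a cleanup candidate. The sample responses are constructed from the page's examples; the namespace URI for ns1 is an assumption, as is the treatment of SOAP Fault children by local name (in a real reply they sit inside the SOAP Envelope with their own namespace).

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional
import xml.etree.ElementTree as ET

# Constructed from the three get_unused_rules outcomes on this page.
# The xmlns:ns1 URI is an assumption; the page shows only the prefix.
UNUSED_RULES_RESPONSE = """<GetUnusedRulesResponse>
<Rules>
<Rule>
<DeviceID>Humus</DeviceID>
<Report>afa-754</Report>
<Analyzed_On>2016-05-29 14:29:22</Analyzed_On>
<RuleID>2FBCB893-1F26-2343-BOAE-BD1371D27C2A</RuleID>
<RuleNum>33</RuleNum>
<Source>a_10.10.18.95</Source>
<Destination>ip=10.30.18.95</Destination>
<Service>udp-16994</Service>
<Action>accept</Action>
<Enable>enabled</Enable>
<LastUse>N/A</LastUse>
</Rule>
</Rules>
</GetUnusedRulesResponse>"""

EMPTY_RESPONSE = """<GetUnusedRulesResponse>
<Rules/>
</GetUnusedRulesResponse>"""

FAULT_RESPONSE = """<Fault xmlns:ns1="urn:example:afa">
<faultcode>ns1:AFA-WS</faultcode>
<faultstring>[505] [You are not permitted to perform this operation.]</faultstring>
<faultactor>AFA Web Service</faultactor>
<detail>
<ns1:ErrorDetails>
<code>505</code>
<description>[505] [You are not permitted to perform this operation.]</description>
</ns1:ErrorDetails>
</detail>
</Fault>"""


def local_name(tag):
    """Strip an ElementTree {namespace} prefix so ns1-qualified and plain tags compare alike."""
    return tag.rsplit("}", 1)[-1]


@dataclass
class UnusedRulesResult:
    rules: List[dict] = field(default_factory=list)
    fault_code: Optional[str] = None
    fault_description: Optional[str] = None

    @property
    def ok(self):
        return self.fault_code is None


def parse_unused_rules_response(xml_text):
    """Turn a GetUnusedRulesResponse or a SOAP Fault into an UnusedRulesResult.

    A Fault is reported, not raised, so a caller looping over many entities can
    record the 505 and move on instead of aborting the whole sweep.
    """
    root = ET.fromstring(xml_text)
    if local_name(root.tag) == "Fault":
        code = description = None
        for el in root.iter():
            name = local_name(el.tag)
            if name == "code":
                code = (el.text or "").strip()
            elif name == "description":
                description = (el.text or "").strip()
        return UnusedRulesResult(fault_code=code or "unknown", fault_description=description)
    rules = [{local_name(c.tag): (c.text or "").strip() for c in node}
             for node in root.iter() if local_name(node.tag) == "Rule"]
    return UnusedRulesResult(rules=rules)


def parse_timestamp(text):
    """Analyzed_On uses the 'YYYY-MM-DD HH:MM:SS' form shown on this page."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def report_age_days(rule, now):
    """Whole days between the report's Analyzed_On and now (a datetime or timestamp string)."""
    if isinstance(now, str):
        now = parse_timestamp(now)
    return (now - parse_timestamp(rule["Analyzed_On"])).days


def cleanup_candidates(result, now, max_age_days=30):
    """RuleIDs of enabled unused rules from a report no older than max_age_days.

    An unused-rule finding is a property of the last report, not of the device
    right now; traffic may have matched the rule since, so stale reports are skipped.
    """
    if not result.ok:
        return []
    return [r["RuleID"] for r in result.rules
            if r.get("Enable", "").lower() == "enabled"
            and report_age_days(r, now) <= max_age_days]
```

The empty `<Rules/>` case and the Fault case look alike to a naive client (neither yields rules), which is why the result carries the fault code: a 505 means the session could not see the entity, not that the entity is clean.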