Tag Reference
Note: In order for the file to function as intended, any special characters used in a string must be escaped with a \.
For comprehensive examples, see Sample generic device JSON file.
config_type
One of the following values:
- POLICY_BASED: One set of rules per device across all of its interfaces. For example, Check Point devices.
- INTERFACE_BASED: One set of rules per interface. For example, Cisco devices.
- CLOUD_BASED: Device policy refers to the cloud host itself (source or destination is "Me"). For example, Amazon AWS devices.
- ZONE_BASED: Each policy rule is defined using a source zone and destination zone. For example, Fortinet devices managed by FortiManager.
device
Parameter | Description
---|---
name | Device name.
major_version | Device major version (the first number, before the first dot).
version | Device version.
minor_version | Device minor version (the last number of the whole version).
policy | Policy name (optional).
is_layer2 | 1 or 0. Indicates whether the device is a layer 2 device.
hosts
Parameter | Description
---|---
name | Host name.
comment | Host comment, if there is one (optional).
ips | List of host IPs.
type | PREDEFINED/ANY/IP_ADDRESS/IP_RANGE/DOMAIN/SUBNET/IPS_LIST
is_negate | true/false (optional)
hosts_groups
Parameter | Description
---|---
name | Host group name.
members | List of group members (from the hosts hash or from the hosts_groups hash).
type | GROUP
is_negate | true/false (optional)
interfaces
Parameter | Description
---|---
name | The interface logical name.
enable | enabled/disabled. (optional)
ips | List of the interface's IPs, in the format 'IP address/CIDR'.
vips | List of IPs that represent virtual IPs of the interface. (optional)
Hwdevice | The interface physical name.
zone | Interface's zone. (optional)
description | Description. (optional)
rules_groups | List of rules groups that apply to this interface. Note: the name of the rules group must be the same as the rule group id value in the rule_group tag. Note: this parameter is only relevant for INTERFACE_BASED configuration.
services
Parameter | Description
---|---
name | Service name.
service_definitions | List of service definitions, each with a Type of: ANY/TCP/UDP/ICMP/TCP_UDP
services_groups
Parameter | Description
---|---
name | Service group name.
members | List of group members (from the services hash or from the services_groups hash).
type | GROUP
policies
Parameter | Description
---|---
rule_name | Rule's name, as it appears in the configuration.
rule_display_name | Display name.
rule_id | Rule's ID: a unique identifier of the rule; can be the rule name if it is unique.
line_number | Line number of the rule in the configuration file.
rule_num | Rule number (preserves the order of the rules).
src_zone | List of source zones. (optional)
direction | Inbound/outbound. (optional)
comments | Rule's comment. (optional)
rule_grp | Group to which the rule belongs. (optional)
log | 0/1
enable | Enabled/disabled.
src | List of rule's sources.
service | List of rule's services.
schedule | Schedule name from the schedules list. (optional)
action | ALLOW/DENY
dst_zone | List of destination zones. (optional)
dst | List of rule's destinations.
src_nat | List of source NAT hosts/addresses. (optional)
src_nat_type | Source NAT type, one of: static/dynamic. (optional)
dst_nat | List of destination NAT hosts/addresses. (optional)
dst_nat_type | Destination NAT type, one of: static/dynamic. (optional)
bi-directional | 0/1 (optional). Relevant for static NAT, for example MIP in NetScreen.
src_negate | 0/1 (optional)
dst_negate | 0/1 (optional)
policy | Policy name. (optional)
rules_groups
(optional)
Parameter | Description
---|---
name | Rules group name.
enable | Enabled/Disabled.
comments | Rules group comment, if there is one (optional).
type | Rules group type (optional)
nat_rules
Parameter | Description
---|---
rule_name | Rule's name, as it appears in the configuration (without canonization).
rule_id | Rule's ID: a unique identifier of the rule; can be the rule name if it is unique.
line_number | Line number of the rule in the configuration file.
src_zone | List of source zones. (optional)
rule_display_name | Display name.
direction | Inbound/outbound. (optional)
comments | Rule's comment. (optional)
rule_num | Rule number (preserves the order of the rules).
log | 0/1
enable | Enabled/disabled.
src | List of rule's sources.
dst | List of rule's destinations.
src_nat | List of source NAT hosts/addresses.
src_nat_type | Source NAT type, one of: static/dynamic.
dst_nat | List of destination NAT hosts/addresses.
dst_nat_type | Destination NAT type, one of: static/dynamic.
bi-directional | 0/1 (optional). Relevant for static NAT (e.g. MIP in NetScreen).
src_negate | 0/1 (optional)
dst_negate | 0/1 (optional)
service | List of rule's services.
schedule | Schedule name (from the schedules list). (optional)
action | ALLOW/DENY
dst_zone | List of destination zones. (optional)
zones
(optional)
Parameter | Description
---|---
name | Zone name.
interfaces | List of zone interfaces.
description | Zone's description.
routes
Parameter | Description
---|---
id | Route's ID.
interface_name | Logical name. (optional)
route_mask | CIDR of the route.
gateway | Gateway (IP address).
interface | Physical name (the Hwdevice value specified in the interfaces section).
route | IP address of the route.
origin | Source interface (for example, eth_2). (optional) When a route has an origin/source interface set, the route is valid only for traffic coming from that source interface.
schedules
(optional)
Parameter | Description
---|---
name | Schedule name.
start_date | Start date, in the format 'ddMMMyyyy, HHmm'.
end_date | End date, in the format 'ddMMMyyyy, HHmm'.
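Because several sections refer to each other by name (policy src/dst to hosts or hosts_groups, interface rules_groups to a rules group, routes to an interface's Hwdevice, rule schedules to the schedules list), a file that parses as valid JSON can still be rejected or produce wrong results when a reference does not resolve. The checker below is an added example, not part of this reference or of the product; it walks a constructed sample document and reports every dangling reference and out-of-range enumeration value. The top-level layout it assumes (one key per section, each section a list of objects, device a single object), the section key names used for the file, and the port key inside service_definitions are assumptions, not taken from the reference. The sample also carries an escaped quote in a comment string, which json.loads decodes as the note at the top of the page requires.

```python
"""Cross-reference checker for a generic device JSON document (added example).

Assumptions, not taken from the reference: the top-level layout (one key per
section, each section a list of objects, 'device' one object) and the 'port'
key inside service_definitions.
"""
import json

CONFIG_TYPES = {"POLICY_BASED", "INTERFACE_BASED", "CLOUD_BASED", "ZONE_BASED"}
HOST_TYPES = {"PREDEFINED", "ANY", "IP_ADDRESS", "IP_RANGE", "DOMAIN", "SUBNET", "IPS_LIST"}
SERVICE_TYPES = {"ANY", "TCP", "UDP", "ICMP", "TCP_UDP"}
ACTIONS = {"ALLOW", "DENY"}
NAT_TYPES = {"static", "dynamic"}

# Constructed sample document; two references are deliberately broken
# (rules group 'missing_grp', host 'no_such_host', schedule 'nights', interface 'eth9')
# and one action value is outside ALLOW/DENY, so the checker has something to report.
SAMPLE = r'''{
  "config_type": "INTERFACE_BASED",
  "device": {"name": "edge-fw-1", "version": "9.1", "major_version": "9", "minor_version": "1", "is_layer2": 0},
  "hosts": [
    {"name": "dmz_web", "ips": ["10.1.1.10"], "type": "IP_ADDRESS"},
    {"name": "corp_net", "ips": ["10.0.0.0/8"], "type": "SUBNET"}
  ],
  "hosts_groups": [{"name": "web_servers", "members": ["dmz_web"], "type": "GROUP"}],
  "services": [{"name": "https", "service_definitions": [{"type": "TCP", "port": "443"}]}],
  "services_groups": [{"name": "web_svcs", "members": ["https"], "type": "GROUP"}],
  "interfaces": [
    {"name": "outside", "Hwdevice": "eth0", "ips": ["203.0.113.1/24"], "rules_groups": ["outside_in"]},
    {"name": "inside", "Hwdevice": "eth1", "ips": ["10.0.0.1/8"], "rules_groups": ["missing_grp"]}
  ],
  "rules_groups": [{"name": "outside_in", "enable": "Enabled"}],
  "policies": [
    {"rule_name": "allow_web", "rule_id": "1", "rule_num": 1, "line_number": 10, "enable": "Enabled", "log": 1,
     "comments": "allow \"web\" traffic", "src": ["corp_net"], "dst": ["web_servers"],
     "service": ["web_svcs"], "action": "ALLOW", "rule_grp": "outside_in"},
    {"rule_name": "bad_rule", "rule_id": "2", "rule_num": 2, "line_number": 20, "enable": "Enabled", "log": 0,
     "src": ["corp_net"], "dst": ["no_such_host"], "service": ["https"], "action": "PERMIT", "schedule": "nights"}
  ],
  "nat_rules": [],
  "routes": [
    {"id": "r1", "route": "0.0.0.0", "route_mask": "0", "gateway": "203.0.113.254", "interface": "eth0"},
    {"id": "r2", "route": "10.0.0.0", "route_mask": "8", "gateway": "10.0.0.254", "interface": "eth9"}
  ],
  "schedules": []
}'''


def _names(items):
    """Set of 'name' values found in a section list."""
    return {item.get("name") for item in items}


def check_document(doc):
    """Return a list of findings; an empty list means every reference resolves."""
    findings = []
    cfg = doc.get("config_type")
    if cfg not in CONFIG_TYPES:
        findings.append(f"config_type '{cfg}' is not one of {sorted(CONFIG_TYPES)}")
    hosts, host_groups = doc.get("hosts", []), doc.get("hosts_groups", [])
    services, service_groups = doc.get("services", []), doc.get("services_groups", [])
    interfaces = doc.get("interfaces", [])
    host_names = _names(hosts) | _names(host_groups)          # src/dst/NAT may cite either
    service_names = _names(services) | _names(service_groups)
    rules_group_names = _names(doc.get("rules_groups", []))
    schedule_names = _names(doc.get("schedules", []))
    hw_names = {i.get("Hwdevice") for i in interfaces}        # routes cite the physical name

    for h in hosts:
        if h.get("type") not in HOST_TYPES:
            findings.append(f"host '{h.get('name')}': invalid type '{h.get('type')}'")
    for s in services:
        for d in s.get("service_definitions", []):
            if d.get("type") not in SERVICE_TYPES:
                findings.append(f"service '{s.get('name')}': invalid definition type '{d.get('type')}'")
    # group members must come from the matching object list or group list
    for label, groups, pool in (("hosts_group", host_groups, host_names),
                                ("services_group", service_groups, service_names)):
        for g in groups:
            for m in g.get("members", []):
                if m not in pool:
                    findings.append(f"{label} '{g.get('name')}': unknown member '{m}'")
    # the interface -> rules_groups binding only applies to INTERFACE_BASED files
    if cfg == "INTERFACE_BASED":
        for i in interfaces:
            for rg in i.get("rules_groups", []):
                if rg not in rules_group_names:
                    findings.append(f"interface '{i.get('name')}': rules group '{rg}' is not defined")
    for section in ("policies", "nat_rules"):
        seen_ids = set()
        for r in doc.get(section, []):
            label = f"{section} rule '{r.get('rule_name')}'"
            rid = r.get("rule_id")
            if rid in seen_ids:
                findings.append(f"{label}: duplicate rule_id '{rid}'")
            seen_ids.add(rid)
            if r.get("action") not in ACTIONS:
                findings.append(f"{label}: action '{r.get('action')}' is not ALLOW/DENY")
            for field in ("src", "dst", "src_nat", "dst_nat"):
                for ref in r.get(field, []):
                    if ref not in host_names:
                        findings.append(f"{label}: {field} '{ref}' is not a host or hosts_group")
            for ref in r.get("service", []):
                if ref not in service_names:
                    findings.append(f"{label}: service '{ref}' is not a service or services_group")
            for field in ("src_nat_type", "dst_nat_type"):
                if field in r and r[field] not in NAT_TYPES:
                    findings.append(f"{label}: {field} '{r[field]}' is not static/dynamic")
            if "schedule" in r and r["schedule"] not in schedule_names:
                findings.append(f"{label}: schedule '{r['schedule']}' is not in schedules")
            if "rule_grp" in r and r["rule_grp"] not in rules_group_names:
                findings.append(f"{label}: rule_grp '{r['rule_grp']}' is not in rules_groups")
    for rt in doc.get("routes", []):
        if rt.get("interface") not in hw_names:
            findings.append(f"route '{rt.get('id')}': interface '{rt.get('interface')}' matches no Hwdevice")
    return findings


def load_and_check(text):
    """Parse the JSON text (decoding backslash escapes) and run the checks."""
    return check_document(json.loads(text))


if __name__ == "__main__":
    for line in load_and_check(SAMPLE):
        print(line)
```

Run against the sample, the checker reports five findings: the undefined rules group on interface inside, the unknown destination, the invalid action and the missing schedule on bad_rule, and route r2 pointing at an interface whose Hwdevice does not exist. Running it over a real file before import is cheaper than discovering a silently unresolved object in the resulting policy model.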