Traffic Simulation Query

Performs a batch Traffic Simulation Query on a single device or group of devices.

Required permissions

To perform this request, you must have access to all the firewalls that are relevant for your query results path. Queries will fail if the query goes through a non-permitted device.

Users with permissions to view an entire group can run queries on the group. If you do not have permission to view a group of devices, or the ALL_FIREWALLS group, we recommend that you perform single-device queries on the devices you have permissions to view.

Resource Name: /api/v1/query/

Request Method: POST

Request URL Parameters:

| Element | Type | Description |
|---|---|---|
| includeRulesZones (Optional) | Boolean | true: Includes the source/destination zones of rules on zone-based devices in the response (sourceZone, destinationZone). false (default): Does not include the source/destination zones of rules on zone-based devices in the response. |
| includeDevicesPaths (Optional) | Boolean | true: Includes the devices paths section in the response (devicesInPath). false (default): Excludes the devices paths section from the response. |
| QueryInput (Mandatory) | List of QueryRequestData objects | Lists one or more queries to perform. See QueryRequestData Type table below. |
| QueryTarget (Mandatory) | String | Name of a device or group the query will run on. If empty, the query runs on the entire network and all permitted devices for the user. |

QueryRequestData Type:

| Element | Type | Description |
|---|---|---|
| Source (Mandatory) | List of strings | Source(s) for the query. Multiple values are separated by commas (,). |
| Destination (Mandatory) | List of strings | Destination(s) for the query. Multiple values are separated by commas (,). |
| Service (Mandatory) | List of strings | Service(s) for the query. Multiple values are separated by commas (,). |
| businessApplicationsData (Optional) | List of BusinessApplicationData objects | See BusinessApplicationData Type table below. |
| User (Optional) | List of strings | User(s) who created the rule. Multiple values are separated by commas (,). If empty, the query runs on user: 'any'. |
| Application (Optional) | List of strings | Application(s) for the rule. Multiple values are separated by commas (,). If empty, the query runs on application: 'any'. |

BusinessApplicationData Type:

| Element | Type | Description |
|---|---|---|
| businessApplicationFlowId (Mandatory) | Integer | AppViz application flow ID. If used, value of NULL or 0 not allowed. |
| businessApplicationId (Mandatory) | Integer | AppViz application ID. If used, value of NULL or 0 not allowed. |
| businessApplicationName (Mandatory) | String | AppViz application name. If used, value of NULL or 0 not allowed. |

Response parameters:

A queryResponse JSON that includes a list of QueryData objects:

| Element | Type | Description |
|---|---|---|
| QueryDescription | String | Description of query. |
| QueryHTMLPath | String | URL to the results in the UI. |
| FIPResult | String | One of the following: Unreachable, SameZone, Routed, PartiallyRouted, NotExecuted, Unknown |
| QueryResult | String | One of the following: allowed, blocked, partially allowed, not routed |
| QueryItem | QueryValueResults | List of query value results. See QueryValueResults type below. |
| devicesInPath | Array of found paths | Each path is an array of devices. For each device, shows tree and display names: [ { "name" : "<tree name>", "displayName" : "<display name>" } ] |

QueryValueResults:

| Element | Type | Description |
|---|---|---|
| Device | List of DeviceResult objects | List of device results. See DeviceResult type below. |

DeviceResult:

| Element | Type | Description |
|---|---|---|
| IsAllowed | String | Status information and the number of rules that support it. For example: Allowed (x1), Blocked (x4), Partially allowed (x4). |
| DeviceName | String | Display name of the device. |
| Rules | List of QueryRules objects | List of rules. See QueryRules type below. |

QueryRules:

| Element | Type | Description |
|---|---|---|
| Rule | String | Internal AlgoSec Rule ID. To retrieve the rule ID, call one of the rule APIs, such as get_rules_by_device or search_rules. |
| Service | String | List of services. |
| Source | String | List of sources. |
| Source_Nat | String | List of NAT sources. |
| Destination | String | List of destinations. |
| Destination_Nat | String | List of NAT destinations. |
| Install | String | List of installs. |
| Action | String | Action. |
| ACL | String | ACL |

Request example

curl -H "Content-Type: application/json" -X POST \
  -d '{
        "queryInput": [{
          "application": ["any"],
          "destination": ["192.168.0.0-192.168.255.255"],
          "service": ["any"],
          "source": ["10.20.0.0-10.20.255.255"],
          "user": ["any"]
        }],
        "queryTarget": "ALL_FIREWALLS",
        "includeDevicesPaths": "true",
        "includeRulesZones": "true"
      }' \
  -k --cookie "PHPSESSID=srsqrikqeqju3vuv1d7dm819e0" \
  'https://localhost/afa/api/v1/query'

Response example

{
  "queryUIResult" : "https://172.17.0.2/algosec-ui/query-result?queryPath=/work/ALL_FIREWALLS_query-1625403197159/",
  "queryResult" : [ {
    "queryDescription" : "10.20.0.0-10.20.255.255=>192.168.0.0-192.168.255.255:any:any:any",
    "fipResult" : "PartiallyRouted",
    "finalResult" : "Partially allowed",
    "queryHTMLPath" : "https://localhost/algosec-ui/query-result?queryPath=/work/ALL_FIREWALLS_query-1625403197159/",
    "devicesInPath" : [ [ {
      "name" : "10_20_138_1_Ott_Dam_HA_vDOM1_HA",
      "displayName" : "vDOM1_HA"
    }, {
      "name" : "10_20_242_12",
      "displayName" : "10.20.242.12"
    } ], [ {
      "name" : "10_20_26_1_David_Bowie_Starman_all_routes",
      "displayName" : "VR-David_Bowie_Starman_all-routes"
    }, {
      "name" : "10_20_242_12",
      "displayName" : "10.20.242.12"
    } ], [ {
      "name" : "10_20_85_1",
      "displayName" : "10.20.85.1"
    }, {
      "name" : "10_20_242_12",
      "displayName" : "10.20.242.12"
    } ], [ {
      "name" : "10_20_124_1_Jackson_vsys1_default_v",
      "displayName" : "VR-Jackson_vsys1_default-v"
    }, {
      "name" : "10_20_242_12",
      "displayName" : "10.20.242.12"
    } ] ],
    "queryItem" : [ {
      "isAllowed" : "Partially allowed (x1)",
      "deviceName" : "10_20_26_1_David_Bowie_Space_Oddity_Ashes_To_Ashes_VR",
      "displayName" : "VR-David_Bowie_Space_Oddity_Ashes_To-Ashes_VR",
      "rules" : [ {
        "ruleName" : "TestCovered1",
        "sourceZone" : [ "any" ],
        "destinationZone" : [ "any" ],
        "service" : [ "application-default" ],
        "source" : [ "net-10.0.0.0-8" ],
        "destination" : [ "any" ],
        "install" : [ "any" ],
        "action" : "allow",
        "rule_id" : "TestCovered1"
      } ]
    }, {
      "isAllowed" : "Partially allowed (x1)",
      "deviceName" : "10_20_26_1_David_Bowie_Ashes_To_Ashes_Ashes_To_Ashes_VR",
      "displayName" : "VR-David_Bowie_Ashes_To-Ashes_Ashes_To-Ashes_VR",
      "rules" : [ {
        "ruleName" : "TestCovered1",
        "sourceZone" : [ "any" ],
        "destinationZone" : [ "any" ],
        "service" : [ "application-default" ],
        "source" : [ "net-10.0.0.0-8" ],
        "destination" : [ "any" ],
        "install" : [ "any" ],
        "action" : "allow",
        "rule_id" : "TestCovered1"
      } ]
    }, {
      "isAllowed" : "Partially allowed (x5)",
      "deviceName" : "10_20_242_12",
      "displayName" : "10.20.242.12",
      "rules" : [ {
        "ruleName" : "permit tcp dst eq 80 src eq 20",
        "service" : [ "tcp src tcp eq 20 dst tcp eq 80" ],
        "source" : [ "Developers" ],
        "destination" : [ "Developers" ],
        "action" : "permit",
        "rule_id" : "f44bb960_485a_11e8_91a7_0050569b0b85__10__fd3a40f0_485a_11e8_91a7_0050569b0b85"
      }, {
        "ruleName" : "permit ip",
        "service" : [ "ip" ],
        "source" : [ "any" ],
        "destination" : [ "any" ],
        "action" : "permit",
        "rule_id" : "92951ac0_8c01_11e6_996c_525400b48521__10__92c1a900_8c01_11e6_996c_525400b48521"
      } ]
    }, {
      "isAllowed" : "Blocked by default device behavior",
      "deviceName" : "10_20_26_1_David_Bowie_Starman_all_routes",
      "displayName" : "VR-David_Bowie_Starman_all-routes"
    }, {
      "isAllowed" : "Partially allowed (x5)",
      "deviceName" : "10_20_124_1_Britney_vsys1_default",
      "displayName" : "VR-Britney_Spears_vsys1_default",
      "rules" : [ {
        "ruleName" : "guri KFH",
        "sourceZone" : [ "any" ],
        "destinationZone" : [ "any" ],
        "service" : [ "any" ],
        "source" : [ "any" ],
        "destination" : [ "any" ],
        "install" : [ "Britney" ],
        "action" : "allow",
        "rule_id" : "guri_KFH"
      }, {
        "ruleName" : "68-1",
        "sourceZone" : [ "external1" ],
        "destinationZone" : [ "internal" ],
        "service" : [ "application-default" ],
        "source" : [ "Eyal_address-10.20.5.7-9.5.17" ],
        "destination" : [ "ip-192.168.99.252" ],
        "install" : [ "any" ],
        "action" : "allow",
        "rule_id" : "68-1"
      } ]
    } ]
  } ]
}
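
Reviewing a query response for audit purposes, as an added example that is not part of the AlgoSec documentation: the Python below walks a response of the shape shown in the response example, splits each isAllowed string into status and rule count (a device blocked by default behavior has no count and no rules), and lists permit rules whose source, destination and service are all wildcards. The sample data, the device names fw-a and fw-b, and the treatment of service "ip" as a wildcard are assumptions; key names follow the response example (finalResult, displayName), not the capitalized names in the tables.

```python
import json
import re

# Constructed sample, trimmed to the shape of this page's response example.
SAMPLE = json.loads("""
{"queryResult": [{
  "fipResult": "PartiallyRouted", "finalResult": "Partially allowed",
  "queryItem": [
    {"isAllowed": "Partially allowed (x2)", "displayName": "fw-a", "rules": [
      {"ruleName": "permit ip", "service": ["ip"], "source": ["any"],
       "destination": ["any"], "action": "permit", "rule_id": "r1"},
      {"ruleName": "web", "service": ["tcp/443"], "source": ["Developers"],
       "destination": ["any"], "action": "allow", "rule_id": "r2"}]},
    {"isAllowed": "Blocked by default device behavior", "displayName": "fw-b"}
  ]}]}
""")

STATUS_RE = re.compile(r"^(?P<status>.+?)(?:\s+\(x(?P<count>\d+)\))?$")
WILDCARD_SERVICES = {"any", "ip"}     # assumption: "ip" means every IP protocol
PERMIT_ACTIONS = {"allow", "permit"}  # both spellings occur in the response example

def parse_status(is_allowed):
    """'Partially allowed (x5)' -> ('Partially allowed', 5); count is 0 if absent."""
    m = STATUS_RE.match(is_allowed.strip() or "Unknown")
    return m.group("status"), int(m.group("count") or 0)

def is_any_any(rule):
    """True for a permit rule whose source, destination and service are all wildcards."""
    def only(field, wild):
        values = {v.lower() for v in rule.get(field, [])}
        return bool(values) and values <= wild
    return (rule.get("action", "").lower() in PERMIT_ACTIONS
            and only("source", {"any"}) and only("destination", {"any"})
            and only("service", WILDCARD_SERVICES))

def review(response):
    """Per query: overall verdicts, per-device status, any-any permit rules to audit."""
    out = []
    for q in response.get("queryResult", []):
        devices, broad = [], []
        for item in q.get("queryItem", []):
            status, count = parse_status(item.get("isAllowed", "Unknown"))
            name = item.get("displayName") or item.get("deviceName", "?")
            devices.append((name, status, count))
            broad += [(name, r.get("rule_id")) for r in item.get("rules", []) if is_any_any(r)]
        out.append({"final": q.get("finalResult"), "fip": q.get("fipResult"),
                    "devices": devices, "broad_rules": broad})
    return out
```

Calling review() on the parsed body of a real response returns one entry per query; the broad_rules list is the set of rule IDs to check first when a path is unexpectedly allowed.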