Tag Reference

Note: In order for the file to function as intended, any special characters used in a string must be escaped with a \.

For comprehensive examples, see Sample generic device JSON file.

config_type

One of the following values:

  • POLICY_BASED: One set of rules per device across all of its interfaces. For example, Check Point devices.
  • INTERFACE_BASED: One set of rules per interface. For example, Cisco devices.
  • CLOUD_BASED: Device policy refers to the cloud host itself (source or destination is "Me"). For example, Amazon AWS devices.
  • ZONE_BASED: Each policy rule is defined using a source zone and destination zone. For example, Fortinet devices managed by FortiManager.

device

Parameter

Description
name

Device name.
major_version

Device major version (first number before first dot).
version

Device version.
minor_version

Device minor version (last number of whole version).
policy

Policy name (optional).
is_layer2

1 or 0. Indicates whether the device is a layer 2 device.

hosts

Parameter

Description
name Host name.
comment Host comment, if there is one (optional).
ips List of host IPs.
type

PREDEFINED/ANY/IP_ADDRESS/IP_RANGE/DOMAIN/SUBNET/IPS_LIST
is_negate

true/false (optional)

hosts_groups

Parameter Description
name Host group name.
members List of group members (from hosts hash or from hosts_groups hash).
type GROUP
is_negate

true/false (optional)

interfaces

Parameter Description
name The interface logical name.
enable enabled/disabled. (optional)
ips List of interface's IPs in format of: 'IP address/CIDR'.
vips List of ips that represents virtual IPs of the interface (optional)
Hwdevice The interface physical name.
zone Interface's zone. (optional)
description Description. (optional)
rules_groups List of rules groups that apply to this interface.

Note: The name of the rule group should be the same as the rule group id value in rule_group tag.

Note: This parameter is only relevant for INTERFACE_BASED configuration.

services

Parameter Description
name Sevice name.
service_definitions List of service definitions in the following format:
    protocol: The protocol name: tcp/udp/icmp/any/protocol number.
  • src_port: The source port number/source port range (if there is no source port, or range is any, it will be *)/ICMP type. (optional)
    dst_port: The destination port number/destination port range. If range is any, it will be *.
Type

ANY/TCP/UDP/ICMP/TCP_UDP

services_groups

Parameter

Description
name Service group name.
members List of group members (from services hash or from services_groups hash).
type GROUP

policies

Parameter

Description
rule_name Rule's name as appears in the configuration.
rule_display_name Display name.
rule_id Rule's ID - unique identifier of the rule, can be the rule name if it is unique.
line_number Line number of the rule in configuration file.
rule_num Rules number (to save order of rules).
src_zone List of source zones.(optional)
direction

Inbound/outbound. (optional)
comments Rule's comment. (optional)
rule_grp Group to which the rule belongs. (optional)
log 0/1
enable

Enabled/disabled.
src List of rule's sources.
service List of rule's services.
schedule Schedule name from schedules list. (optional)
action ALLOW/DENY
dst_zone

List of destination zones.(optional)

dst List of rule's destinations.
src_nat List of source NAT hosts/addresses. (optional)
src_nat_type Source NAT type - one of the values: static/dynamic. (optional)
dst_nat List of destination NAT hosts/addresses. (optional)
dst_nat_type Destination NAT type - one of the values: static/dynamic. (optional)
bi-directional 0/1 (optional). Relevant for static NAT for example, MIP in NetScreen.
src_negate 0/1 (optional)
dst_negate 0/1 (optional)
policy Policy name. (optional)

rules_groups

(optional)

Parameter

Description
name Rules group name.
enable Enabled/Disabled.
comments Rules group comment, if there is one (optional).
type Rules group type (optional)

nat_rules

Parameter

Description
rule_name Rule's name as appears in the configuration (without canonization).
rule_id Rule's ID - unique identifier of the rule, can be the rule name if it is unique.
line_number Line number of the rule in the configuration file.
src_zone

List of source zones.(optional)

rule_display_name Display name.
direction

Inbound/outbound.(optional)

comments

Rule's comment.(optional)

rule_num Rules number (to save order of rules).
log 0/1
enable Enabled/disabled.
src List of rule's sources.
dst List of rule's destinations.
src_nat List of source NAT hosts/addresses.
src_nat_type

Source NAT type - one of the values: static/dynamic.
dst_nat List of destination NAT hosts/addresses.
dst_nat_type

Destination NAT type - one of the values: static/dynamic.

bi-directional 0/1. (optional) Relevant for static NAT (e.g. MIP in NetScreen)
src_negate 0/1 (optional)
dst_negate 0/1 (optional)
service List of rule's services.
schedule Schedule name (from schedules list). (optional)
action ALLOW/DENY
dst_zone

List of destination zones.(optional)

zones

(optional)

Parameter

Description
name Zone name.
interfaces List of zone interfaces.
description Zone's description.

routes

Parameter

Description
id Route's ID.
interface_name Logical name. (optional)
route_mask CIDR of the route.
gateway Gateway (IP address).
interface Physical name. (The Hwdevice value specified in the "Interfaces" section.)
route IP address of the route.
origin Source interface (for example, eth_2). (optional)
When there is a route with origin / source interface set, the route will be valid only for traffic coming from the specified source interface.

schedules

(optional)

Parameter

Description
name Schedule name.
start_date Start date in format of: ‘ddMMMyyyy, HHmm’.
end_date End date in format of: ‘ddMMMyyyy, HHmm’.