rule-set rule

Security policy rule.

rule Specification

Type: Collection
Object Key(s): name
Collection Name: rule-list
Collection URI: /axapi/v3/rule-set/{name}/rule/
Element Name: rule
Element URI: /axapi/v3/rule-set/{name}/rule/{name}
Element Attributes: rule_attributes
Statistics Data URI: /axapi/v3/rule-set/{name}/rule/{name}/stats
Operational Data URI: /axapi/v3/rule-set/{name}/rule/{name}/oper
Schema: rule schema

Operations Allowed:

| Operation | Method | URI | Payload |
|---|---|---|---|
| Create Object | POST | /axapi/v3/rule-set/{name}/rule/ | rule Attributes |
| Create List | POST | /axapi/v3/rule-set/{name}/rule/ | rule Attributes |
| Get Object | GET | /axapi/v3/rule-set/{name}/rule/{name} | rule Attributes |
| Get List | GET | /axapi/v3/rule-set/{name}/rule/ | rule-list |
| Modify Object | POST | /axapi/v3/rule-set/{name}/rule/{name} | rule Attributes |
| Replace Object | PUT | /axapi/v3/rule-set/{name}/rule/{name} | rule Attributes |
| Replace List | PUT | /axapi/v3/rule-set/{name}/rule/ | rule-list |
| Delete Object | DELETE | /axapi/v3/rule-set/{name}/rule/{name} | rule Attributes |
| Get Stats | GET | /axapi/v3/rule-set/{name}/rule/{name}/stats | stats data |
| Get Oper | GET | /axapi/v3/rule-set/{name}/rule/{name}/oper | operational data |

rule-list

rule-list is a JSON list of rule Attributes

rule-list : [

rule Attributes

action

Description: ‘permit’: permit; ‘deny’: deny; ‘reset’: reset;

Type: string

Supported Values: permit, deny, reset

alg

Description: ‘FTP’: Specify FTP ALG port range; ‘TFTP’: Specify TFTP ALG port range; ‘SIP’: Specify SIP ALG port range; ‘DNS’: Specify DNS ALG port range;

Type: string

Supported Values: FTP, TFTP, SIP, DNS

dst-addr-any

Description: ‘any’: Set ‘any’ to destination IP address;

Type: string

Supported Values: any

Default: any

Mutual Exclusion: dst-addr-any, dst-ip-subnet and dst-ipv6-subnet are mutually exclusive

dst-ip-subnet

Description: IPv4 Network Address

Type: string

Format: ipv4-cidr

Mutual Exclusion: dst-ip-subnet, dst-ipv6-keyword, dst-addr-any and dst-ipv6-subnet are mutually exclusive

dst-ipv4-keyword

Description: ‘ipv4-address’: ipv4-address;

Type: string

Supported Values: ipv4-address

Default: ipv4-address

Mutual Exclusion: dst-ipv4-keyword, dst-ipv6-keyword, dst-ipv6-subnet, dst-obj-network, dst-obj-grp-network, dst-slb-server and dst-slb-vserver are mutually exclusive

dst-ipv6-keyword

Description: ‘ipv6-address’: ipv6-address;

Type: string

Supported Values: ipv6-address

Default: ipv6-address

Mutual Exclusion: dst-ipv6-keyword, dst-ipv4-keyword, dst-ip-subnet, dst-obj-network, dst-obj-grp-network, dst-slb-server and dst-slb-vserver are mutually exclusive

dst-ipv6-subnet

Description: IPv6 Network Address

Type: string

Format: ipv6-address-plen

Mutual Exclusion: dst-ipv6-subnet, dst-ipv4-keyword, dst-addr-any and dst-ip-subnet are mutually exclusive

dst-obj-grp-network

Description: network object group

Type: string

Mutual Exclusion: dst-obj-grp-network, dst-ipv4-keyword, dst-ipv6-keyword, dst-obj-network, dst-slb-server and dst-slb-vserver are mutually exclusive

Reference Object: /axapi/v3/object-group/network

dst-obj-network

Description: network object

Type: string

Mutual Exclusion: dst-obj-network, dst-ipv4-keyword, dst-ipv6-keyword, dst-obj-grp-network, dst-slb-server and dst-slb-vserver are mutually exclusive

Reference Object: /axapi/v3/object/network

dst-slb-server

Description: real server name

Type: string

Mutual Exclusion: dst-slb-server, dst-ipv4-keyword, dst-ipv6-keyword, dst-obj-network, dst-obj-grp-network and dst-slb-vserver are mutually exclusive

Reference Object: /axapi/v3/slb/server

dst-slb-vserver

Description: virtual server name

Type: string

Mutual Exclusion: dst-slb-vserver, dst-ipv4-keyword, dst-ipv6-keyword, dst-obj-network, dst-obj-grp-network and dst-slb-server are mutually exclusive

Reference Object: /axapi/v3/slb/virtual-server

dst-zone

Description: Bind zone for destination matching

Type: string

Mutual Exclusion: dst-zone and dst-zone-any are mutually exclusive

Reference Object: /axapi/v3/zone

dst-zone-any

Description: ‘any’: any;

Type: string

Supported Values: any

Default: any

Mutual Exclusion: dst-zone-any and dst-zone are mutually exclusive

eq-dst-port

Description: Match only packets on a given destination port (port number)

Type: number

Range: 1-65535

Mutual Exclusion: eq-dst-port, gt-dst-port, lt-dst-port and range-dst-port are mutually exclusive

eq-src-port

Description: Match only packets on a given source port (port number)

Type: number

Range: 1-65535

Mutual Exclusion: eq-src-port, gt-src-port, lt-src-port and range-src-port are mutually exclusive

gt-dst-port

Description: Match only packets with a greater port number

Type: number

Range: 1-65534

Mutual Exclusion: gt-dst-port, eq-dst-port, lt-dst-port and range-dst-port are mutually exclusive

gt-src-port

Description: Match only packets with a greater port number

Type: number

Range: 1-65534

Mutual Exclusion: gt-src-port, eq-src-port, lt-src-port and range-src-port are mutually exclusive

icmp

Description: Internet Control Message Protocol

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

Mutual Exclusion: icmp, service-any, protocols, proto-id, obj-grp-service and icmpv6 are mutually exclusive

icmp-code

Description: ICMP code number

Type: number

Range: 0-254

Mutual Exclusion: icmp-code and special-code are mutually exclusive

icmp-type

Description: ICMP type number

Type: number

Range: 0-254

Mutual Exclusion: icmp-type and special-type are mutually exclusive

icmpv6

Description: Internet Control Message Protocol version 6

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

Mutual Exclusion: icmpv6, service-any, protocols, proto-id, obj-grp-service and icmp are mutually exclusive

icmpv6-code

Description: ICMPv6 code number

Type: number

Range: 0-254

Mutual Exclusion: icmpv6-code and special-v6-code are mutually exclusive

icmpv6-type

Description: ICMPv6 type number

Type: number

Range: 0-254

Mutual Exclusion: icmpv6-type and special-v6-type are mutually exclusive

ip-version

Description: ‘v4’: IPv4 rule; ‘v6’: IPv6 rule;

Type: string

Supported Values: v4, v6

Default: v4

log

Description: Enable logging

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

lt-dst-port

Description: Match only packets with a lesser port number

Type: number

Range: 2-65535

Mutual Exclusion: lt-dst-port, eq-dst-port, gt-dst-port and range-dst-port are mutually exclusive

lt-src-port

Description: Match only packets with a lower port number

Type: number

Range: 2-65535

Mutual Exclusion: lt-src-port, eq-src-port, gt-src-port and range-src-port are mutually exclusive

move-rule

Description: move-rule is a JSON block. Please see below for move-rule.

Type: Object

Reference Object: /axapi/v3/rule-set/{name}/rule/{name}/move-rule

name

Description: name of the policy rule

Type: string

Required: Yes

obj-grp-service

Description: service object group

Type: string

Mutual Exclusion: obj-grp-service, service-any, protocols, proto-id, icmp and icmpv6 are mutually exclusive

Reference Object: /axapi/v3/object-group/service

port-num-end-dst

Description: Ending Destination Port Number

Type: number

Range: 1-65535

port-num-end-src

Description: Ending Port Number

Type: number

Range: 1-65535

proto-id

Description: Protocol ID

Type: number

Range: 0-255

Mutual Exclusion: proto-id, service-any, protocols, obj-grp-service, icmp and icmpv6 are mutually exclusive

protocols

Description: ‘tcp’: tcp; ‘udp’: udp;

Type: string

Supported Values: tcp, udp

Mutual Exclusion: protocols, service-any, proto-id, obj-grp-service, icmp and icmpv6 are mutually exclusive

range-dst-port

Description: Match only packets in the range of port numbers (Starting Destination Port Number)

Type: number

Range: 1-65535

Mutual Exclusion: range-dst-port, eq-dst-port, gt-dst-port and lt-dst-port are mutually exclusive

range-src-port

Description: Match only packets in the range of port numbers (Starting Port Number)

Type: number

Range: 1-65535

Mutual Exclusion: range-src-port, eq-src-port, gt-src-port and lt-src-port are mutually exclusive

sampling-enable

Description: sampling-enable is a JSON list. Please see below for sampling-enable.

Type: List

service-any

Description: ‘any’: any;

Type: string

Supported Values: any

Default: any

Mutual Exclusion: service-any, protocols, proto-id, obj-grp-service, icmp and icmpv6 are mutually exclusive

special-code

Description: ‘any-code’: Any ICMP code; ‘frag-required’: Code 4, fragmentation required; ‘host-unreachable’: Code 1, destination host unreachable; ‘network-unreachable’: Code 0, destination network unreachable; ‘port-unreachable’: Code 3, destination port unreachable; ‘proto-unreachable’: Code 2, destination protocol unreachable; ‘route-failed’: Code 5, source route failed;

Type: string

Supported Values: any-code, frag-required, host-unreachable, network-unreachable, port-unreachable, proto-unreachable, route-failed

Mutual Exclusion: special-code and icmp-code are mutually exclusive

special-type

Description: ‘any-type’: Any ICMP type; ‘echo-reply’: Type 0, echo reply; ‘echo-request’: Type 8, echo request; ‘info-reply’: Type 16, information reply; ‘info-request’: Type 15, information request; ‘mask-reply’: Type 18, address mask reply; ‘mask-request’: Type 17, address mask request; ‘parameter-problem’: Type 12, parameter problem; ‘redirect’: Type 5, redirect message; ‘source-quench’: Type 4, source quench; ‘time-exceeded’: Type 11, time exceeded; ‘timestamp’: Type 13, timestamp; ‘timestamp-reply’: Type 14, timestamp reply; ‘dest-unreachable’: Type 3, destination unreachable;

Type: string

Supported Values: any-type, echo-reply, echo-request, info-reply, info-request, mask-reply, mask-request, parameter-problem, redirect, source-quench, time-exceeded, timestamp, timestamp-reply, dest-unreachable

Mutual Exclusion: special-type and icmp-type are mutually exclusive

special-v6-code

Description: ‘any-code’: Any ICMPv6 code; ‘addr-unreachable’: Code 3, address unreachable; ‘admin-prohibited’: Code 1, admin prohibited; ‘no-route’: Code 0, no route to destination; ‘not-neighbour’: Code 2, not neighbor; ‘port-unreachable’: Code 4, destination port unreachable;

Type: string

Supported Values: any-code, addr-unreachable, admin-prohibited, no-route, not-neighbour, port-unreachable

Mutual Exclusion: special-v6-code and icmpv6-code are mutually exclusive

special-v6-type

Description: ‘any-type’: ICMPv6 type number; ‘dest-unreachable’: Type 1, destination unreachable; ‘echo-reply’: Type 129, echo reply; ‘echo-request’: Type 128, echo request; ‘packet-too-big’: Type 2, packet too big; ‘param-prob’: Type 4, parameter problem; ‘time-exceeded’: Type 3, time exceeded;

Type: string

Supported Values: any-type, dest-unreachable, echo-reply, echo-request, packet-too-big, param-prob, time-exceeded

Mutual Exclusion: special-v6-type and icmpv6-type are mutually exclusive

src-addr-any

Description: ‘any’: Set ‘any’ to source IP address;

Type: string

Supported Values: any

Default: any

Mutual Exclusion: src-addr-any, src-ip-subnet and src-ipv6-subnet are mutually exclusive

src-ip-subnet

Description: IPv4 Network Address

Type: string

Format: ipv4-cidr

Mutual Exclusion: src-ip-subnet, src-ipv6-keyword, src-addr-any and src-ipv6-subnet are mutually exclusive

src-ipv4-keyword

Description: ‘ipv4-address’: ipv4-address;

Type: string

Supported Values: ipv4-address

Default: ipv4-address

Mutual Exclusion: src-ipv4-keyword, src-ipv6-keyword, src-ipv6-subnet, src-obj-network, src-obj-grp-network and src-slb-server are mutually exclusive

src-ipv6-keyword

Description: ‘ipv6-address’: ipv6-address;

Type: string

Supported Values: ipv6-address

Default: ipv6-address

Mutual Exclusion: src-ipv6-keyword, src-ipv4-keyword, src-ip-subnet, src-obj-network, src-obj-grp-network and src-slb-server are mutually exclusive

src-ipv6-subnet

Description: IPv6 Network Address

Type: string

Format: ipv6-address-plen

Mutual Exclusion: src-ipv6-subnet, src-ipv4-keyword, src-addr-any and src-ip-subnet are mutually exclusive

src-obj-grp-network

Description: network object group

Type: string

Mutual Exclusion: src-obj-grp-network, src-ipv4-keyword, src-ipv6-keyword, src-obj-network and src-slb-server are mutually exclusive

Reference Object: /axapi/v3/object-group/network

src-obj-network

Description: network object

Type: string

Mutual Exclusion: src-obj-network, src-ipv4-keyword, src-ipv6-keyword, src-obj-grp-network and src-slb-server are mutually exclusive

Reference Object: /axapi/v3/object/network

src-slb-server

Description: real server name

Type: string

Mutual Exclusion: src-slb-server, src-ipv4-keyword, src-ipv6-keyword, src-obj-network and src-obj-grp-network are mutually exclusive

Reference Object: /axapi/v3/slb/server

src-zone

Description: Bind zone for source matching

Type: string

Mutual Exclusion: src-zone and src-zone-any are mutually exclusive

Reference Object: /axapi/v3/zone

src-zone-any

Description: ‘any’: any;

Type: string

Supported Values: any

Default: any

Mutual Exclusion: src-zone-any and src-zone are mutually exclusive

status

Description: ‘enable’: Enable this rule; ‘disable’: Disable this rule;

Type: string

Supported Values: enable, disable

Default: enable

user-tag

Description: Customized tag

Type: string

Format: string-rlx

uuid

Description: uuid of the object

Type: string
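
An offline pre-check for a rule payload before it is sent to the rule endpoint, as an added example (not vendor code): it applies a subset of the mutual-exclusion groups and the numeric ranges listed above, and flags permit rules that carry no restriction or leave logging off. The function name `lint_rule`, the two "review" heuristics and the sample payloads are assumptions constructed here.

```python
# Added example: client-side lint of a rule payload; names below are illustrative.
MUTEX_GROUPS = [  # symmetric groups copied from the attribute list above
    ("service-any", "protocols", "proto-id", "obj-grp-service", "icmp", "icmpv6"),
    ("eq-dst-port", "gt-dst-port", "lt-dst-port", "range-dst-port"),
    ("eq-src-port", "gt-src-port", "lt-src-port", "range-src-port"),
    ("dst-addr-any", "dst-ip-subnet", "dst-ipv6-subnet"),
    ("src-addr-any", "src-ip-subnet", "src-ipv6-subnet"),
    ("dst-zone", "dst-zone-any"), ("src-zone", "src-zone-any"),
    ("icmp-code", "special-code"), ("icmp-type", "special-type"),
]
RANGES = {"proto-id": (0, 255), "icmp-code": (0, 254), "icmp-type": (0, 254)}
for side in ("src", "dst"):
    RANGES.update({f"eq-{side}-port": (1, 65535), f"gt-{side}-port": (1, 65534),
                   f"lt-{side}-port": (2, 65535), f"range-{side}-port": (1, 65535),
                   f"port-num-end-{side}": (1, 65535)})
BOOLEANS = {"icmp", "icmpv6", "log"}
GENERIC = {"name", "action", "log", "status", "ip-version", "user-tag", "uuid"}

def is_set(rule, key):
    # A boolean attribute sent as 0/false is treated the same as omitting it.
    return key in rule and not (key in BOOLEANS and rule[key] in (0, False))

def lint_rule(rule):
    findings = []
    if not rule.get("name"):
        findings.append("name is required")
    if "action" in rule and rule["action"] not in ("permit", "deny", "reset"):
        findings.append("action must be permit, deny or reset")
    for group in MUTEX_GROUPS:
        present = [k for k in group if is_set(rule, k)]
        if len(present) > 1:
            findings.append("mutually exclusive: " + ", ".join(present))
    for key, (lo, hi) in RANGES.items():
        if key in rule and not (isinstance(rule[key], int) and lo <= rule[key] <= hi):
            findings.append(f"{key} outside {lo}-{hi}")
    if rule.get("action") == "permit":  # review heuristics, not API constraints
        narrowing = [k for k in rule if k not in GENERIC
                     and not k.endswith("-any") and is_set(rule, k)]
        if not narrowing:
            findings.append("review: permit with no source, destination or service restriction")
        if not is_set(rule, "log"):
            findings.append("review: permit rule has logging disabled")
    return findings

# Constructed sample payloads (not taken from any device).
GOOD = {"name": "dns-out", "action": "permit", "src-ip-subnet": "10.0.0.0/24",
        "protocols": "udp", "eq-dst-port": 53, "log": 1}
BAD = {"name": "web-in", "action": "permit", "protocols": "tcp", "service-any": "any",
       "eq-dst-port": 443, "range-dst-port": 8000, "port-num-end-dst": 70000}
BROAD = {"name": "allow-all", "action": "permit", "src-addr-any": "any",
         "dst-addr-any": "any", "service-any": "any", "icmp": 0}
```
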

move-rule

Specification
Type object

location

Description: ‘top’: top; ‘before’: before; ‘after’: after; ‘bottom’: bottom;

Type: string

Supported Values: top, before, after, bottom

Default: bottom

target-rule

Description:

Type: string

sampling-enable

Specification
Type list
Block object keys

counters1

Description: ‘all’: all; ‘hit-count’: Hit counts;

Type: string

Supported Values: all, hit-count

stats data

| Counter | Size | Description |
|---|---|---|
| hit-count | 8 | Hit counts |

operational data

| Name | Type | Description |
|---|---|---|
| action | string | action |
| status | string | status |
| hitcount | number | hitcount |