# firewall

## Overview

API to add, modify, delete, and get configuration for Firewall settings.

## Version information

Version : v2

## URI scheme

Host :
BasePath : /sdwan/nitro/v2/config_editor/
Schemes : HTTP

## Tags

- firewall : Operations related to firewall

## Paths
### POST operation for firewall

POST /firewall

#### Description

Use this operation to add the firewall settings.

#### Parameters

Type | Name | Schema |
---|---|---|
Body | body (optional) | firewall_request_schema |

#### Responses

HTTP Code | Description | Schema |
---|---|---|
200 | Resource successfully added | firewall_post_success_schema |
400 | Failed: bad input parameter | ErrorSchema |
401 | Unauthorized: Failed Authentication | ErrorSchema |
403 | Unauthorized: Forbidden | ErrorSchema |
405 | Failed: Data format unacceptable | ErrorSchema |
415 | Failed: Data format unacceptable | ErrorSchema |
500 | Failed: Internal Server Error | ErrorSchema |

#### Consumes

application/json

#### Produces

application/json

#### Tags

- firewall
### GET operation for firewall

GET /firewall

#### Description

Use this operation to get the firewall settings.

#### Responses

HTTP Code | Description | Schema |
---|---|---|
200 | API successfully executed | firewall_response_schema |
400 | Failed: bad input parameter | ErrorSchema |
401 | Unauthorized: Failed Authentication | ErrorSchema |
403 | Unauthorized: Forbidden | ErrorSchema |
405 | Failed: Data format unacceptable | ErrorSchema |
415 | Failed: Data format unacceptable | ErrorSchema |
500 | Failed: Internal Server Error | ErrorSchema |

#### Produces

application/json

#### Tags

- firewall
### PUT operation for firewall

PUT /firewall

#### Description

Use this operation to modify the firewall settings.

#### Responses

HTTP Code | Description | Schema |
---|---|---|
200 | Resource successfully modified | firewall_put_success_schema |
400 | Failed: bad input parameter | ErrorSchema |
401 | Unauthorized: Failed Authentication | ErrorSchema |
403 | Unauthorized: Forbidden | ErrorSchema |
405 | Failed: Data format unacceptable | ErrorSchema |
415 | Failed: Data format unacceptable | ErrorSchema |
500 | Failed: Internal Server Error | ErrorSchema |

#### Produces

application/json

#### Tags

- firewall
### DELETE operation for firewall

DELETE /firewall/{deletePathParam}

#### Description

Use this operation to delete the firewall settings.

#### Parameters

Type | Name | Description | Schema |
---|---|---|---|
Path | deletePathParam (required) | Object Primary Key for DELETE operation | object |

#### Responses

HTTP Code | Description | Schema |
---|---|---|
200 | Resource successfully deleted | firewall_delete_success_schema |
400 | Failed: bad input parameter | ErrorSchema |
401 | Unauthorized: Failed Authentication | ErrorSchema |
403 | Unauthorized: Forbidden | ErrorSchema |
405 | Failed: Data format unacceptable | ErrorSchema |
415 | Failed: Data format unacceptable | ErrorSchema |
500 | Failed: Internal Server Error | ErrorSchema |

#### Produces

application/json

#### Tags

- firewall
## Definitions

### ErrorSchema

Name | Schema |
---|---|
errorcode (optional) | integer |
errormessage (optional) | string |

### firewall

Name | Schema |
---|---|
firewall_destination_nat_policy (optional) | firewall_destination_nat_policy |
firewall_dynamic_nat_policy (optional) | firewall_dynamic_nat_policy |
firewall_local_policy (optional) | firewall_local_policy |
firewall_settings (optional) | firewall_settings |
firewall_static_nat_policy (optional) | firewall_static_nat_policy |
package_name (optional) | package_name |
site_name (optional) | site_name |

### firewall_delete_success_schema

Name | Schema |
---|---|
firewall (optional) | firewall |

Name | Description | Schema |
---|---|---|
message (optional) | Example : "resource deleted succesfully" | string |
### firewall_destination_nat_policy

Destination NAT Policy for firewall

Type : < firewall_destination_nat_policy > array

Name | Description | Schema |
---|---|---|
direction (optional) | The direction, from the Service or Virtual Interface perspective, in which the translation will operate. Default : "outbound" | enum (inbound, outbound) |
id (optional) | Firewall destination NAT policy id | integer |
inside_network_ip_address (optional) | The Inside IP Address and Prefix to translate (Destination IP Address in the direction selected). | string |
inside_port (optional) | The Inside Port or port range to translate (Destination port/port range in the direction selected). Default : "1-65535" | string |
outside_network_ip_address (optional) | The Outside IP Address packets will be translated to (Destination IP Address in the direction selected). | string |
outside_port (optional) | The Outside Port packets will be translated to (Destination port in the direction selected; 0: do not NAT the Port). | integer |
priority (optional, read-only) | The order/precedence in which Filters are applied (automatically redistributed). | integer |
service_name (optional) | The Service Name that the translation applies to. | string |
service_type (optional) | The Service Type that the translation applies to. | enum (local, internet, intranet) |
### firewall_dynamic_nat_policy

Dynamic NAT Policy for firewall

Type : < firewall_dynamic_nat_policy > array

Name | Description | Schema |
---|---|---|
allow_related (optional) | To allow packets related to a Connection (ICMP error packets). Default : false | boolean |
bind_responder_route (optional) | If enabled, the route for the responder's traffic will be bound to the Source Service. Default : false | boolean |
direction (optional) | The direction, from the Service or Virtual Interface perspective, in which the translation will operate. Default : "outbound" | enum (inbound, outbound) |
enable_gre_pptp_passthrough (optional) | To allow a GRE/PPTP session to be translated. Only a single session from the inside network will be permitted. Default : false | boolean |
enable_ipsec_passthrough (optional) | To allow an IPsec (AH/ESP) session to be translated. Only a single session from the inside network will be permitted. Default : false | boolean |
id (optional) | Firewall dynamic NAT policy id | integer |
inside_network_ip_address (optional) | The Inside IP Address and Prefix to translate (Source IP Address in the direction selected). | string |
inside_zone (optional) | The Inside Zone to translate. Default : "any" | enum (any, Internet_Zone, Untrusted_Internet_Zone, Default_LAN_Zone) |
outside_network_ip_address (optional) | The Outside IP Address and Subnet Mask packets will be translated to (Source IP Address in the direction selected). | string |
outside_zone (optional) | The Zone a packet must be destined for to allow translation. | enum (Internet_Zone, Untrusted_Internet_Zone, Default_LAN_Zone) |
port_forwarding_rules (optional) | Port Forwarding Rules | < port_forwarding_rules > array |
port_parity (optional) | If enabled, outside ports for NAT connections will maintain parity (even if the inside port is even, odd if the inside port is odd). Default : false | boolean |
priority (optional, read-only) | The order/precedence in which Filters are applied (automatically redistributed). | integer |
service_name (optional) | The Service Name that the translation applies to. | string |
service_type (optional) | The Service Type that the translation applies to. | enum (local, internet, intranet) |
type (optional) | The type of Dynamic NAT to perform. Default : "port_restricted" | enum (port_restricted, symmetric) |
### port_forwarding_rules

Port Forwarding Rules attached to a firewall_dynamic_nat_policy entry

Name | Description | Schema |
---|---|---|
allow_fragments (optional) | To enable forwarding of packet fragments. Default : true | boolean |
inside_network_ip_address (optional) | The Inside IP address to forward to. | string |
inside_port (optional) | The Inside port or port range to forward to. If a range is configured, it must define the same number of ports as the Outside Port. Default : "1-65535" | string |
log_connection_end (optional) | To generate a log when a Connection matching this Rule is deleted. Default : false | boolean |
log_connection_start (optional) | To generate a log when a new Connection is created by a packet matching this Rule. Default : false | boolean |
log_interval (optional) | The time, in seconds, between logging the number of packets matching the rule (0 = disabled, valid settings are 60-600). | integer |
outside_port (optional) | The Outside port or port range to forward. Default : "1-65535" | string |
protocol (optional) | The IP protocol to forward. Default : "both" | enum (both, TCP, UDP) |
track_connection (optional) | Whether or not to enable bidirectional connection state tracking for TCP, UDP and ICMP packets matching this Rule. This feature will block flows which appear illegitimate due to asymmetric routing or failure of checksum or protocol-specific validation; proceed with caution if NetScaler SD-WAN is not fully inline. Default : true | boolean |
### firewall_local_policy

Local policy for firewall

Type : < firewall_local_policy > array

Name | Description | Schema |
---|---|---|
action (optional) | The Action to take for each packet matching the Filter. Default : "allow" | enum (allow, drop, reject, count_and_continue) |
allow_fragments (optional) | To allow fragmented packets matching the Filter. Default : true | boolean |
application (optional) | The Application used as match criteria for this Filter. | string |
application_family (optional) | The Application Family used as match criteria for this Filter. | string |
application_objects (optional) | The Application Objects used as match criteria for this Filter. Default : "any" | string |
destination_ip_address (optional) | The Destination IP Address and Subnet Mask that the Filter will match. | string |
destination_port (optional) | The Destination Port or Port Range that the Filter will match. | integer |
destination_service_name (optional) | The Destination service that the Filter will match. Default : "any" | string |
destination_service_type (optional) | The Destination Service Type that the Filter will match. Default : "any" | enum (any, local, virtual_path, internet, intranet, gre_tunnel, lan_ipsec_tunnel, ip_host, multicast) |
from_zones (optional) | Select to filter on the zone the packet originated from. Default : "any" | enum (any, default_lan_zone, internet_zone, untrusted_internet_zone) |
id (optional) | Firewall local policy id | integer |
ip_dscp (optional) | The IP DSCP value that the Filter will match. Default : "ANY" | enum (ANY, DEFAULT, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, cs1, cs2, cs3, cs4, cs5, cs6, cs7, ef) |
ip_protocol_num (optional) | The IP Protocol that the Filter will match. | integer |
log_connection_end (optional) | To generate a log when a Connection matching this Filter is deleted. Default : false | boolean |
log_connection_start (optional) | To generate a log when a new Connection is created by a packet matching this Filter. Default : false | boolean |
log_interval (optional) | The time, in seconds, between logging the number of packets matching the Filter (0 = disabled, valid settings are 60-600). | integer |
match_established (optional) | To match incoming packets for a Connection to which outgoing packets were allowed. Default : false | boolean |
match_type (optional) | The kind of match criteria used for this Filter. Default : "any" | enum (ip_protocol, application, application_family, application_objects) |
priority (optional) | The order/precedence in which Filters are applied (automatically redistributed). | integer |
reverse_also (optional) | Select to automatically add a copy of this Filter with the Source and Destination settings reversed. Default : false | boolean |
source_ip_address (optional) | The Source IP Address and Subnet Mask that the Filter will match. | string |
source_port (optional) | The Source Port or Port Range that the Filter will match. | integer |
source_service_name (optional) | The Source service that the Filter will match. Default : "any" | string |
source_service_type (optional) | The Source Service Type that the Filter will match. Default : "any" | enum (any, local, virtual_path, internet, intranet, gre_tunnel, lan_ipsec_tunnel, ip_host, multicast) |
to_zones (optional) | Select to filter on the zone the packet is destined to. Default : "any" | enum (any, default_lan_zone, internet_zone, untrusted_internet_zone) |
track_connection (optional) | Whether or not to enable bidirectional connection state tracking for TCP, UDP and ICMP packets matching this Filter. This feature will block flows which appear illegitimate due to asymmetric routing or failure of checksum or protocol-specific validation; proceed with caution if NetScaler SD-WAN is not fully inline. Default : true | boolean |
### firewall_post_success_schema

Name | Schema |
---|---|
firewall (optional) | firewall |

Name | Description | Schema |
---|---|---|
message (optional) | Example : "resource added succesfully" | string |

### firewall_put_success_schema

Name | Schema |
---|---|
firewall (optional) | firewall |

Name | Description | Schema |
---|---|---|
message (optional) | Example : "resource modified succesfully" | string |

### firewall_request_schema

Name | Schema |
---|---|
firewall (optional) | firewall |

### firewall_response_schema

Type : < firewall_response_schema > array

Name | Schema |
---|---|
firewall_destination_nat_policy (optional) | firewall_destination_nat_policy |
firewall_dynamic_nat_policy (optional) | firewall_dynamic_nat_policy |
firewall_local_policy (optional) | firewall_local_policy |
firewall_settings (optional) | firewall_settings |
firewall_static_nat_policy (optional) | firewall_static_nat_policy |
package_name (optional) | package_name |
site_name (optional) | site_name |
### firewall_settings

Basic settings for firewall

Type : < firewall_settings > array

Name | Description | Schema |
---|---|---|
default_firewall_action (optional) | The action for packets that do not match a policy. Default : "allow" | enum (allow, drop) |
default_track_connection (optional) | Whether or not to enable bidirectional connection state tracking for TCP, UDP and ICMP packets that do not match a filter policy or NAT rule. This feature will block flows which appear illegitimate due to asymmetric routing or failure of checksum or protocol-specific validation; proceed with caution if NetScaler SD-WAN is not fully inline. Default : true | boolean |
generic_idle_timeout_seconds (optional) | The time, in seconds, to wait for new packets before closing an active generic session. | integer |
generic_initial_timeout_seconds (optional) | The time, in seconds, to wait for new packets before closing a generic session that has not seen traffic in both directions. | integer |
icmp_idle_timeout_seconds (optional) | The time, in seconds, to wait for new packets before closing an active ICMP session. | integer |
icmp_initial_timeout_seconds (optional) | The time, in seconds, to wait for new packets before closing an ICMP session that has not seen traffic in both directions. | integer |
max_new_connections_per_source (optional) | The maximum number of non-established Connections to allow per Source IP Address. 0 = unlimited. | integer |
policy_template_name (optional) | The name of the globally defined Policy Template whose filters will be included in this site's collection of firewall filters. | string |
priority (optional, read-only) | The order/precedence in which Filters are applied (automatically redistributed). | integer |
source_route_validation (optional) | If enabled, packets will be dropped when received on an interface that differs from the packet's route, as determined by the Source IP address. Default : false | boolean |
tcp_closed_timeout_seconds (optional) | The time, in seconds, to wait for new packets before closing an aborted TCP session. | integer |
tcp_closing_timeout_seconds (optional) | The time, in seconds, to wait for new packets before closing a TCP session after a request to terminate. | integer |
tcp_idle_timeout_seconds (optional) | The time, in seconds, to wait for new packets before closing an active TCP session. | integer |
tcp_initial_timeout_seconds (optional) | The time, in seconds, to wait for new packets before closing a TCP session that has not completed a handshake. | integer |
tcp_timewait_seconds (optional) | The time, in seconds, to wait for new packets before closing a terminated TCP session. | integer |
udp_idle_timeout_seconds (optional) | The time, in seconds, to wait for new packets before closing an active UDP session. | integer |
udp_initial_timeout_seconds (optional) | The time, in seconds, to wait for new packets before closing a UDP session that has not seen traffic in both directions. | integer |
untracked_and_denied_timeout_seconds (optional) | The time, in seconds, to wait for new packets before closing Untracked or Denied Connections. | integer |
### firewall_static_nat_policy

Static NAT Policy for firewall

Type : < firewall_static_nat_policy > array

Name | Description | Schema |
---|---|---|
bind_responder_route (optional) | If enabled, the route for the responder's traffic will be bound to the Source Service. Default : false | boolean |
direction (optional) | The direction, from the Service or Virtual Interface perspective, in which the translation will operate. Default : "outbound" | enum (inbound, outbound) |
id (optional) | Firewall static NAT policy id | integer |
inside_network_ip_address (optional) | The Inside IP Address and Prefix to translate (Source IP Address in the direction selected). | string |
inside_zone (optional) | The Zone a packet must be from to allow translation. Default : "Internet_Zone" | enum (Internet_Zone, Untrusted_Internet_Zone, Default_LAN_Zone) |
outside_network_ip_address (optional) | The Outside IP Address and Subnet Mask packets will be translated to (Source IP Address in the direction selected). | string |
outside_zone (optional) | The Zone a packet must be destined for to allow translation. Default : "Default_LAN_Zone" | enum (Internet_Zone, Untrusted_Internet_Zone, Default_LAN_Zone) |
priority (optional, read-only) | The order/precedence in which Filters are applied (automatically redistributed). | integer |
service_name (optional) | The Service Name that the translation applies to. | string |
service_type (optional) | The Service Type that the translation applies to. | enum (local, internet, intranet) |

### package_name

Config package name with which the firewall API operation should be performed.

Type : string

### site_name

Site Name

Type : string
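The following is an added example, not Citrix code, showing how a client would assemble the body for the POST /firewall operation from the firewall_request_schema, firewall_settings and firewall_local_policy definitions above, and reject values that fall outside the documented enums or the 0/60-600 log_interval range before sending. The site name, package name and rule values are constructed for illustration; the documented default_firewall_action is "allow", while the sample deliberately chooses "drop".

```python
"""Build and check a POST /firewall body for the SD-WAN config editor API.

Added example, not Citrix code. Field names, enums and ranges are taken from
the schema tables above; site/package names and rule values are constructed.
"""
import json

# Allowed values copied from the enum columns of firewall_local_policy and
# firewall_settings (DSCP and service-type enums omitted for brevity).
ENUMS = {
    "action": {"allow", "drop", "reject", "count_and_continue"},
    "from_zones": {"any", "default_lan_zone", "internet_zone", "untrusted_internet_zone"},
    "to_zones": {"any", "default_lan_zone", "internet_zone", "untrusted_internet_zone"},
    "match_type": {"ip_protocol", "application", "application_family", "application_objects"},
    "default_firewall_action": {"allow", "drop"},
}

def check_fields(obj: dict, label: str) -> list:
    """Return human-readable problems found in one policy or settings object."""
    problems = []
    for key, allowed in ENUMS.items():
        if key in obj and obj[key] not in allowed:
            problems.append(f"{label}: {key}={obj[key]!r} not in {sorted(allowed)}")
    # log_interval: 0 disables it; otherwise the documented valid range is 60-600
    interval = obj.get("log_interval", 0)
    if interval != 0 and not 60 <= interval <= 600:
        problems.append(f"{label}: log_interval={interval} must be 0 or 60-600")
    return problems

def build_firewall_request(site_name: str, package_name: str,
                           settings: dict, local_policies: list) -> dict:
    """Assemble a firewall_request_schema body, refusing invalid field values."""
    problems = check_fields(settings, "firewall_settings")
    for i, rule in enumerate(local_policies):
        problems += check_fields(rule, f"firewall_local_policy[{i}]")
    if problems:
        raise ValueError("; ".join(problems))
    return {"firewall": {
        "site_name": site_name,
        "package_name": package_name,
        "firewall_settings": [settings],        # documented as an array
        "firewall_local_policy": local_policies,
    }}

# Constructed sample: unmatched traffic is dropped (documented default is
# "allow") and untrusted-to-LAN flows are dropped and logged at connection start.
SETTINGS = {"default_firewall_action": "drop", "default_track_connection": True,
            "source_route_validation": True, "max_new_connections_per_source": 100}
DENY_UNTRUSTED = {"id": 1, "priority": 100, "action": "drop", "match_type": "ip_protocol",
                  "from_zones": "untrusted_internet_zone", "to_zones": "default_lan_zone",
                  "log_connection_start": True, "log_interval": 60}

if __name__ == "__main__":
    body = build_firewall_request("branch-01", "pkg-example", SETTINGS, [DENY_UNTRUSTED])
    print(json.dumps(body, indent=2))  # JSON body for POST /sdwan/nitro/v2/config_editor/firewall
```

Send the printed document with Content-Type application/json; a 400 response with an ErrorSchema body indicates a value the server rejected that this local check did not cover.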