.. _rule_set:

rule-set
========

Configure Security policy Rule Set

rule-set Specification
----------------------

===================================== ========================================================
**Parameter**                         **Value**
===================================== ========================================================
**Type**                              *Collection*
**Object Key(s)**                     *name*
**Collection Name**                   :ref:`2588_rule-set_list`
**Collection URI**                    /axapi/v3/rule-set
**Element Name**                      rule-set
**Element URI**                       /axapi/v3/rule-set/{name}
**Element Attributes**                rule-set_attributes
**Partition Visibility**              shared
**Statistics Data URI**               /axapi/v3/rule-set/{name}/stats
**Operational Data URI**              /axapi/v3/rule-set/{name}/oper
**Schema**                            :download:`rule-set schema `
===================================== ========================================================

**Operations Allowed:**

============== ========== ========================= ===============================
**Operation**  **Method** **URI**                   **Payload**
============== ========== ========================= ===============================
Create Object  POST       /axapi/v3/rule-set        :ref:`2588_rule-set_attributes`
Create List    POST       /axapi/v3/rule-set        :ref:`2588_rule-set_attributes`
Get Object     GET        /axapi/v3/rule-set/{name} :ref:`2588_rule-set_attributes`
Get List       GET        /axapi/v3/rule-set        :ref:`2588_rule-set_list`
Modify Object  POST       /axapi/v3/rule-set/{name} :ref:`2588_rule-set_attributes`
Replace Object PUT        /axapi/v3/rule-set/{name} :ref:`2588_rule-set_attributes`
Replace List   PUT        /axapi/v3/rule-set        :ref:`2588_rule-set_list`
Delete Object  DELETE     /axapi/v3/rule-set/{name} :ref:`2588_rule-set_attributes`
============== ========== ========================= ===============================

.. _2588_rule-set_list:

rule-set-list
-------------

rule-set-list is **JSON List** of :ref:`2588_rule-set_attributes`

    rule-set-list : [ { :ref:`2588_rule-set_attributes` }, { :ref:`2588_rule-set_attributes` }, ... ]

.. _2588_rule-set_attributes:

rule-set attributes
-------------------

**app**

    **Description:** app is a **JSON Block**. Please see below for :ref:`2588_app`

    **Type:** Object

    **Reference Object:** :doc:`/axapi/v3/rule-set/{name}/app `

**application**

    **Description:** application is a **JSON Block**. Please see below for :ref:`2588_application`

    **Type:** Object

    **Reference Object:** :doc:`/axapi/v3/rule-set/{name}/application `

**name**

    **Description** Rule set name

    **Type:** string

    **Format:** string-rlx

    **Maximum Length:** 63 characters

    **Minimum Length:** 1 characters

**packet-capture-template**

    **Description** Name of the packet capture template to bind to this object

    **Type:** string

    **Maximum Length:** 128 characters

    **Minimum Length:** 1 characters

    **Reference Object:** :doc:`/axapi/v3/visibility/packet-capture/object-templates/rule-set-tmpl `

**remark**

    **Description** Rule set entry comment (Notes for this rule set)

    **Type:** string

    **Format:** string-rlx

    **Maximum Length:** 255 characters

    **Minimum Length:** 1 characters

**rule-list**

    **Type:** List

    **Reference Object:** :doc:`/axapi/v3/rule-set/{name}/rule/{name} `

**rules-by-zone**

    **Description:** rules-by-zone is a **JSON Block**. Please see below for :ref:`2588_rules-by-zone`

    **Type:** Object

    **Reference Object:** :doc:`/axapi/v3/rule-set/{name}/rules-by-zone `

**sampling-enable**

    **Type:** List

**session-statistic**

    **Description** 'enable': Enable session based statistic (Default); 'disable': Disable session based statistic;

    **Type:** string

    **Supported Values:** enable, disable

    **Default:** enable

**tag**

    **Description:** tag is a **JSON Block**. Please see below for :ref:`2588_tag`

    **Type:** Object

    **Reference Object:** :doc:`/axapi/v3/rule-set/{name}/tag `

**track-app-rule-list**

    **Description:** track-app-rule-list is a **JSON Block**. Please see below for :ref:`2588_track-app-rule-list`

    **Type:** Object

    **Reference Object:** :doc:`/axapi/v3/rule-set/{name}/track-app-rule-list `

**user-tag**

    **Description** Customized tag

    **Type:** string

    **Format:** string-rlx

    **Maximum Length:** 127 characters

    **Minimum Length:** 1 characters

**uuid**

    **Description** uuid of the object

    **Type:** string

    **Maximum Length:** 64 characters

    **Minimum Length:** 1 characters

.. _2588_app:

app
^^^

=============================== ===================================================
**Specification**               **Value**
=============================== ===================================================
**Type**                        *object*
=============================== ===================================================

**uuid**

    **Description** uuid of the object

    **Type:** string

    **Maximum Length:** 64 characters

    **Minimum Length:** 1 characters

.. _2588_track-app-rule-list:

track-app-rule-list
^^^^^^^^^^^^^^^^^^^

=============================== ===================================================
**Specification**               **Value**
=============================== ===================================================
**Type**                        *object*
=============================== ===================================================

**uuid**

    **Description** uuid of the object

    **Type:** string

    **Maximum Length:** 64 characters

    **Minimum Length:** 1 characters

.. _2588_application:

application
^^^^^^^^^^^

=============================== ===================================================
**Specification**               **Value**
=============================== ===================================================
**Type**                        *object*
=============================== ===================================================

**uuid**

    **Description** uuid of the object

    **Type:** string

    **Maximum Length:** 64 characters

    **Minimum Length:** 1 characters

.. _2588_sampling-enable:

sampling-enable
^^^^^^^^^^^^^^^

=============================== ===================================================
**Specification**               **Value**
=============================== ===================================================
**Type**                        *list*
**Block object keys**
=============================== ===================================================

**counters1**

    **Description** 'all': all; 'unmatched-drops': Unmatched drops counter; 'permit': Permitted counter; 'deny': Denied counter; 'reset': Reset counter;

    **Type:** string

    **Supported Values:** all, unmatched-drops, permit, deny, reset

.. _2588_tag:

tag
^^^

=============================== ===================================================
**Specification**               **Value**
=============================== ===================================================
**Type**                        *object*
=============================== ===================================================

**uuid**

    **Description** uuid of the object

    **Type:** string

    **Maximum Length:** 64 characters

    **Minimum Length:** 1 characters

.. _2588_rule-list:

rule-list
^^^^^^^^^

=============================== ===================================================
**Specification**               **Value**
=============================== ===================================================
**Type**                        *list*
**Block object keys**
=============================== ===================================================

**action**

    **Description** 'permit': permit; 'deny': deny; 'reset': reset;

    **Type:** string

    **Supported Values:** permit, deny, reset

**action-group**

    **Description:** action-group is a **JSON Block**. Please see below for :ref:`2588_rule-list_action-group`

    **Type:** Object

    **Reference Object:** :doc:`/axapi/v3/rule-set/{name}/rule/{name}/action-group `

**app-list**

    **Type:** List

**application-any**

    **Description** 'any': any;

    **Type:** string

    **Supported Values:** any

    **Default:** any

    **Mutual Exclusion:** application-any, obj-grp-application, protocol, and protocol-tag are mutually exclusive

**cgnv6-ds-lite**

    **Description** 'lsn-lid': Apply specified CGNv6 LSN LID;

    **Type:** string

    **Supported Values:** lsn-lid

**cgnv6-ds-lite-log**

    **Description** Enable logging

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**cgnv6-ds-lite-lsn-lid**

    **Description** LSN LID

    **Type:** number

    **Range:** 1-1023

**cgnv6-fixed-nat-log**

    **Description** Enable logging

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**cgnv6-log**

    **Description** Enable logging

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

    **Mutual Exclusion:** cgnv6-log and cgnv6-policy are mutually exclusive

**cgnv6-lsn-lid**

    **Description** LSN LID

    **Type:** number

    **Range:** 1-1023

**cgnv6-lsn-log**

    **Description** Enable logging

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**cgnv6-policy**

    **Description** 'lsn-lid': Apply specified CGNv6 LSN LID; 'fixed-nat': Apply CGNv6 Fixed NAT; 'ds-lite': Apply CGNv6 DS-Lite;

    **Type:** string

    **Supported Values:** lsn-lid, fixed-nat, ds-lite

    **Mutual Exclusion:** cgnv6-policy and cgnv6-log are mutually exclusive

**dest-list**

    **Type:** List

**dscp-list**

    **Type:** List

**dst-class-list**

    **Description** Match destination IP against class-list

    **Type:** string

    **Maximum Length:** 63 characters

    **Minimum Length:** 1 characters

    **Mutual Exclusion:** dst-class-list, dst-ipv4-any, dst-ipv6-any, dst-ip-subnet, dst-ipv6-subnet, dst-obj-network, dst-obj-grp-network, dst-slb-server, and dst-slb-vserver are mutually exclusive

    **Reference Object:** :doc:`/axapi/v3/class-list `

**dst-domain-list**

    **Description** Match destination IP against domain-list

    **Type:** string

    **Maximum Length:** 63 characters

    **Minimum Length:** 1 characters

    **Mutual Exclusion:** dst-domain-list, dst-ipv4-any, and dst-ipv6-any are mutually exclusive

    **Reference Object:** :doc:`/axapi/v3/domain-list `

**dst-geoloc-list**

    **Description** Geolocation name list

    **Type:** string

    **Maximum Length:** 63 characters

    **Minimum Length:** 1 characters

    **Mutual Exclusion:** dst-geoloc-list, dst-geoloc-name, dst-ip-subnet, dst-ipv6-subnet, dst-obj-network, dst-obj-grp-network, dst-slb-server, and dst-slb-vserver are mutually exclusive

**dst-geoloc-list-shared**

    **Description** Use Geolocation list from shared partition

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**dst-geoloc-name**

    **Description** Single geolocation name

    **Type:** string

    **Format:** string-rlx

    **Maximum Length:** 127 characters

    **Minimum Length:** 1 characters

    **Mutual Exclusion:** dst-geoloc-name, dst-geoloc-list, dst-ip-subnet, dst-ipv6-subnet, dst-obj-network, dst-obj-grp-network, dst-slb-server, and dst-slb-vserver are mutually exclusive

**dst-ipv4-any**

    **Description** 'any': Any IPv4 address;

    **Type:** string

    **Supported Values:** any

    **Default:** any

    **Mutual Exclusion:** dst-ipv4-any, dst-ipv6-any, dst-class-list, dst-ip-subnet, dst-ipv6-subnet, dst-obj-network, dst-obj-grp-network, dst-slb-server, dst-slb-vserver, and dst-domain-list are mutually exclusive

**dst-ipv6-any**

    **Description** 'any': Any IPv6 address;

    **Type:** string

    **Supported Values:** any

    **Default:** any

    **Mutual Exclusion:** dst-ipv6-any, dst-ipv4-any, dst-class-list, dst-ip-subnet, dst-ipv6-subnet, dst-obj-network, dst-obj-grp-network, dst-slb-server, dst-slb-vserver, and dst-domain-list are mutually exclusive

**dst-threat-list**

    **Description** Bind threat-list for destination IP based filtering

    **Type:** string

    **Maximum Length:** 63 characters

    **Minimum Length:** 1 characters

    **Reference Object:** :doc:`/axapi/v3/threat-intel/threat-list `

**dst-zone**

    **Description** Zone name

    **Type:** string

    **Maximum Length:** 128 characters

    **Minimum Length:** 1 characters

    **Mutual Exclusion:** dst-zone and dst-zone-any are mutually exclusive

    **Reference Object:** :doc:`/axapi/v3/zone `

**dst-zone-any**

    **Description** 'any': any;

    **Type:** string

    **Supported Values:** any

    **Default:** any

    **Mutual Exclusion:** dst-zone-any and dst-zone are mutually exclusive

**forward-listen-on-port**

    **Description** Listen on port

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**forward-log**

    **Description** Enable logging

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**fw-log**

    **Description** Enable logging

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**fwlog**

    **Description** Enable logging

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**gtp-template**

    **Description** Configure GTP Policy Template (GTP Template Policy Name)

    **Type:** string

    **Format:** string-rlx

    **Maximum Length:** 63 characters

    **Minimum Length:** 1 characters

    **Reference Object:** :doc:`/axapi/v3/template/gtp-policy `

**idle-timeout**

    **Description** TCP/UDP idle-timeout

    **Type:** number

    **Range:** 1-2097151

**inspect-payload**

    **Description** Enable DS-Lite tunnel inspection

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**ip-version**

    **Description** 'v4': IPv4 rule; 'v6': IPv6 rule;

    **Type:** string

    **Supported Values:** v4, v6

    **Default:** v4

**lid**

    **Description** Apply a Template LID

    **Type:** number

    **Range:** 1-1023

**lidlog**

    **Description** Enable logging

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**listen-on-port**

    **Description** Listen on port

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

    **Mutual Exclusion:** listen-on-port and log are mutually exclusive

**listen-on-port-lid**

    **Description** Apply a Template LID

    **Type:** number

    **Range:** 1-1023

**listen-on-port-lidlog**

    **Description** Enable logging

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**log**

    **Description** Enable logging

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

    **Mutual Exclusion:** log, listen-on-port, and policy are mutually exclusive

**move-rule**

    **Description:** move-rule is a **JSON Block**. Please see below for :ref:`2588_rule-list_move-rule`

    **Type:** Object

    **Reference Object:** :doc:`/axapi/v3/rule-set/{name}/rule/{name}/move-rule `

**name**

    **Description** Rule name

    **Type:** string

    **Format:** string-rlx

    **Maximum Length:** 63 characters

    **Minimum Length:** 1 characters

**policy**

    **Description** 'cgnv6': Apply CGNv6 policy; 'forward': Forward packet; 'ipsec': Apply IPsec encapsulation; 'ipsec-group': Apply IPsec encapsulation from a group;

    **Type:** string

    **Supported Values:** cgnv6, forward, ipsec, ipsec-group

    **Mutual Exclusion:** policy and log are mutually exclusive

**remark**

    **Description** Rule entry comment (Notes for this rule)

    **Type:** string

    **Format:** string-rlx

    **Maximum Length:** 255 characters

    **Minimum Length:** 1 characters

**reset-lid**

    **Description** Apply a Template LID

    **Type:** number

    **Range:** 1-1023

**reset-lidlog**

    **Description** Enable logging

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**sampling-enable**

    **Type:** List

**service-any**

    **Description** 'any': any;

    **Type:** string

    **Supported Values:** any

    **Default:** any

    **Mutual Exclusion:** service-any, protocols, proto-id, obj-grp-service, icmp, and icmpv6 are mutually exclusive

**service-list**

    **Type:** List

**source-list**

    **Type:** List

**src-class-list**

    **Description** Match source IP against class-list

    **Type:** string

    **Maximum Length:** 63 characters

    **Minimum Length:** 1 characters

    **Mutual Exclusion:** src-class-list, src-ipv4-any, src-ipv6-any, src-ip-subnet, src-ipv6-subnet, src-obj-network, src-obj-grp-network, and src-slb-server are mutually exclusive

    **Reference Object:** :doc:`/axapi/v3/class-list `

**src-geoloc-list**

    **Description** Geolocation name list

    **Type:** string

    **Maximum Length:** 63 characters

    **Minimum Length:** 1 characters

    **Mutual Exclusion:** src-geoloc-list, src-geoloc-name, src-ip-subnet, src-ipv6-subnet, src-obj-network, src-obj-grp-network, and src-slb-server are mutually exclusive

**src-geoloc-list-shared**

    **Description** Use Geolocation list from shared partition

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**src-geoloc-name**

    **Description** Single geolocation name

    **Type:** string

    **Format:** string-rlx

    **Maximum Length:** 127 characters

    **Minimum Length:** 1 characters

    **Mutual Exclusion:** src-geoloc-name, src-geoloc-list, src-ip-subnet, src-ipv6-subnet, src-obj-network, src-obj-grp-network, and src-slb-server are mutually exclusive

**src-ipv4-any**

    **Description** 'any': Any IPv4 address;

    **Type:** string

    **Supported Values:** any

    **Default:** any

    **Mutual Exclusion:** src-ipv4-any, src-ipv6-any, src-class-list, src-ip-subnet, src-ipv6-subnet, src-obj-network, src-obj-grp-network, and src-slb-server are mutually exclusive

**src-ipv6-any**

    **Description** 'any': Any IPv6 address;

    **Type:** string

    **Supported Values:** any

    **Default:** any

    **Mutual Exclusion:** src-ipv6-any, src-ipv4-any, src-class-list, src-ip-subnet, src-ipv6-subnet, src-obj-network, src-obj-grp-network, and src-slb-server are mutually exclusive

**src-threat-list**

    **Description** Bind threat-list for source IP based filtering

    **Type:** string

    **Maximum Length:** 63 characters

    **Minimum Length:** 1 characters

    **Reference Object:** :doc:`/axapi/v3/threat-intel/threat-list `

**src-zone**

    **Description** Zone name

    **Type:** string

    **Maximum Length:** 128 characters

    **Minimum Length:** 1 characters

    **Mutual Exclusion:** src-zone and src-zone-any are mutually exclusive

    **Reference Object:** :doc:`/axapi/v3/zone `

**src-zone-any**

    **Description** 'any': any;

    **Type:** string

    **Supported Values:** any

    **Default:** any

    **Mutual Exclusion:** src-zone-any and src-zone are mutually exclusive

**status**

    **Description** 'enable': Enable rule; 'disable': Disable rule;

    **Type:** string

    **Supported Values:** enable, disable

    **Default:** enable

**track-application**

    **Description** Enable application statistic (functional only in action permit)

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**user-tag**

    **Description** Customized tag

    **Type:** string

    **Format:** string-rlx

    **Maximum Length:** 127 characters

    **Minimum Length:** 1 characters

**uuid**

    **Description** uuid of the object

    **Type:** string

    **Maximum Length:** 64 characters

    **Minimum Length:** 1 characters

**vpn-ipsec-group-name**

    **Description** VPN IPsec Group name

    **Type:** string

    **Maximum Length:** 31 characters

    **Minimum Length:** 1 characters

    **Reference Object:** :doc:`/axapi/v3/vpn/ipsec-group `

**vpn-ipsec-name**

    **Description** VPN IPsec name

    **Type:** string

    **Maximum Length:** 31 characters

    **Minimum Length:** 1 characters

    **Reference Object:** :doc:`/axapi/v3/vpn/ipsec `

.. _2588_rule-list_sampling-enable:

rule-list_sampling-enable
^^^^^^^^^^^^^^^^^^^^^^^^^

=============================== ===================================================
**Specification**               **Value**
=============================== ===================================================
**Type**                        *list*
**Block object keys**
=============================== ===================================================

**counters1**

    **Description** 'all': all; 'hit-count': Hit counts; 'permit-bytes': Permitted bytes counter; 'deny-bytes': Denied bytes counter; 'reset-bytes': Reset bytes counter; 'permit-packets': Permitted packets counter; 'deny-packets': Denied packets counter; 'reset-packets': Reset packets counter; 'active-session-tcp': Active TCP session counter; 'active-session-udp': Active UDP session counter; 'active-session-icmp': Active ICMP session counter; 'active-session-other': Active other protocol session counter; 'session-tcp': TCP session counter; 'session-udp': UDP session counter; 'session-icmp': ICMP session counter; 'session-other': Other protocol session counter; 'active-session-sctp': Active SCTP session counter; 'session-sctp': SCTP session counter; 'hitcount-timestamp': Last hit counts timestamp; 'rate-limit-drops': Rate Limit Drops;

    **Type:** string

    **Supported Values:** all, hit-count, permit-bytes, deny-bytes, reset-bytes, permit-packets, deny-packets, reset-packets, active-session-tcp, active-session-udp, active-session-icmp, active-session-other, session-tcp, session-udp, session-icmp, session-other, active-session-sctp, session-sctp, hitcount-timestamp, rate-limit-drops

.. _2588_rule-list_dscp-list:

rule-list_dscp-list
^^^^^^^^^^^^^^^^^^^

=============================== ===================================================
**Specification**               **Value**
=============================== ===================================================
**Type**                        *list*
**Block object keys**
=============================== ===================================================

**dscp-range-end**

    **Description** Ending DSCP Number

    **Type:** number

    **Range:** 1-63

**dscp-range-start**

    **Description** Start DSCP Number

    **Type:** number

    **Range:** 1-63

**dscp-value**

    **Description** 'default': Default dscp (000000); 'af11': AF11 (001010); 'af12': AF12 (001100); 'af13': AF13 (001110); 'af21': AF21 (010010); 'af22': AF22 (010100); 'af23': AF23 (010110); 'af31': AF31 (011010); 'af32': AF32 (011100); 'af33': AF33 (011110); 'af41': AF41 (100010); 'af42': AF42 (100100); 'af43': AF43 (100110); 'cs1': CS1 (001000); 'cs2': CS2 (010000); 'cs3': CS3 (011000); 'cs4': CS4 (100000); 'cs5': CS5 (101000); 'cs6': CS6 (110000); 'cs7': CS7 (111000); 'ef': EF (101110);

    **Type:** string

    **Supported Values:** default, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, cs1, cs2, cs3, cs4, cs5, cs6, cs7, ef

    **Mutual Exclusion:** dscp-value and dscp-range are mutually exclusive

.. _2588_rule-list_app-list:

rule-list_app-list
^^^^^^^^^^^^^^^^^^

=============================== ===================================================
**Specification**               **Value**
=============================== ===================================================
**Type**                        *list*
**Block object keys**
=============================== ===================================================

**obj-grp-application**

    **Description** Application object group

    **Type:** string

    **Format:** string-rlx

    **Maximum Length:** 63 characters

    **Minimum Length:** 1 characters

    **Mutual Exclusion:** obj-grp-application and application-any are mutually exclusive

    **Reference Object:** :doc:`/axapi/v3/object-group/application `

**protocol**

    **Description** Specify application(s)

    **Type:** string

    **Format:** string-rlx

    **Maximum Length:** 31 characters

    **Minimum Length:** 1 characters

    **Mutual Exclusion:** protocol and application-any are mutually exclusive

**protocol-tag**

    **Description** 'aaa': Protocol/application used for AAA (Authentication, Authorization and Accounting) purposes.; 'adult-content': Adult content protocol/application.; 'advertising': Advertising networks and applications.; 'application-enforcing-tls': Application known to enforce HSTS and thus use of TLS.; 'analytics-and-statistics': User analytics and statistics protocol/application.; 'anonymizers-and-proxies': Traffic-anonymization protocol/application.; 'audio-chat': Protocol/application used for Audio Chat.; 'basic': Covers all protocols required for basic classification, including most networking protocols as well as standard protocols like HTTP.; 'blog': Blogging platform protocol/application.; 'cdn': Protocol/application used for Content-Delivery Networks.; 'certification-authority': Certification Authority for SSL/TLS certificate.; 'chat': Protocol/application used for Text Chat.; 'classified-ads': Protocol/application used for Classified Advertisements.; 'cloud-based-services': SaaS and/or PaaS cloud based services.; 'crowdfunding': Service for funding a project or venture by raising small amounts of money from a large number of people, typically via the Internet.; 'cryptocurrency': Services for mining cryptocurrencies, for example a Crypto Web Browser (an application that mines crypto currency in the background while its user browses the web).; 'database': Database-specific protocols.; 'disposable-email': Service offering Disposable Email Accounts (DEA). DEA is a technique to share temporary email address between many users.; 'ebook-reader': Services for e-book readers, i.e. connected devices that display electronic books (typically using e-ink displays to reduce glare and eye strain).; 'education': Protocols offering education services and online courses.; 'email': Native email protocol.; 'enterprise': Protocol/application used in an enterprise network.; 'file-management': Protocol/application designed specifically for file management and exchange. This can include bona fide network protocols (like SMB) as well as web/cloud services (like Dropbox).; 'file-transfer': Protocol that offers file transferring as a secondary feature. This typically includes IM, WebMail, and other protocols that allow file transfers in addition to their principal function.; 'forum': Online forum protocol/application.; 'gaming': Protocol/application used by games.; 'healthcare': Protocols offering medical services, i.e. protocols used in medical environment.; 'instant-messaging-and-multimedia-conferencing': Protocol/application used for Instant Messaging or Multi-Conferencing.; 'internet-of-things': Internet Of Things protocol/application.; 'map-service': Digital Maps service (web site and their related API).; 'mobile': Mobile-specific protocol/application.; 'multimedia-streaming': Protocol/application used for multimedia streaming.; 'networking': Protocol used for (inter) networking purpose.; 'news-portal': Protocol/application used for News Portals.; 'payment-service': Application offering online services for accepting electronic payments by a variety of payment methods (credit card, bank-based payments such as direct debit, bank transfer, etc).; 'peer-to-peer': Protocol/application used for Peer-to-peer purposes.; 'remote-access': Protocol/application used for remote access.; 'scada': SCADA (Supervisory control and data acquisition) protocols, all generations.; 'social-networks': Social networking application.; 'software-update': Auto-update protocol.; 'speedtest': Speedtest application allowing to access quality of Internet connection (upload, download, latency, etc).; 'standards-based': Protocol issued from standardized bodies such as IETF, ITU, IEEE, ETSI, OIF.; 'transportation': Transportation services, for example smartphone applications that allow users to hail a taxi.; 'video-chat': Protocol/application used for Video Chat.; 'voip': Application used for Voice-Over-IP.; 'vpn-tunnels': Protocol/application used for VPN or tunneling purposes.; 'web': Application based on HTTP/HTTPS.; 'web-e-commerce': Protocol/application used for E-commerce websites.; 'web-search-engines': Protocol/application used for Web search portals.; 'web-websites': Protocol/application used for Company Websites.; 'webmails': Web-based e-mail application.; 'web-ext-adult': Web Extension Adult; 'web-ext-auctions': Web Extension Auctions; 'web-ext-blogs': Web Extension Blogs; 'web-ext-business-and-economy': Web Extension Business and Economy; 'web-ext-cdns': Web Extension CDNs; 'web-ext-collaboration': Web Extension Collaboration; 'web-ext-computer-and-internet-info': Web Extension Computer and Internet Info; 'web-ext-computer-and-internet-security': Web Extension Computer and Internet Security; 'web-ext-dating': Web Extension Dating; 'web-ext-educational-institutions': Web Extension Educational Institutions; 'web-ext-entertainment-and-arts': Web Extension Entertainment and Arts; 'web-ext-fashion-and-beauty': Web Extension Fashion and Beauty; 'web-ext-file-share': Web Extension File Share; 'web-ext-financial-services': Web Extension Financial Services; 'web-ext-gambling': Web Extension Gambling; 'web-ext-games': Web Extension Games; 'web-ext-government': Web Extension Government; 'web-ext-health-and-medicine': Web Extension Health and Medicine; 'web-ext-individual-stock-advice-and-tools': Web Extension Individual Stock Advice and Tools; 'web-ext-internet-portals': Web Extension Internet Portals; 'web-ext-job-search': Web Extension Job Search; 'web-ext-local-information': Web Extension Local Information; 'web-ext-malware': Web Extension Malware; 'web-ext-motor-vehicles': Web Extension Motor Vehicles; 'web-ext-music': Web Extension Music; 'web-ext-news': Web Extension News; 'web-ext-p2p': Web Extension P2P; 'web-ext-parked-sites': Web Extension Parked Sites; 'web-ext-proxy-avoid-and-anonymizers': Web Extension Proxy Avoid and Anonymizers; 'web-ext-real-estate': Web Extension Real Estate; 'web-ext-reference-and-research': Web Extension Reference and Research; 'web-ext-search-engines': Web Extension Search Engines; 'web-ext-shopping': Web Extension Shopping; 'web-ext-social-network': Web Extension Social Network; 'web-ext-society': Web Extension Society; 'web-ext-software': Web Extension Software; 'web-ext-sports': Web Extension Sports; 'web-ext-streaming-media': Web Extension Streaming Media; 'web-ext-training-and-tools': Web Extension Training and Tools; 'web-ext-translation': Web Extension Translation; 'web-ext-travel': Web Extension Travel; 'web-ext-web-advertisements': Web Extension Web Advertisements; 'web-ext-web-based-email': Web Extension Web based Email; 'web-ext-web-hosting': Web Extension Web Hosting; 'web-ext-web-service': Web Extension Web Service;

    **Type:** string

    **Supported Values:** aaa, adult-content, advertising, application-enforcing-tls, analytics-and-statistics, anonymizers-and-proxies, audio-chat, basic, blog, cdn, certification-authority, chat, classified-ads, cloud-based-services, crowdfunding, cryptocurrency, database, disposable-email, ebook-reader, education, email, enterprise, file-management, file-transfer, forum, gaming, healthcare, instant-messaging-and-multimedia-conferencing, internet-of-things, map-service, mobile, multimedia-streaming, networking, news-portal, payment-service, peer-to-peer, remote-access, scada, social-networks, software-update, speedtest, standards-based, transportation, video-chat, voip, vpn-tunnels, web, web-e-commerce, web-search-engines, web-websites, webmails, web-ext-adult, web-ext-auctions, web-ext-blogs, web-ext-business-and-economy, web-ext-cdns, web-ext-collaboration, web-ext-computer-and-internet-info, web-ext-computer-and-internet-security, web-ext-dating, web-ext-educational-institutions, web-ext-entertainment-and-arts, web-ext-fashion-and-beauty, web-ext-file-share, web-ext-financial-services, web-ext-gambling, web-ext-games, web-ext-government, web-ext-health-and-medicine, web-ext-individual-stock-advice-and-tools, web-ext-internet-portals, web-ext-job-search, web-ext-local-information, web-ext-malware, web-ext-motor-vehicles, web-ext-music, web-ext-news, web-ext-p2p, web-ext-parked-sites, web-ext-proxy-avoid-and-anonymizers, web-ext-real-estate, web-ext-reference-and-research, web-ext-search-engines, web-ext-shopping, web-ext-social-network, web-ext-society, web-ext-software, web-ext-sports, web-ext-streaming-media, web-ext-training-and-tools, web-ext-translation, web-ext-travel, web-ext-web-advertisements, web-ext-web-based-email, web-ext-web-hosting, web-ext-web-service

    **Mutual Exclusion:** protocol-tag and application-any are mutually exclusive

.. _2588_rule-list_action-group:

rule-list_action-group
^^^^^^^^^^^^^^^^^^^^^^

=============================== ===================================================
**Specification**               **Value**
=============================== ===================================================
**Type**                        *object*
=============================== ===================================================

**cgnv6**

    **Description** Apply CGNv6 policy

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

    **Mutual Exclusion:** cgnv6, listen-on-port, forward, ipsec, and ipsec-group are mutually exclusive

**cgnv6-ds-lite**

    **Description** 'lsn-lid': Apply specified CGNv6 LSN LID;

    **Type:** string

    **Supported Values:** lsn-lid

**cgnv6-ds-lite-lsn-lid**

    **Description** LSN LID

    **Type:** number

    **Range:** 1-1023

**cgnv6-lsn-lid**

    **Description** LSN LID

    **Type:** number

    **Range:** 1-1023

**cgnv6-policy**

    **Description** 'lsn-lid': Apply specified CGNv6 LSN LID; 'fixed-nat': Apply CGNv6 Fixed NAT; 'ds-lite': Apply CGNv6 DS-Lite;

    **Type:** string

    **Supported Values:** lsn-lid, fixed-nat, ds-lite

**deny-fw-log**

    **Description** Logging template name

    **Type:** string

    **Format:** string-rlx

    **Maximum Length:** 63 characters

    **Minimum Length:** 1 characters

    **Reference Object:** :doc:`/axapi/v3/fw/template/logging `

**deny-log**

    **Description** Enable logging

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**deny-log-template-type**

    **Description** 'fw-logging-template': Logging with specified fw template;

    **Type:** string

    **Supported Values:** fw-logging-template

**dscp-number**

    **Description** DSCP Number

    **Type:** number

    **Range:** 0-63

    **Mutual Exclusion:** dscp-number and dscp-value are mutually exclusive

**dscp-value**

    **Description** 'default': Default dscp (000000); 'af11': AF11 (001010); 'af12': AF12 (001100); 'af13': AF13 (001110); 'af21': AF21 (010010); 'af22': AF22 (010100); 'af23': AF23 (010110); 'af31': AF31 (011010); 'af32': AF32 (011100); 'af33': AF33 (011110); 'af41': AF41 (100010); 'af42': AF42 (100100); 'af43': AF43 (100110); 'cs1': CS1 (001000); 'cs2': CS2 (010000); 'cs3': CS3 (011000); 'cs4': CS4 (100000); 'cs5': CS5 (101000); 'cs6': CS6 (110000); 'cs7': CS7 (111000); 'ef': EF (101110);

    **Type:** string

    **Supported Values:** default, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, cs1, cs2, cs3, cs4, cs5, cs6, cs7, ef

    **Mutual Exclusion:** dscp-value and dscp-number are mutually exclusive

**forward**

    **Description** Forward packet

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

    **Mutual Exclusion:** forward, ipsec, ipsec-group, and cgnv6 are mutually exclusive

**inspect-payload**

    **Description** Enable DS-Lite tunnel inspection

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**ipsec**

    **Description** Apply IPsec encapsulation

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

    **Mutual Exclusion:** ipsec, permit-log, listen-on-port, forward, ipsec-group, cgnv6, and permit-respond-to-user-mac are mutually exclusive

**ipsec-group**

    **Description** Apply IPsec Group encapsulation

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

    **Mutual Exclusion:** ipsec-group, permit-log, listen-on-port, forward, ipsec, and cgnv6 are mutually exclusive

**listen-on-port**

    **Description** Listen on port

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

    **Mutual Exclusion:** listen-on-port, ipsec, ipsec-group, and cgnv6 are mutually exclusive

**logging-template-list**

    **Type:** List

**permit-limit-policy**

    **Description** Limit policy Template

    **Type:** number

    **Range:** 1-1023

    **Reference Object:** :doc:`/axapi/v3/template/limit-policy `

**permit-log**

    **Description** Enable logging

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

    **Mutual Exclusion:** permit-log, ipsec, and ipsec-group are mutually exclusive

**permit-respond-to-user-mac**

    **Description** Use the user's source MAC for the next hop rather than the routing table (default: off)

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

    **Mutual Exclusion:** permit-respond-to-user-mac and ipsec are mutually exclusive

**reset-fw-log**

    **Description** Logging template name

    **Type:** string

    **Format:** string-rlx

    **Maximum Length:** 63 characters

    **Minimum Length:** 1 characters

    **Reference Object:** :doc:`/axapi/v3/fw/template/logging `

**reset-log**

    **Description** Enable logging

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**reset-log-template-type**

    **Description** 'fw-logging-template': Logging with specified fw template;

    **Type:** string

    **Supported Values:** fw-logging-template

**reset-respond-to-user-mac**

    **Description** Use the user's source MAC for the next hop rather than the routing table (default: off)

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**set-dscp**

    **Description** DSCP setting

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**type**

    **Description** 'permit': permit; 'deny': deny; 'reset': reset;

    **Type:** string

    **Supported Values:** permit, deny, reset

**uuid**

    **Description** uuid of the object

    **Type:** string

    **Maximum Length:** 64 characters

    **Minimum Length:** 1 characters

**vpn-ipsec-group-name**

    **Description** VPN IPsec Group name

    **Type:** string

    **Maximum Length:** 31 characters

    **Minimum Length:** 1 characters

    **Reference Object:** :doc:`/axapi/v3/vpn/ipsec-group `
**vpn-ipsec-name**

    **Description** VPN IPsec name

    **Type:** string

    **Maximum Length:** 31 characters

    **Maximum Length:** 1 characters

    **Reference Object:** :doc:`/axapi/v3/vpn/ipsec`

.. _2588_rule-list_action-group_logging-template-list:

rule-list_action-group_logging-template-list
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

=============================== ===================================================
**Specification**               **Value**
=============================== ===================================================
**Type**                        *list*
**Block object keys**
=============================== ===================================================

**permit-cgnv6-log**

    **Description** Logging template name

    **Type:** string

    **Format:** string-rlx

    **Maximum Length:** 63 characters

    **Maximum Length:** 1 characters

    **Reference Object:** :doc:`/axapi/v3/cgnv6/template/logging`

**permit-fw-log**

    **Description** Logging template name

    **Type:** string

    **Format:** string-rlx

    **Maximum Length:** 63 characters

    **Maximum Length:** 1 characters

    **Reference Object:** :doc:`/axapi/v3/fw/template/logging`

**permit-log-template-type**

    **Description** 'fw-logging-template': Logging with specified fw template; 'cgnv6-logging-template': Logging with specified cgnv6 template; 'netflow-monitor': Logging with specified netflow/ipfix monitor;

    **Type:** string

    **Supported Values:** fw-logging-template, cgnv6-logging-template, netflow-monitor

**permit-netflow-log**

    **Description** Name of netflow monitor

    **Type:** string

    **Format:** string-rlx

    **Maximum Length:** 63 characters

    **Maximum Length:** 1 characters

    **Reference Object:** :doc:`/axapi/v3/netflow/monitor`

.. _2588_rule-list_dest-list:

rule-list_dest-list
^^^^^^^^^^^^^^^^^^^

=============================== ===================================================
**Specification**               **Value**
=============================== ===================================================
**Type**                        *list*
**Block object keys**
=============================== ===================================================

**dst-ip-subnet**

    **Description** IPv4 IP Address

    **Type:** string

    **Format:** ipv4-cidr

    **Mutual Exclusion:** dst-ip-subnet, dst-geoloc-name, dst-geoloc-list, dst-ipv4-any, dst-ipv6-any, dst-class-list, and dst-ipv6-subnet are mutually exclusive

**dst-ipv6-subnet**

    **Description** IPv6 IP Address

    **Type:** string

    **Format:** ipv6-address-plen

    **Mutual Exclusion:** dst-ipv6-subnet, dst-geoloc-name, dst-geoloc-list, dst-ipv4-any, dst-ipv6-any, dst-class-list, and dst-ip-subnet are mutually exclusive

**dst-obj-grp-network**

    **Description** Network object group

    **Type:** string

    **Format:** string-rlx

    **Maximum Length:** 63 characters

    **Maximum Length:** 1 characters

    **Mutual Exclusion:** dst-obj-grp-network, dst-geoloc-name, dst-geoloc-list, dst-ipv4-any, dst-ipv6-any, and dst-class-list are mutually exclusive

    **Reference Object:** :doc:`/axapi/v3/object-group/network`

**dst-obj-network**

    **Description** Network object

    **Type:** string

    **Maximum Length:** 63 characters

    **Maximum Length:** 1 characters

    **Mutual Exclusion:** dst-obj-network, dst-geoloc-name, dst-geoloc-list, dst-ipv4-any, dst-ipv6-any, and dst-class-list are mutually exclusive

    **Reference Object:** :doc:`/axapi/v3/object/network`

**dst-slb-server**

    **Description** SLB Real server name

    **Type:** string

    **Format:** string-rlx

    **Maximum Length:** 127 characters

    **Maximum Length:** 1 characters

    **Mutual Exclusion:** dst-slb-server, dst-geoloc-name, dst-geoloc-list, dst-ipv4-any, dst-ipv6-any, and dst-class-list are mutually exclusive

    **Reference Object:** :doc:`/axapi/v3/slb/server`

**dst-slb-vserver**

    **Description** SLB Virtual server name

    **Type:** string

    **Format:** string-rlx

    **Maximum Length:** 127 characters

    **Maximum Length:** 1 characters

    **Mutual Exclusion:** dst-slb-vserver, dst-geoloc-name, dst-geoloc-list, dst-ipv4-any, dst-ipv6-any, and dst-class-list are mutually exclusive

    **Reference Object:** :doc:`/axapi/v3/slb/virtual-server`

.. _2588_rule-list_move-rule:

rule-list_move-rule
^^^^^^^^^^^^^^^^^^^

=============================== ===================================================
**Specification**               **Value**
=============================== ===================================================
**Type**                        *object*
=============================== ===================================================

**location**

    **Description** 'top': top; 'before': before; 'after': after; 'bottom': bottom;

    **Type:** string

    **Supported Values:** top, before, after, bottom

    **Default:** bottom

**target-rule**

    **Description**

    **Type:** string

    **Maximum Length:** 63 characters

    **Maximum Length:** 1 characters

.. _2588_rule-list_source-list:

rule-list_source-list
^^^^^^^^^^^^^^^^^^^^^

=============================== ===================================================
**Specification**               **Value**
=============================== ===================================================
**Type**                        *list*
**Block object keys**
=============================== ===================================================

**src-ip-subnet**

    **Description** IPv4 IP Address

    **Type:** string

    **Format:** ipv4-cidr

    **Mutual Exclusion:** src-ip-subnet, src-geoloc-name, src-geoloc-list, src-ipv4-any, src-ipv6-any, src-class-list, and src-ipv6-subnet are mutually exclusive

**src-ipv6-subnet**

    **Description** IPv6 IP Address

    **Type:** string

    **Format:** ipv6-address-plen

    **Mutual Exclusion:** src-ipv6-subnet, src-geoloc-name, src-geoloc-list, src-ipv4-any, src-ipv6-any, src-class-list, and src-ip-subnet are mutually exclusive

**src-obj-grp-network**

    **Description** Network object group

    **Type:** string

    **Format:** string-rlx

    **Maximum Length:** 63 characters

    **Maximum Length:** 1 characters

    **Mutual Exclusion:** src-obj-grp-network, src-geoloc-name, src-geoloc-list, src-ipv4-any, src-ipv6-any, and src-class-list are mutually exclusive

    **Reference Object:** :doc:`/axapi/v3/object-group/network`

**src-obj-network**

    **Description** Network object

    **Type:** string

    **Maximum Length:** 63 characters

    **Maximum Length:** 1 characters

    **Mutual Exclusion:** src-obj-network, src-geoloc-name, src-geoloc-list, src-ipv4-any, src-ipv6-any, and src-class-list are mutually exclusive

    **Reference Object:** :doc:`/axapi/v3/object/network`

**src-slb-server**

    **Description** SLB Real server name

    **Type:** string

    **Format:** string-rlx

    **Maximum Length:** 127 characters

    **Maximum Length:** 1 characters

    **Mutual Exclusion:** src-slb-server, src-geoloc-name, src-geoloc-list, src-ipv4-any, src-ipv6-any, and src-class-list are mutually exclusive

    **Reference Object:** :doc:`/axapi/v3/slb/server`

.. _2588_rule-list_service-list:

rule-list_service-list
^^^^^^^^^^^^^^^^^^^^^^

=============================== ===================================================
**Specification**               **Value**
=============================== ===================================================
**Type**                        *list*
**Block object keys**
=============================== ===================================================

**alg**

    **Description** 'FTP': FTP; 'TFTP': TFTP; 'SIP': SIP; 'DNS': DNS; 'PPTP': PPTP; 'RTSP': RTSP; 'ESP': ESP;

    **Type:** string

    **Supported Values:** FTP, TFTP, SIP, DNS, PPTP, RTSP, ESP

**eq-dst-port**

    **Description** Equal to the port number

    **Type:** number

    **Range:** 1-65535

**eq-src-port**

    **Description** Equal to the port number

    **Type:** number

    **Range:** 1-65535

**gt-dst-port**

    **Description** Greater than the port number

    **Type:** number

    **Range:** 1-65534

**gt-src-port**

    **Description** Greater than the port number

    **Type:** number

    **Range:** 1-65534

**icmp**

    **Description** ICMP

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

    **Mutual Exclusion:** icmp, service-any, and icmpv6 are mutually exclusive

**icmp-code**

    **Description** ICMP code number

    **Type:** number

    **Range:** 0-254

    **Mutual Exclusion:** icmp-code and special-code are mutually exclusive

**icmp-type**

    **Description** ICMP type number

    **Type:** number

    **Range:** 0-254

    **Mutual Exclusion:** icmp-type and special-type are mutually exclusive

**icmpv6**

    **Description** ICMPv6

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

    **Mutual Exclusion:** icmpv6, service-any, and icmp are mutually exclusive

**icmpv6-code**

    **Description** ICMPv6 code number

    **Type:** number

    **Range:** 0-254

    **Mutual Exclusion:** icmpv6-code and special-v6-code are mutually exclusive

**icmpv6-type**

    **Description** ICMPv6 type number

    **Type:** number

    **Range:** 0-254

    **Mutual Exclusion:** icmpv6-type and special-v6-type are mutually exclusive

**lt-dst-port**

    **Description** Lower than the port number

    **Type:** number

    **Range:** 2-65535

**lt-src-port**

    **Description** Lower than the port number

    **Type:** number

    **Range:** 2-65535

**obj-grp-service**

    **Description** service object group

    **Type:** string

    **Format:** string-rlx

    **Maximum Length:** 63 characters

    **Maximum Length:** 1 characters

    **Mutual Exclusion:** obj-grp-service and service-any are mutually exclusive

    **Reference Object:** :doc:`/axapi/v3/object-group/service`

**port-num-end-dst**

    **Description** Ending Port Number

    **Type:** number

    **Range:** 1-65535

**port-num-end-src**

    **Description** Ending Port Number

    **Type:** number

    **Range:** 1-65535

**proto-id**

    **Description** Protocol ID

    **Type:** number

    **Range:** 0-255

    **Mutual Exclusion:** proto-id and service-any are mutually exclusive

**protocols**

    **Description** 'tcp': tcp; 'udp': udp; 'sctp': sctp;

    **Type:** string

    **Supported Values:** tcp, udp, sctp

    **Mutual Exclusion:** protocols and service-any are mutually exclusive

**range-dst-port**

    **Description** Port range (Starting Port Number)

    **Type:** number

    **Range:** 1-65535

**range-src-port**

    **Description** Port range (Starting Port Number)

    **Type:** number

    **Range:** 1-65535

**sctp-template**

    **Description** SCTP Template

    **Type:** string

    **Format:** string-rlx

    **Maximum Length:** 63 characters

    **Maximum Length:** 1 characters

    **Reference Object:** :doc:`/axapi/v3/template/sctp`

**special-code**

    **Description** 'any-code': Any ICMP code; 'frag-required': Code 4, fragmentation required; 'host-unreachable': Code 1, destination host unreachable; 'network-unreachable': Code 0, destination network unreachable; 'port-unreachable': Code 3, destination port unreachable; 'proto-unreachable': Code 2, destination protocol unreachable; 'route-failed': Code 5, source route failed;

    **Type:** string

    **Supported Values:** any-code, frag-required, host-unreachable, network-unreachable, port-unreachable, proto-unreachable, route-failed

    **Mutual Exclusion:** special-code and icmp-code are mutually exclusive

**special-type**

    **Description** 'any-type': Any ICMP type; 'echo-reply': Type 0, echo reply; 'echo-request': Type 8, echo request; 'info-reply': Type 16, information reply; 'info-request': Type 15, information request; 'mask-reply': Type 18, address mask reply; 'mask-request': Type 17, address mask request; 'parameter-problem': Type 12, parameter problem; 'redirect': Type 5, redirect message; 'source-quench': Type 4, source quench; 'time-exceeded': Type 11, time exceeded; 'timestamp': Type 13, timestamp; 'timestamp-reply': Type 14, timestamp reply; 'dest-unreachable': Type 3, destination unreachable;

    **Type:** string

    **Supported Values:** any-type, echo-reply, echo-request, info-reply, info-request, mask-reply, mask-request, parameter-problem, redirect, source-quench, time-exceeded, timestamp, timestamp-reply, dest-unreachable

    **Mutual Exclusion:** special-type and icmp-type are mutually exclusive

**special-v6-code**

    **Description** 'any-code': Any ICMPv6 code; 'addr-unreachable': Code 3, address unreachable; 'admin-prohibited': Code 1, admin prohibited; 'no-route': Code 0, no route to destination; 'not-neighbour': Code 2, not neighbor; 'port-unreachable': Code 4, destination port unreachable;

    **Type:** string

    **Supported Values:** any-code, addr-unreachable, admin-prohibited, no-route, not-neighbour, port-unreachable

    **Mutual Exclusion:** special-v6-code and icmpv6-code are mutually exclusive

**special-v6-type**

    **Description** 'any-type': Any ICMPv6 type; 'dest-unreachable': Type 1, destination unreachable; 'echo-reply': Type 129, echo reply; 'echo-request': Type 128, echo request; 'packet-too-big': Type 2, packet too big; 'param-prob': Type 4, parameter problem; 'time-exceeded': Type 3, time exceeded;

    **Type:** string

    **Supported Values:** any-type, dest-unreachable, echo-reply, echo-request, packet-too-big, param-prob, time-exceeded

    **Mutual Exclusion:** special-v6-type and icmpv6-type are mutually exclusive

.. _2588_rules-by-zone:

rules-by-zone
^^^^^^^^^^^^^

=============================== ===================================================
**Specification**               **Value**
=============================== ===================================================
**Type**                        *object*
=============================== ===================================================

**sampling-enable**

    **Type:** List

**uuid**

    **Description** uuid of the object

    **Type:** string

    **Maximum Length:** 64 characters

    **Maximum Length:** 1 characters

.. _2588_rules-by-zone_sampling-enable:

rules-by-zone_sampling-enable
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

=============================== ===================================================
**Specification**               **Value**
=============================== ===================================================
**Type**                        *list*
**Block object keys**
=============================== ===================================================

**counters1**

    **Description** 'all': all; 'dummy': Entry for a10countergen;

    **Type:** string

    **Supported Values:** all, dummy
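
The ``rule-list_action-group`` attributes documented above carry several overlapping mutual-exclusion lists, ranges and enumerations that are easy to violate when rule payloads are generated by automation. The following is an added example, not part of the A10 reference or its tooling: a pre-flight lint that checks an ``action-group`` object against those documented constraints before it is submitted. The function names and sample payloads are constructed, and the pairwise reading of each "Mutual Exclusion" line is an assumption.

```python
# Added example: lint an action-group payload against the constraints
# documented above. Helper names and sample payloads are constructed.

# Assumption: each attribute's "Mutual Exclusion" line means the attribute
# conflicts with every other attribute named on that same line.
CONFLICTS = {
    "cgnv6": {"listen-on-port", "forward", "ipsec", "ipsec-group"},
    "forward": {"ipsec", "ipsec-group", "cgnv6"},
    "ipsec": {"permit-log", "listen-on-port", "forward", "ipsec-group",
              "cgnv6", "permit-respond-to-user-mac"},
    "ipsec-group": {"permit-log", "listen-on-port", "forward", "ipsec", "cgnv6"},
    "listen-on-port": {"ipsec", "ipsec-group", "cgnv6"},
    "permit-log": {"ipsec", "ipsec-group"},
    "permit-respond-to-user-mac": {"ipsec"},
    "dscp-number": {"dscp-value"},
}
RANGES = {"dscp-number": (0, 63), "cgnv6-lsn-lid": (1, 1023),
          "cgnv6-ds-lite-lsn-lid": (1, 1023), "permit-limit-policy": (1, 1023)}
ENUMS = {
    "type": {"permit", "deny", "reset"},
    "cgnv6-policy": {"lsn-lid", "fixed-nat", "ds-lite"},
    "dscp-value": {"default", "ef"}
    | {f"af{c}{d}" for c in "1234" for d in "123"}
    | {f"cs{n}" for n in range(1, 8)},
}
# Value-carrying attributes count as set when present, even if the value is 0.
VALUED = {"dscp-number", "dscp-value"}


def is_set(payload, key):
    """True if the attribute is configured (booleans accept true/false/1/0)."""
    if payload.get(key) is None:
        return False
    return key in VALUED or payload[key] in (1, True)


def lint_action_group(payload):
    """Return a sorted list of violations; an empty list means clean."""
    problems = set()
    for key, others in CONFLICTS.items():
        for other in others:
            if is_set(payload, key) and is_set(payload, other):
                a, b = sorted((key, other))
                problems.add(f"{a} and {b} are mutually exclusive")
    for key, (lo, hi) in RANGES.items():
        value = payload.get(key)
        if value is not None and not (type(value) is int and lo <= value <= hi):
            problems.add(f"{key}={value!r} is outside {lo}-{hi}")
    for key, allowed in ENUMS.items():
        value = payload.get(key)
        if value is not None and value not in allowed:
            problems.add(f"{key}={value!r} is not a supported value")
    return sorted(problems)


# Constructed sample payloads.
CLEAN = {"type": "permit", "forward": 1, "permit-log": 1,
         "set-dscp": 1, "dscp-value": "af41"}
BROKEN = {"type": "allow", "ipsec": 1, "permit-log": 1, "dscp-number": 0,
          "dscp-value": "ef", "permit-limit-policy": 2048}

if __name__ == "__main__":
    for name, sample in (("CLEAN", CLEAN), ("BROKEN", BROKEN)):
        print(name, lint_action_group(sample) or "ok")
```

Note that ``dscp-number`` is treated as set even at ``0``, since 0 is inside its documented range and still conflicts with ``dscp-value``.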