Get a list of permissive rules
Get a list of tighten permissive rules (permissive rules that should be refined) for a specified device. If the device has child devices, the tighten permissive rules for them are also included in the response. Tighten permissive rules information is available for the latest report.
This method is found in the AFA/Policy_Optimization definition in the swagger.
For information about tighten permissive rules, see Intelligent Policy Tuner.
Note: This method can be used only for reports successfully analyzed in A32.60 and above.
Note: To see the list of tighten permissive rules, you need to do the following:
- Activate the log analysis on the device. To do this:
  - Log in to the AFA web interface, go to Administration > Devices and edit the settings of the device.
  - Select the Collect logs checkbox, and define your log server credentials.
- Make sure that there is a successful analysis for the device.
Resource name: /api/v1/rules/tightenPermissive/{entityTreeName}
Request Method: GET
Request parameters:
Parameter | Data Type | Description |
---|---|---|
entityTreeName (mandatory) | string | Tree name of the device. (To get the entity name for a device or group (including user-defined groups), see Device names in the ASMS APIs.) |
includeAllRuleInfo | boolean | |
pageNumber | integer (int32) | The page number to include in the response. Default value: 0 (value 0 means first page). |
pageSize | integer (int32) | The number of rules to include on each page in the response. Default value: 50. |
Request example:
curl -X 'GET' 'https://<localhost>/ms-policy-optimizations/api/v1/rules/tightenPermissive/10_20_30_40?includeAllRuleInfo=true&pageNumber=0&pageSize=50' -H 'accept: */*'
Status codes:
Code | Description |
---|---|
200 | OK |
400 | Bad Request |
401 | Authentication failure |
Response parameters:
Name | Data Type | Description |
---|---|---|
totalPages | Number | The total number of pages. |
totalElements | Number | The total number of elements. |
pageNumber | Number | The current page number. |
pageSize | Number | The number of elements per page. |
tightenDevicePermissiveRules | Array | An array of objects representing permissive rules for the device. |
deviceTreeName | String | The name of the device tree. |
tightenPermissiveRules | Array | An array of objects representing permissive rules for tightening. |
ruleData | Object | An object containing data for the permissive rule. |
ruleId | String | The ID of the rule. |
ruleNumber | String | The number of the rule. |
ruleName | String | The name of the rule. |
sources | Array | An array of source addresses. |
destinations | Array | An array of destination addresses. |
services | Array | An array of services. |
applications | Array | An array of applications. |
action | String | The action to be taken for the rule. |
comment | String | Additional comments for the rule. |
isEnabled | String | Indicates whether the rule is enabled or disabled. |
sectionHeader | String | The section header of the rule. |
global | String | The global setting for the rule. |
log | String | The log setting for the rule. |
install | String | The install setting for the rule. |
count | Number | The count of the permissive rule. |
percentage | String | The percentage of the permissive rule. |
lastUse | String | The date and time of the last use of the permissive rule. |
tightenPermissiveRuleRecommendations | Array | An array of objects representing recommendations for tightening permissive rules. |
fieldType | String | The type of field the recommendation applies to (source, destination, or service). |
name | String | The name of the recommendation. |
definition | Array | An array of definitions for the recommendation. |
recommendationOperation | String | The operation to be performed for the recommendation. |
trafficBreakdown | Array | An array of objects representing traffic breakdown information. |
fieldType | String | The type of field (source, destination, or service). |
definition | String | The definition of the field. |
name | String | The name of the field. |
density | String | The density of the field. |
densityMeaning | String | The meaning of the field density. |
unused | Array | An array of unused values for the field. |
usage | Array | An array of usage information for the field. |
metadata | Object | An object containing metadata information. |
reportName | String | The name of the report. |
deviceName | String | The name of the device. |
calculationTime | String | The date and time of the calculation. |
startDate | String | The start date of the log |
endDate | String | The end date of the log data. |
totalLogDays | Number | The total number of log days. |
daysWithLogs | Number | The number of days with logs. |
daysWithoutLogs | Number | The number of days without logs. |
datesWithoutLog | Array | An array of dates without log data. |
policy | String | The policy name. |
Response example (success 200):
{
  "totalPages": 1,
  "totalElements": 5,
  "pageNumber": 0,
  "pageSize": 50,
  "tightenDevicePermissiveRules": [
    {
      "deviceTreeName": "GW_Lucario",
      "tightenPermissiveRules": [
        {
          "ruleData": {
            "ruleId": "E5EEF1DD-4659-460A-9CF2-404D8C558F8C",
            "ruleNumber": "1",
            "ruleName": "DO NOT TOUCH!!",
            "sources": [ "net_10.20.x.x" ],
            "destinations": [ "GW-Lucario" ],
            "services": [ "Any" ],
            "applications": [],
            "action": "Accept",
            "comment": "",
            "isEnabled": "Enabled",
            "sectionHeader": "",
            "global": "middle",
            "log": "Log",
            "install": "Policy Targets",
            "ruleData": {
              "layer type": [ { "value": "Ordered", "icon": null } ],
              "global": [ { "value": "middle", "icon": null } ],
              "content": [ { "value": "Any", "icon": null } ],
              "rule position": [ { "value": "1", "icon": null } ],
              "layer name": [ { "value": "Network", "icon": null } ],
              "parent rule uid": [ { "value": "", "icon": null } ],
              "is last rule": [ { "value": "false", "icon": null } ],
              "original rule uid": [ { "value": "E5EEF1DD-4659-460A-9CF2-404D8C558F8C", "icon": null } ],
              "ordered layer index": [ { "value": "1", "icon": null } ],
              "is parent rule": [ { "value": "false", "icon": null } ],
              "layer uid": [ { "value": "63b7fe60-76d2-4287-bca5-21af87337b0a", "icon": null } ],
              "layer identifier": [ { "value": "63b7fe60-76d2-4287-bca5-21af87337b0a", "icon": null } ],
              "install": [ { "value": "Policy Targets", "icon": null } ],
              "vpn": [ { "value": "Any", "icon": null } ],
              "name": [ { "value": "DO NOT TOUCH!!", "icon": null } ],
              "time": [ { "value": "Any", "icon": null } ],
              "section_header": [ { "value": "", "icon": null } ]
            }
          },
          "count": 244,
          "percentage": "0.024%",
          "lastUse": "2023-06-08 12:00",
          "tightenPermissiveRuleRecommendations": [
            {
              "fieldType": "dst",
              "name": "New_Object_2",
              "definition": [ "10.20.150.96/32" ],
              "recommendationOperation": "create a new object and replace"
            },
            {
              "fieldType": "srv",
              "name": "New_Service_1",
              "definition": [ "tcp/22" ],
              "recommendationOperation": "create a new object and replace"
            },
            {
              "fieldType": "src",
              "name": "New_Object_1",
              "definition": [ "10.20.4.0/24", "10.20.202.0/24" ],
              "recommendationOperation": "create a new object and replace"
            }
          ],
          "trafficBreakdown": [
            {
              "fieldType": "src",
              "definition": "NETWORK_OBJECT",
              "name": "net_10.20.x.x",
              "density": "0.78",
              "densityMeaning": "Sparse",
              "unused": [
                "10.20.0.0 - 10.20.3.255",
                "10.20.5.0 - 10.20.201.255",
                "10.20.203.0 - 10.20.255.255"
              ],
              "usage": [
                { "name": "10.20.202.0-10.20.202.255", "count": 89, "date": "2023-06-07 12:00", "percentage": "36.48" },
                { "name": "10.20.4.0-10.20.4.255", "count": 155, "date": "2023-06-08 12:00", "percentage": "63.52" }
              ]
            },
            {
              "fieldType": "srv",
              "definition": "SERVICE",
              "name": "Any",
              "density": "<0.01",
              "densityMeaning": "Sparse",
              "unused": [
                "103/0-65535", "109/0-65535",
                "opaque_10/0-65535", "opaque_11/0-65535", "opaque_12/0-65535", "opaque_13/0-65535",
                "opaque_37/0-65535", "opaque_38/0-65535", "opaque_39/0-65535", "opaque_4/0-65535",
                "opaque_40/0-65535", "opaque_41/0-65535", "opaque_42/0-65535", "opaque_43/0-65535",
                "opaque_44/0-65535", "opaque_45/0-65535", "opaque_46/0-65535", "opaque_65/0-65535",
                "opaque_66/0-65535", "opaque_67/0-65535", "opaque_68/0-65535", "opaque_69/0-65535",
                "opaque_7/0-65535", "opaque_70/0-65535", "opaque_71/0-65535", "opaque_8/0-65535",
                "opaque_9/0-65535",
                "tcp/0-21", "tcp/23-65535", "udp/0-65535"
              ],
              "usage": [
                { "name": "tcp:*:22", "count": 244, "date": "2023-06-08 12:00", "percentage": "100" }
              ]
            },
            {
              "fieldType": "dst",
              "definition": "NETWORK_OBJECT",
              "name": "GW-Lucario",
              "density": "50",
              "densityMeaning": "Sparse",
              "unused": [ "10.40.150.96" ],
              "usage": [
                { "name": "10.20.150.96", "count": 244, "date": "2023-06-08 12:00", "percentage": "100" }
              ]
            }
          ]
        }
      ],
      "metadata": {
        "reportName": "afa-33063",
        "deviceName": "GW_Lucario",
        "calculationTime": "2023-06-08 01:38",
        "startDate": "2023-02-27 12:00",
        "endDate": "2023-06-08 12:00",
        "totalLogDays": 100,
        "daysWithLogs": 99,
        "daysWithoutLogs": 1,
        "datesWithoutLog": [ "28Feb2023" ],
        "policy": "Standard.W"
      }
    }
  ]
}
Response example (failure 401):
{ "timestamp": 1686658495558, "status": 401, "error": "Unauthorized", "path": "/api/v1/rules/tightenPermissive/GW_Lucario" }
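One way to consume the success response, as an added example that is not AlgoSec's own code: it walks the paged result and lists, per rule, the current field values beside the proposed replacements, together with the dates that had no logs. `fetch_page` is a hypothetical callable wrapping the authenticated GET request; the `FIELD` mapping and the position of `metadata` inside each device entry are assumptions read from the response example.

```python
import json

# Constructed sample: a trimmed copy of the success response shown on this page.
SAMPLE = json.loads("""
{"totalPages": 1, "totalElements": 1, "pageNumber": 0, "pageSize": 50,
 "tightenDevicePermissiveRules": [{
   "deviceTreeName": "GW_Lucario",
   "tightenPermissiveRules": [{
     "ruleData": {"ruleNumber": "1", "ruleName": "DO NOT TOUCH!!",
       "sources": ["net_10.20.x.x"], "destinations": ["GW-Lucario"], "services": ["Any"]},
     "count": 244, "lastUse": "2023-06-08 12:00",
     "tightenPermissiveRuleRecommendations": [
       {"fieldType": "dst", "definition": ["10.20.150.96/32"]}, {"fieldType": "srv", "definition": ["tcp/22"]},
       {"fieldType": "src", "definition": ["10.20.4.0/24", "10.20.202.0/24"]}]}],
   "metadata": {"reportName": "afa-33063", "datesWithoutLog": ["28Feb2023"]}}]}
""")

# Assumed mapping from the fieldType values in the example to ruleData keys.
FIELD = {"src": "sources", "dst": "destinations", "srv": "services"}

def iter_pages(fetch_page, page_size=50):
    """Yield each response page; fetch_page(page_number, page_size) returns the parsed body."""
    page = 0
    while True:
        body = fetch_page(page, page_size)
        yield body
        page += 1
        if page >= body.get("totalPages", 0):  # pageNumber is zero-based
            return

def tightening_plan(body):
    """Flatten one page into per-rule current-vs-proposed field values."""
    plan = []
    for dev in body.get("tightenDevicePermissiveRules", []):
        meta = dev.get("metadata", {})
        for rule in dev.get("tightenPermissiveRules", []):
            data = rule["ruleData"]
            changes = {}
            for rec in rule.get("tightenPermissiveRuleRecommendations", []):
                key = FIELD.get(rec["fieldType"], rec["fieldType"])
                changes[key] = {"current": data.get(key, []), "proposed": rec["definition"]}
            plan.append({"device": dev["deviceTreeName"], "rule": data["ruleNumber"],
                         "name": data["ruleName"], "hits": rule["count"], "changes": changes,
                         "dates_without_log": meta.get("datesWithoutLog", [])})
    return plan

if __name__ == "__main__":
    for page in iter_pages(lambda n, size: SAMPLE):
        print(json.dumps(tightening_plan(page), indent=2))
```

The recommendations reflect only traffic seen in the collected logs, so a non-empty `dates_without_log` is worth reviewing before a proposed change is applied.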