Replace Firewall Rules operation
The Replace Firewall Rules operation enables you to overwrite all the rules in the specified firewall.
The following table describes the elements for the <items> XML element and adapter request for the Replace Firewall Rules operation:
Elements for the <items> XML element and adapter request for the Replace Firewall Rules operation
Element | Definition | Required |
---|---|---|
container-name | Specifies the container that contains the zone | Yes |
vfw-name | Specifies the name of the virtual firewall (VFW) | Conditional; required if |
interface-name | Specifies the name of the interface to which the access control list (ACL) is applied | Conditional; required if |
 | Specifies whether the ACL is inbound | No |
zone-name | Specifies the unique zone name that identifies a VFW for legacy containers. Note: One or more VFWs exist within a container and not inside any zone. So the | Conditional; required if |
context-host-address | Specifies the address of the host, in dotted decimal format, which is the source or the destination in the rule that is to be overwritten | No |
rules | Specifies the firewall rules that you want to replace or append | Yes |
rule-d-t-os | Contains the elements required to replace the rules in the specified firewall | Yes |
element | Specifies the individual firewall rule information that you want to replace or append | Yes |
description | Specifies the description of the specified rule | No |
destination-host-address | Specifies the address of the destination host that is involved when blocking a particular host. Note: For "any" destination, specify 0.0.0.0 as the | Conditional; not required if you specify |
destination-network-address | Specifies the address of the destination subnet involved when blocking a range of hosts | Conditional; not required if you specify |
destination-network-mask | Specifies the mask of the destination subnet involved when blocking a range of hosts | Conditional; not required if you specify |
destination-port | Specifies the destination port being blocked | No |
enabled-flag | Specifies whether the rule is enabled or disabled | No |
permit-flag | Specifies whether the rule permits or denies the specified traffic | No |
source-host-address | Specifies the address of the source involved when blocking a particular host | Conditional; not required if you specify |
source-network-address | Specifies the address of the source subnet involved when blocking a range of hosts. Note: For "any" destination, specify 0.0.0.0 as the | Conditional; not required if you specify |
source-network-mask | Specifies the mask of the source subnet involved when blocking a range of hosts. Note: For "any" destination, specify 0.0.0.0 as the | Conditional; not required if you specify |
transport-protocol | Specifies the identifier for the transport protocol being blocked | No |
vfw-last-updated-token | Specifies a token that represents when the rules were last updated | Yes |
The following figure shows a sample <items> XML element for the Replace Firewall Rules operation:
<items> XML element for the Replace Firewall Rules operation
<items>
  <item>
    <parameters>
      <container-name>LargeGoldContainer1</container-name>
      <fw-acl-selector-d-t-o>
        <vfw-name>VFW</vfw-name>
        <interface-name>inside</interface-name>
        <zone-name></zone-name>
      </fw-acl-selector-d-t-o>
      <context-host-address>20.20.20.20</context-host-address>
      <rules>
        <rule-d-t-os>
          <element>
            <description>Rule to be updated</description>
            <destination-host-address>1.1.1.5</destination-host-address>
            <destination-port>2256</destination-port>
            <enabled-flag>false</enabled-flag>
            <permit-flag>false</permit-flag>
            <source-host-address>1.1.1.89</source-host-address>
            <transport-protocol>2</transport-protocol>
          </element>
        </rule-d-t-os>
        <vfw-last-updated-token>832762361916829766</vfw-last-updated-token>
      </rules>
    </parameters>
  </item>
</items>
The following figure shows a sample adapter request for the Replace Firewall Rules operation with the <destination-host-address> element:
Sample adapter request for the Replace Firewall Rules operation with the <destination-host-address> element
<bmc-configuration-automation-networks-request>
  <soap-url>https://global-4kzwgfd2:447</soap-url>
  <user-name>sysadmin</user-name>
  <password>bmcadmin</password>
  <soap-version>1.1</soap-version>
  <entity>security</entity>
  <request>
    <operation-name>replace-firewall-rules</operation-name>
    <parameters>
      <container-name>LargeGoldContainer1</container-name>
      <fw-acl-selector-d-t-o>
        <vfw-name>VFW</vfw-name>
        <interface-name>inside</interface-name>
        <zone-name></zone-name>
      </fw-acl-selector-d-t-o>
      <context-host-address>20.20.20.20</context-host-address>
      <rules>
        <rule-d-t-os>
          <element>
            <description>Rule to be updated</description>
            <destination-host-address>1.1.1.5</destination-host-address>
            <destination-port>2256</destination-port>
            <enabled-flag>false</enabled-flag>
            <permit-flag>false</permit-flag>
            <source-host-address>1.1.1.89</source-host-address>
            <transport-protocol>2</transport-protocol>
          </element>
        </rule-d-t-os>
        <vfw-last-updated-token>832762361916829766</vfw-last-updated-token>
      </rules>
    </parameters>
  </request>
</bmc-configuration-automation-networks-request>
The following figure shows a sample adapter request for the Replace Firewall Rules operation with the <destination-network-address> and <destination-network-mask> elements:
Sample adapter request for the Replace Firewall Rules operation with the <destination-network-address> and <destination-network-mask> elements
<bmc-configuration-automation-networks-request>
  <soap-url>https://global-4kzwgfd2:447</soap-url>
  <user-name>sysadmin</user-name>
  <password>bmcadmin</password>
  <soap-version>1.1</soap-version>
  <entity>security</entity>
  <request>
    <operation-name>replace-firewall-rules</operation-name>
    <parameters>
      <container-name>LargeGoldContainer1</container-name>
      <fw-acl-selector-d-t-o>
        <vfw-name>VFW</vfw-name>
        <interface-name>inside</interface-name>
        <zone-name></zone-name>
      </fw-acl-selector-d-t-o>
      <context-host-address>20.20.20.20</context-host-address>
      <rules>
        <rule-d-t-os>
          <element>
            <description>Rule to be updated</description>
            <destination-network-address>1.1.1.6</destination-network-address>
            <destination-network-mask>255.255.255.252</destination-network-mask>
            <destination-port>2256</destination-port>
            <enabled-flag>false</enabled-flag>
            <permit-flag>false</permit-flag>
            <source-network-address>1.1.5.9</source-network-address>
            <source-network-mask>255.255.255.248</source-network-mask>
            <transport-protocol>2</transport-protocol>
          </element>
        </rule-d-t-os>
        <vfw-last-updated-token>832762361916829766</vfw-last-updated-token>
      </rules>
    </parameters>
  </request>
</bmc-configuration-automation-networks-request>
The following figure illustrates the adapter response for the sample Replace Firewall Rules operation when execution is successful:
Adapter response for the Replace Firewall Rules operation when execution is successful
<bmc-configuration-automation-networks-response>
  <metadata>
    <status>success</status>
  </metadata>
  <parameters />
</bmc-configuration-automation-networks-response>
The following table describes the response element for the Replace Firewall Rules operation when execution is successful:
Response element for the Replace Firewall Rules operation when execution is successful
Element | Definition |
---|---|
parameters | Is empty when the operation is executed successfully |
The following figure illustrates the adapter response for the sample Replace Firewall Rules operation when execution fails. Note that the top-level <metadata><status> still reads success; the failure is reported in the nested <output><metadata> element, so a caller must inspect that nested status rather than only the top-level one:
Adapter response for the Replace Firewall Rules operation when execution fails
<bmc-configuration-automation-networks-response>
  <metadata>
    <status>success</status>
  </metadata>
  <parameters>
    <output>
      <metadata>
        <status>error</status>
        <error>Error occurred processing request data Summary: Failed to
call a web service.
Caused by:
Summary: Input contains invalid rules: The firewall rule destination
network address should not be populated when destination host address
is populated. The firewall rule destination network mask should not
be populated when destination host address is populated. The firewall
rule source network address should not be populated when source host
address is populated. The firewall rule source network mask should
not be populated when source host address is populated.
        </error>
      </metadata>
    </output>
  </parameters>
</bmc-configuration-automation-networks-response>
The following table describes the response elements for the Replace Firewall Rules operation when execution fails:
Response elements for the Replace Firewall Rules operation when execution fails
Element | Definition |
---|---|
 | Contains the child elements |
metadata | Contains metadata information |
status | Contains the status of the execution |
error | Contains the error message |
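The failing response above spells out the rule-validation constraint (host and network address fields are mutually exclusive per direction) and shows that the error is nested under <output><metadata> while the outer status reads success. The following Python is an added example, not BMC's own code, that checks a rule set for that constraint before sending it and reads the nested status from a response; the sample XML strings are constructed here and only mirror the shapes shown on this page.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Field pairs that the adapter rejects when both are populated in one <element>
# (taken from the error text in the failing response on this page).
EXCLUSIVE = [
    ("destination-host-address", "destination-network-address"),
    ("destination-host-address", "destination-network-mask"),
    ("source-host-address", "source-network-address"),
    ("source-host-address", "source-network-mask"),
]

def rule_conflicts(items_xml: str) -> List[str]:
    """Return one message per host/network conflict found in the <element> rules."""
    root = ET.fromstring(items_xml)
    problems = []
    for i, rule in enumerate(root.iter("element")):
        populated = {c.tag for c in rule if (c.text or "").strip()}
        for host, net in EXCLUSIVE:
            if host in populated and net in populated:
                problems.append(f"rule {i}: {net} must be empty when {host} is set")
    return problems

def response_status(response_xml: str) -> Tuple[str, Optional[str]]:
    """Return (effective status, error text); the nested status wins over the outer one."""
    root = ET.fromstring(response_xml)
    outer = root.findtext("metadata/status")
    inner = root.findtext("parameters/output/metadata/status")
    error = root.findtext("parameters/output/metadata/error")
    if inner == "error":
        return "error", " ".join((error or "").split())
    return outer or "unknown", None

# Constructed sample: a rule that mixes a destination host with a destination mask.
BAD_ITEMS = """<items><item><parameters><rules><rule-d-t-os><element>
<destination-host-address>1.1.1.5</destination-host-address>
<destination-network-mask>255.255.255.252</destination-network-mask>
<source-host-address>1.1.1.89</source-host-address>
</element></rule-d-t-os></rules></parameters></item></items>"""

# Constructed sample mirroring the failing response shape (outer success, nested error).
FAILED_RESPONSE = """<bmc-configuration-automation-networks-response>
<metadata><status>success</status></metadata>
<parameters><output><metadata><status>error</status>
<error>Input contains invalid rules</error></metadata></output></parameters>
</bmc-configuration-automation-networks-response>"""

if __name__ == "__main__":
    print(rule_conflicts(BAD_ITEMS))
    print(response_status(FAILED_RESPONSE))
```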