Replace Firewall Rules operation

The Replace Firewall Rules operation enables you to overwrite all the rules in the specified firewall.

The following table describes the elements for the <items> XML element and adapter request for the Replace Firewall Rules operation:

Elements for the <items> XML element and adapter request for the Replace Firewall Rules operation

Element

Definition

Required

<container-name>

Specifies the container that contains the zone

Yes

<vfw-name>

Specifies the name of the virtual firewall (VFW)

Valid value: Any string

Conditional; required if <zone-name> is not specified

<interface-name>

Specifies the name of the interface to which the access control list (ACL) is applied

Valid value: Any string

Conditional; required if <zone-name> is not specified

<inbound-acl-flag>

Specifies whether the ACL is inbound

Valid values: true, false (default)

No

<zone-name>

Specifies the unique zone name that identifies a VFW for legacy containers

Note

One or more VFWs exist within a container, not inside any zone, so <zone-name> is not applicable in version 8.2 of BMC Network Automation; it exists for legacy reasons only.

Valid value: Any string

Conditional; required if <vfw-name> and <interface-name> are not specified

<context-host-address>

Specifies the address, in dotted decimal format, of the host that is the source or the destination of the rules to be overwritten

  • If <context-host-address> is not specified or contains an empty value, all existing rules are replaced.
  • If <context-host-address> is not empty, only those rules with a matching <source-host-address> or <destination-host-address> are replaced.

No

<rules>

Specifies the firewall rules that you want to replace or append

Yes

<rule-d-t-os>

Contains the elements required to replace the rules in the specified firewall

Yes

<element>

Specifies the individual firewall rule information that you want to replace or append

The <element> element contains the following child elements:

  • <description>
  • <destination-host-address>
  • <destination-network-address>
  • <destination-network-mask>
  • <destination-port>
  • <enabled-flag>
  • <permit-flag>
  • <source-host-address>
  • <source-network-address>
  • <source-network-mask>
  • <transport-protocol>

Yes

<description>

Specifies the description of the specified rule

No

<destination-host-address>

Specifies the address of the destination host that is involved when blocking a particular host

Note

For "any" destination, specify 0.0.0.0 as the <destination-network-address> and 0.0.0.0 as the <destination-network-mask>.

Conditional; not required if you specify <destination-network-address> and <destination-network-mask>

<destination-network-address>

Specifies the address of the destination subnet involved when blocking a range of hosts

Conditional; not required if you specify <destination-host-address>

<destination-network-mask>

Specifies the mask of the destination subnet involved when blocking a range of hosts

Conditional; not required if you specify <destination-host-address>

<destination-port>

Specifies the destination port being blocked

No

<enabled-flag>

Specifies whether the rule is enabled or disabled

Valid values: true, false (default)

No

<permit-flag>

Specifies whether the rule permits or denies the specified traffic

Valid values: true, false (default)

No

<source-host-address>

Specifies the address of the source involved when blocking a particular host

<source-host-address> can be a computer name, such as java.sun.com, or a textual representation of its IP address in dotted decimal format, such as 192.9.162.55. Address strings returned by the BMC Network Automation application are always in dotted decimal format.

Conditional; not required if you specify <source-network-address> and <source-network-mask>

<source-network-address>

Specifies the address of the source subnet involved when blocking a range of hosts

<source-network-address> can be a computer name, such as java.sun.com, or a textual representation of its IP address in dotted decimal format, such as 192.9.162.55. Address strings returned by the BMC Network Automation application are always in dotted decimal format.

Note

For "any" destination, specify 0.0.0.0 as the <destination-network-address> and 0.0.0.0 as the <destination-network-mask>.

Conditional; not required if you specify <source-host-address>

<source-network-mask>

Specifies the mask of the source subnet involved when blocking a range of hosts

Note

For "any" destination, specify 0.0.0.0 as the <destination-network-address> and 0.0.0.0 as the <destination-network-mask>.

Conditional; not required if you specify <source-host-address>

<transport-protocol>

Specifies the identifier for the transport protocol being blocked

No

<vfw-last-updated-token>

Specifies a token that represents when the rules were last updated

Valid value: Any positive integer

Yes

The following figure shows a sample <items> XML element for the Replace Firewall Rules operation:

<items> XML element for the Replace Firewall Rules operation

<items>
  <item>
    <parameters>
      <container-name>LargeGoldContainer1</container-name>
      <fw-acl-selector-d-t-o>
        <vfw-name>VFW</vfw-name>
        <interface-name>inside</interface-name>
        <zone-name></zone-name>
      </fw-acl-selector-d-t-o>
      <context-host-address>20.20.20.20</context-host-address>
      <rules>
        <rule-d-t-os>
          <element>
            <description>Rule to be updated</description>
            <destination-host-address>1.1.1.5</destination-host-address>
            <destination-port>2256</destination-port>
            <enabled-flag>false</enabled-flag>
            <permit-flag>false</permit-flag>
            <source-host-address>1.1.1.89</source-host-address>
            <transport-protocol>2</transport-protocol>
          </element>
        </rule-d-t-os>
        <vfw-last-updated-token>832762361916829766</vfw-last-updated-token>
      </rules>
    </parameters>
  </item>
</items>
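The scoping behaviour of <context-host-address> described in the table is easy to get wrong: an empty value replaces every rule on the ACL, not just the ones touching a given host. The following Python is an added example, not BMC code or part of this page; it models that rule set transition on constructed sample rules so the set of rules a request will discard can be reviewed before the request is sent.

```python
from typing import Dict, List, Optional

# A rule is a dict keyed by the child element names of <element>
# (source-host-address, destination-host-address, permit-flag, ...).
Rule = Dict[str, str]

def rules_affected(existing: List[Rule], context_host_address: Optional[str]) -> List[Rule]:
    """Existing rules the operation will discard; review this before submitting the request.

    Empty or missing <context-host-address>: every existing rule is replaced.
    Otherwise only rules whose <source-host-address> or <destination-host-address>
    equals the context address are replaced.
    """
    if not context_host_address:
        return list(existing)
    return [r for r in existing
            if context_host_address in (r.get("source-host-address"),
                                        r.get("destination-host-address"))]

def replace_rules(existing: List[Rule], new_rules: List[Rule],
                  context_host_address: Optional[str]) -> List[Rule]:
    """Rule set left on the VFW after the call: untouched rules first, then the new ones."""
    dropped = {id(r) for r in rules_affected(existing, context_host_address)}
    return [r for r in existing if id(r) not in dropped] + list(new_rules)

# Constructed sample rule set (not from the page); 20.20.20.20 matches the sample request.
EXISTING = [
    {"description": "mgmt in", "source-host-address": "20.20.20.20",
     "destination-host-address": "10.0.0.5", "permit-flag": "true"},
    {"description": "mgmt out", "source-host-address": "10.0.0.7",
     "destination-host-address": "20.20.20.20", "permit-flag": "true"},
    {"description": "db", "source-host-address": "10.0.0.8",
     "destination-host-address": "10.0.0.9", "permit-flag": "true"},
]
NEW = [{"description": "Rule to be updated", "source-host-address": "1.1.1.89",
        "destination-host-address": "1.1.1.5", "destination-port": "2256",
        "permit-flag": "false", "transport-protocol": "2"}]

if __name__ == "__main__":
    # Scoped call: only the two rules that touch 20.20.20.20 go away.
    print(len(rules_affected(EXISTING, "20.20.20.20")), "rule(s) replaced")
    # Unscoped call: an empty context address wipes every existing rule on the ACL.
    print(len(rules_affected(EXISTING, "")), "rule(s) replaced")
```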

The following figure shows a sample adapter request for the Replace Firewall Rules operation with the <destination-host-address> element:

Sample adapter request for the Replace Firewall Rules operation with the <destination-host-address> element

<bmc-configuration-automation-networks-request>
    <soap-url>https://global-4kzwgfd2:447</soap-url>
    <user-name>sysadmin</user-name>
    <password>bmcadmin</password>
    <soap-version>1.1</soap-version>
    <entity>security</entity>
    <request>
        <operation-name>replace-firewall-rules</operation-name>
        <parameters>
            <container-name>LargeGoldContainer1</container-name>
            <fw-acl-selector-d-t-o>
                <vfw-name>VFW</vfw-name>
                <interface-name>inside</interface-name>
                <zone-name></zone-name>
            </fw-acl-selector-d-t-o>
            <context-host-address>20.20.20.20</context-host-address>
            <rules>
                <rule-d-t-os>
                    <element>
                        <description>Rule to be updated</description>
                        <destination-host-address>1.1.1.5</destination-host-address>
                        <destination-port>2256</destination-port>
                        <enabled-flag>false</enabled-flag>
                        <permit-flag>false</permit-flag>
                        <source-host-address>1.1.1.89</source-host-address>
                        <transport-protocol>2</transport-protocol>
                    </element>
                </rule-d-t-os>
                <vfw-last-updated-token>832762361916829766</vfw-last-updated-token>
            </rules>
        </parameters>
    </request>
</bmc-configuration-automation-networks-request>

The following figure shows a sample adapter request for the Replace Firewall Rules operation with the <destination-network-address> and <destination-network-mask> elements:

Sample adapter request for the Replace Firewall Rules operation with the <destination-network-address> and <destination-network-mask> elements

<bmc-configuration-automation-networks-request>
    <soap-url>https://global-4kzwgfd2:447</soap-url>
    <user-name>sysadmin</user-name>
    <password>bmcadmin</password>
    <soap-version>1.1</soap-version>
    <entity>security</entity>
    <request>
        <operation-name>replace-firewall-rules</operation-name>
        <parameters>
            <container-name>LargeGoldContainer1</container-name>
            <fw-acl-selector-d-t-o>
                <vfw-name>VFW</vfw-name>
                <interface-name>inside</interface-name>
                <zone-name></zone-name>
            </fw-acl-selector-d-t-o>
            <context-host-address>20.20.20.20</context-host-address>
            <rules>
                <rule-d-t-os>
                    <element>
                        <description>Rule to be updated</description>
                        <destination-network-address>1.1.1.6</destination-network-address>
                        <destination-network-mask>255.255.255.252</destination-network-mask>
                        <destination-port>2256</destination-port>
                        <enabled-flag>false</enabled-flag>
                        <permit-flag>false</permit-flag>
                        <source-network-address>1.1.5.9</source-network-address>
                        <source-network-mask>255.255.255.248</source-network-mask>
                        <transport-protocol>2</transport-protocol>
                    </element>
                </rule-d-t-os>
                <vfw-last-updated-token>832762361916829766</vfw-last-updated-token>
            </rules>
        </parameters>
    </request>
</bmc-configuration-automation-networks-request>

The following figure illustrates the adapter response for the sample Replace Firewall Rules operation when execution is successful:

Adapter response for the Replace Firewall Rules operation when execution is successful

<bmc-configuration-automation-networks-response>
  <metadata>
    <status>success</status>
  </metadata>
  <parameters />
</bmc-configuration-automation-networks-response>

The following table describes the response element for the Replace Firewall Rules operation when execution is successful:

Response element for the Replace Firewall Rules operation when execution is successful

Element

Definition

<parameters>

Is empty when the operation is executed successfully

The following figure illustrates the adapter response for the sample Replace Firewall Rules operation when execution fails:

Adapter response for the Replace Firewall Rules operation when execution fails

<bmc-configuration-automation-networks-response>
  <metadata>
    <status>success</status>
  </metadata>
  <parameters>
    <output>
      <metadata>
        <status>error</status>
        <error>Error occurred processing request data   Summary: Failed to
 call a web service.

 Caused by:
   Summary: Input contains invalid rules: The firewall rule destination
 network address should not be populated when destination host address
 is populated. The firewall rule destination network mask should not
 be populated when destination host address is populated. The firewall
 rule source network address should not be populated when source host
 address is populated. The firewall rule source network mask should
 not be populated when source host address is populated.
</error>
      </metadata>
    </output>
  </parameters>
</bmc-configuration-automation-networks-response>
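The failure response above lists the constraint the server enforces per rule: a side is addressed either by a host address or by a network address plus mask, never both. The following Python is an added example, not BMC code or part of this page; it applies that check (plus the table's rule that the subnet form needs both address and mask, with 0.0.0.0/0.0.0.0 meaning "any") to constructed rules before serialising them as an <element>, so a malformed request is caught locally instead of by the web service.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Child elements of <element>, in the order the table above lists them.
ELEMENT_ORDER = ["description", "destination-host-address", "destination-network-address",
                 "destination-network-mask", "destination-port", "enabled-flag", "permit-flag",
                 "source-host-address", "source-network-address", "source-network-mask",
                 "transport-protocol"]

def validate_rule(rule: Dict[str, str]) -> List[str]:
    """Constraint violations for one rule; an empty list means the rule is well formed."""
    errors = []
    for side in ("destination", "source"):
        host = rule.get(f"{side}-host-address")
        net = rule.get(f"{side}-network-address")
        mask = rule.get(f"{side}-network-mask")
        if host:  # host form: the subnet elements must be absent
            for field, value in (("network address", net), ("network mask", mask)):
                if value:
                    errors.append(f"{side} {field} should not be populated "
                                  f"when {side} host address is populated")
        elif not (net and mask):  # subnet form needs both; 0.0.0.0/0.0.0.0 means "any"
            errors.append(f"{side}: give a host address, or both a network address and mask")
    return errors

def rule_to_xml(rule: Dict[str, str]) -> str:
    """Serialise a validated rule as the <element> child of <rule-d-t-os>."""
    problems = validate_rule(rule)
    if problems:
        raise ValueError("; ".join(problems))
    elem = ET.Element("element")
    for name in ELEMENT_ORDER:  # an omitted <permit-flag> defaults to false (deny)
        if name in rule:
            ET.SubElement(elem, name).text = rule[name]
    return ET.tostring(elem, encoding="unicode")

# Constructed rules: MIXED_RULE reproduces the four violations in the failure response above.
GOOD_RULE = {"description": "Rule to be updated", "destination-host-address": "1.1.1.5",
             "destination-port": "2256", "permit-flag": "false",
             "source-host-address": "1.1.1.89", "transport-protocol": "2"}
ANY_DST_RULE = {"destination-network-address": "0.0.0.0", "destination-network-mask": "0.0.0.0",
                "source-host-address": "1.1.1.89", "permit-flag": "true"}
MIXED_RULE = dict(GOOD_RULE, **{"destination-network-address": "1.1.1.6",
                                "destination-network-mask": "255.255.255.252",
                                "source-network-address": "1.1.5.9",
                                "source-network-mask": "255.255.255.248"})
```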

The following table describes the response elements for the Replace Firewall Rules operation when execution fails:

Response elements for the Replace Firewall Rules operation when execution fails

Element

Definition

<parameters>

Contains the child elements

<output>

Contains metadata information

<status>

Contains the status of the execution

The value of <status> is error in this case.

<error>

Contains the error message
