Core resources

core

Comment

Represents a comment from a user.

Attributes

Type: []string
The claims of the author.
Type: string
The content of the comment.
Type: time
The date of the comment.

DiscoveryMode

(Deprecated) When discovery mode is enabled, all flows are accepted. Flows which do not match an existing network policy will be represented by a dotted line in your Platform view.

Example

{ "propagate": false }

Relations

(Deprecated) Returns the list of discovery modes.
(Deprecated) Deploy the discovery mode assets onto the specified namespace.
(Deprecated) Remove the discovery mode assets with the given import reference ID.
(Deprecated) Retrieve the discovery mode with the given import reference ID.

Attributes

Type: string
Identifier of the object.
Type: string
Namespace tag attached to an entity.
Type: boolean
Propagates the policy to all of its children.

Export

Allows you to obtain a JSON object containing policies and other objects from a given namespace. You can then import this JSON object into a different namespace.

Example

{ "identities": [ "externalnetworks", "networkaccesspolicies" ], "label": "my-import-name" }

Relations

Exports all policies and related objects of a namespace.
Parameters:
  • q (string): Filtering query. Multiple q parameters are combined with a logical OR.

Attributes

Type: integer
Version of the Microsegmentation Console API used for the exported data.
List of all exported data.
Type: []string
The list of identities to export.
Type: string
Allows you to define a unique label for this export. When importing the content of the export, this label is added as a tag that is used to recognize the imported objects in a later import.

Hit

This API allows you to retrieve a generic hit counter for a given object.

Example

{ "name": "counter", "targetIdentity": "networkaccesspolicy" }

Relations

Retrieve a matching hit.
Parameters:
Mandatory Parameters
Manage hits.
Parameters:

Attributes

Type: string
name of the counter.
Default value:
"counter"
Type: string
The ID of the referenced object.
Type: string
The identity of the referenced object.
Type: integer
The value of the hit.

Import

Imports an export of policies and related objects into the namespace.

Example

{ "data": { "externalnetworks": [ { "associatedTags": [ "ext:net=tcp" ], "description": "Represents all TCP traffic on any port", "entries": [ "0.0.0.0/0" ], "name": "all-tcp", "servicePorts": [ "tcp/1:65535" ] }, { "associatedTags": [ "ext:net=udp" ], "description": "Represents all UDP traffic on any port", "entries": [ "0.0.0.0/0" ], "name": "all-udp", "servicePorts": [ "udp/1:65535" ] } ], "networkaccesspolicies": [ { "action": "Allow", "description": "Allows all communication from pu to pu, tcp and udp", "logsEnabled": true, "name": "allow-all-communication", "object": [ [ "$identity=processingunit" ], [ "ext:net=tcp" ], [ "ext:net=udp" ] ], "subject": [ [ "$identity=processingunit" ] ] } ] }, "mode": "Import" }

Relations

Imports data from a previous export.

Attributes

Type: export
Data to import.
How to import the data: ReplacePartial, Import (default), or Remove. ReplacePartial is deprecated; use Import instead. ReplacePartial is still accepted but is interpreted as Import.
Default value:
"Import"

ImportReference

Allows you to import and keep a reference.

Example

{ "constraint": "Unrestricted", "data": { "externalnetworks": [ { "associatedTags": [ "ext:net=tcp" ], "description": "Represents all TCP traffic on any port", "entries": [ "0.0.0.0/0" ], "name": "all-tcp", "servicePorts": [ "tcp/1:65535" ] }, { "associatedTags": [ "ext:net=udp" ], "description": "Represents all UDP traffic on any port", "entries": [ "0.0.0.0/0" ], "name": "all-udp", "servicePorts": [ "udp/1:65535" ] } ], "networkaccesspolicies": [ { "action": "Allow", "description": "Allows all communication from pu to pu, tcp and udp", "logsEnabled": true, "name": "allow-all-communication", "object": [ [ "$identity=processingunit" ], [ "ext:net=tcp" ], [ "ext:net=udp" ] ], "subject": [ [ "$identity=processingunit" ] ] } ] }, "name": "the name", "protected": false }

Relations

Retrieves the list of import references.
Parameters:
  • q (string): Filtering query. Multiple q parameters are combined with a logical OR.
Imports data from a previous export and keeps a reference.
Deletes the object with the given ID.
Parameters:
  • q (string): Filtering query. Multiple q parameters are combined with a logical OR.
Retrieves the object with the given ID.
Returns the list of import references that depend on a recipe.
Create an import request for the given recipe.

Attributes

Type: string
Identifier of the object.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: []string
Contains the claims of the client that performed the import.
Define the import constraint. If Unrestricted, import can be deployed multiple times. If Unique, only one import is allowed in the current namespace and its child namespaces. If NamespaceUnique, only one import is allowed in the current namespace.
Default value:
"Unrestricted"
Type: time
Creation date of the object.
Type: export
Data to import.
Type: string
Description of the object.
Type: string
Label used for the imported data.
Type: []string
Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
Type: boolean
Defines if the object is protected.
Type: time
Last update date of the object.

ImportRequest

Allows you to send an import request to create objects in a namespace where the requester does not normally have permission to do so (other than creating import requests).
The requester must have permission to create the request in both their own namespace and the target namespace.
When the request is created, its status is set to Draft. The requester can edit the content as much as desired. When ready to send the request, update the status to Submitted. The request is then moved to the target namespace. From that point on, nobody can edit the content of the request other than by adding comments.
The requestee will now see the request and will either
  • Set the status to Approved. This creates the objects in the target namespace.
  • Set the status to Rejected. The request cannot be edited anymore and can be deleted.
  • Set the status back to Draft. The request goes back to the requester's namespace so that the requester can make changes. Once the changes are ready, the requester sets the status back to Submitted.
The data format is the same as Export.
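The lifecycle described above, modelled as a small state machine. This is an added illustration, not Microsegmentation code: actors are identified only by the namespace they act from (the requester acts from the originating namespace, the requestee from the target namespace), which stands in for the real authorization check, and the `store` dictionary stands in for the objects actually created on approval.

```python
"""ImportRequest workflow: Draft -> Submitted -> Approved | Rejected | back to Draft.
Assumptions (not from the API reference): an actor is just the namespace it acts
from, and approval 'creates' objects by appending them to an in-memory store."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class ImportRequest:
    requester_namespace: str          # namespace the request originated from
    target_namespace: str             # namespace where the objects should be created
    data: Dict[str, list]             # same format as Export: identity -> list of objects
    status: str = "Draft"
    namespace: str = ""               # namespace the request currently lives in
    comment_feed: List[str] = field(default_factory=list)

    def __post_init__(self):
        self.namespace = self.requester_namespace


class WorkflowError(Exception):
    """Raised for an edit or transition the workflow does not allow."""


def edit_data(req: ImportRequest, actor_ns: str, data: Dict[str, list]) -> None:
    """Content is editable only while the request is Draft, and only by the requester."""
    if req.status != "Draft" or actor_ns != req.requester_namespace:
        raise WorkflowError("content can only be edited by the requester while in Draft")
    req.data = data


def add_comment(req: ImportRequest, actor_ns: str, text: str) -> None:
    """Comments are the one change still allowed after submission, from either side."""
    if req.status == "Rejected":
        raise WorkflowError("a rejected request cannot be changed anymore")
    if actor_ns not in (req.requester_namespace, req.target_namespace):
        raise WorkflowError("only the requester or the requestee may comment")
    req.comment_feed.append(f"{actor_ns}: {text}")


def set_status(req: ImportRequest, actor_ns: str, new_status: str,
               store: Dict[str, Dict[str, list]]) -> None:
    """Apply one status transition; `store` maps a namespace to the objects created in it."""
    is_requester = actor_ns == req.requester_namespace
    is_requestee = actor_ns == req.target_namespace
    if req.status == "Draft" and new_status == "Submitted" and is_requester:
        req.namespace = req.target_namespace        # request moves to the target namespace
    elif req.status == "Submitted" and is_requestee and new_status == "Approved":
        bucket = store.setdefault(req.target_namespace, {})
        for identity, objects in req.data.items():   # objects are created in the target namespace
            bucket.setdefault(identity, []).extend(objects)
    elif req.status == "Submitted" and is_requestee and new_status == "Rejected":
        pass                                         # terminal state: only deletion remains
    elif req.status == "Submitted" and is_requestee and new_status == "Draft":
        req.namespace = req.requester_namespace      # back to the requester for changes
    else:
        raise WorkflowError(f"{req.status} -> {new_status} not allowed from {actor_ns}")
    req.status = new_status
```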

Example

{ "data": { "networkaccesspolicies": [ { "action": "Allow", "description": "Allows Acme to access service A", "logsEnabled": true, "name": "allow-acme", "object": [ [ "$identity=processingunit", "$namespace=/acme/prod", "app=query" ] ], "subject": [ [ "$identity=processingunit", "app=partner-data" ] ] } ] }, "protected": false, "requesterClaims": [ "@auth:realm=vince", "@auth:account=acme" ], "status": "Draft", "targetNamespace": "/acme/prod" }

Relations

Retrieves the list of import requests.
Parameters:
  • q (string): Filtering query. Multiple q parameters are combined with a logical OR.
Creates a new import request.
Delete an existing import request.
Retrieve a single existing import request.
Update an existing import request.

Attributes

Type: string
Identifier of the object.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: string
A new comment that will be added to commentFeed.
Type: []comment
List of comments that have been added to that request.
Type: time
Creation date of the object.
Type: string
Description of the object.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
Type: boolean
Defines if the object is protected.
Type: []string
The identity claims of the requester; populated by the Microsegmentation Console.
Type: string
The namespace from which the request originated; populated by the Microsegmentation Console.
Draft (default): allows the content to be changed. Submitted: the request moves to the target namespace for approval. Approved: the data is created immediately. Rejected: the request cannot be changed anymore and can be deleted.
Default value:
"Draft"
Type: string
The namespace where the request will be sent. The requester can set any namespace but needs to have an authorization to post the request in that namespace.
Type: time
Last update date of the object.

Poke

When available, poke can be used to update various information about the parent. For instance, for enforcers, poke will be used as the heartbeat.

Relations

Sends an empty poke object. This is used to ensure an enforcer is up and running.
Parameters:
Sends an empty poke object. This sends a snapshot of the processing unit to the time series database.
Parameters:

PolicyRenderer

Allows you to render policies of a given type for a given set of tags.

Example

{ "processMode": "Subject", "tags": [ "a=a", "b=b" ], "type": "APIAuthorization" }

Relations

Render a policy of a given type for a given set of tags.

Attributes

List of policies rendered for the given set of tags.
Subject (default): Set if the processMode should use the subject. Object: Set if the processMode should use the object. This only has effect when rendering an SSH authorization for now.
Default value:
"Subject"
Type: []string
List of tags of the object to render the hook for.

core/accessiblenamespace

AccessibleNamespace

An Accessible Namespace represents a namespace that can be accessed by a given user.

Example

{ "ID": "123-4343-54343" }

Relations

Retrieves the list of accessible namespaces.
Parameters:
  • q (string): Filtering query. Multiple q parameters are combined with a logical OR.

Attributes

Type: string
Identifier of the namespace that is accessible.
Type: string
Name of the namespace that is accessible.
Type: string
Namespace tag attached to an entity.

core/account

Account

Allows you to view and manage basic information about your account like your name, password, and whether or not two-factor authentication is enabled.

Example

{ "OTPEnabled": false, "SSHCARenew": false, "accessEnabled": false, "company": "Acme", "email": "user@acme.com", "firstName": "John", "lastName": "Doe", "localCARenew": false, "name": "acme" }

Relations

Retrieves all accounts. This is a private API that only the system can call.
Parameters:
Creates a new account.
Deletes the object with the given ID.
Parameters:
  • q (string): Filtering query. Multiple q parameters are combined with a logical OR.
Retrieves the object with the given ID.
Updates the object with the given ID.

Attributes

Type: string
Identifier of the object.
Type: boolean
Enable or disable two-factor authentication.
Type: string
Returns the base64-encoded QR code for setting up two-factor authentication.
Type: string
Holds the SSH certificate authority used by the account namespace.
Type: boolean
Set to true to renew the SSH certificate authority of the account namespace.
Type: boolean
Defines if the account holder should have access to the system.
Type: string
Contains the activation token.
Type: string
Holds the ID of the associated billing customer.
Type: string
Contains the plan key associated with this account.
Type: string
Company of the account user.
Type: time
Creation date of the object.
Type: string
Email of the account holder.
Type: string
First name of the account user.
Type: string
Last name of the account user.
Type: string
The certificate authority used by this namespace.
Type: boolean
Set to true to renew the local certificate authority of the account namespace.
Type: string
Name of the account.
Type: string
New password for the account. If set, the previous password must be given through the property password.
Type: string
Password for the account.
Type: string
Contains the completely automated public Turing test (CAPTCHA) validation if reCAPTCHA is enabled.
Status of the account.
Default value:
"Pending"
Type: time
Last update date of the object.

Activate

Used to activate a pending account.

Example

{ "token": "2BB3D52C-DE26-406A-8821-613F102282B0" }

Relations

Activates a pending account.
Parameters:
Mandatory Parameters

Attributes

Type: string
Contains the activation token.

PasswordReset

Used to reset a Microsegmentation account password.

Example

{ "password": "NewPassword123@", "token": "436676D4-7ECA-4853-A572-0644EE9D89EF" }

Relations

Sends a link to the account email to reset the password.
Parameters:
Mandatory Parameters
Resets the password for an account using the provided link.

Attributes

Type: string
Contains the new password.
Type: string
Contains the reset password token.

core/authentication

Authn

Verifies if the given token is valid or not. If it is valid it will return the claims of the token.

Relations

Verify the validity of a token. This is deprecated. You should use Create.
Parameters:
Verify the validity of a token.

Attributes

Type: _claims
The claims in the token.
Type: string
The token to verify. This is only used if a POST request is used.

Issue

Issues a new Microsegmentation token according to given data.

Example

{ "audience": "aud:*:*:/namespace", "metadata": { "vinceAccount": "acme", "vinceOTP": 665435, "vincePassword": "s3cr3t" }, "realm": "Vince", "restrictedNamespace": "/namespace", "restrictedNetworks": [ "10.0.0.0/8", "127.0.0.1/32" ], "restrictedPermissions": [ "@auth:role=enforcer", "namespace,post" ], "validity": "24h" }

Relations

Issues a new token.
Parameters:
  • asCookie (boolean): If set to true, the token will be delivered in a secure cookie, and not in the response body.
  • token (string): Token to verify.

Attributes

Type: string
If given, the issued token will only be valid for the specified audience. Refer to the JSON Web Token (JWT) specification, RFC 7519, for further information.
Type: _claims
The claims in the token. It is only set if the parameter asCookie is given.
Type: string
Contains additional data. The value depends on the issuer type.
Contains various additional information. Meaning depends on the realm.
Opaque data that will be included in the issued token.
Type: integer
Restricts the number of times the issued token can be used.
The authentication realm. This will define how to verify credentials from internal or external source of authentication.
Type: string
Restricts the namespace where the token can be used.
For instance, if you have access to /namespace and below, you can tell the policy engine that it should restrict the token further to /namespace/child.
Restricting to a namespace you do not initially have access to according to the policy engine has no effect and may end up making the token unusable.
Type: []string
Restricts the networks from where the token can be used. This reduces the existing set of authorized networks that normally apply to the token according to the policy engine.
For instance, if you have authorized access from 0.0.0.0/0 (by default) or from 10.0.0.0/8, you can ask for a token that will only be valid if used from 10.1.0.0/16.
Restricting to a network that is not initially authorized by the policy engine has no effect and may end up making the token unusable.
Type: []string
Restricts the permissions of the token. This reduces the existing permissions that normally apply to the token according to the policy engine.
For instance, if you have an administrative role, you can ask for a token that tells the policy engine to reduce the permissions it would have granted to what is defined in the token.
Restricting to permissions you do not initially have according to the policy engine has no effect and may end up making the token unusable.
Type: string
The token to use for the registration.
Type: string
Configures the maximum length of validity for a token, using Golang duration syntax. If it is bigger than the configured max validity, it will be capped. Default: 24h.
Default value:
"24h"
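The narrowing semantics of restrictedNamespace, restrictedNetworks and restrictedPermissions described above, as an added illustration that is not Microsegmentation code: the effective scope is modelled as the intersection of what the policy engine grants and what the token requests, so a restriction outside the grant never widens access and can leave the token with no usable scope. Permissions are assumed to be plain strings such as "namespace,post", and the Scope/effective_scope/token_allows names are this example's own.

```python
"""Effective scope of an issued token after namespace, network and permission
restrictions. Assumption (not from the API reference): the policy engine's grant
is a single namespace root, a list of CIDRs and a set of permission strings."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set


def ns_within(child: str, parent: str) -> bool:
    """True if namespace `child` equals `parent` or lies below it ("/a/b" is within "/a")."""
    return child == parent or child.startswith(parent.rstrip("/") + "/")


@dataclass
class Scope:
    namespace: str                                   # root namespace the holder may act in
    networks: List[str] = field(default_factory=lambda: ["0.0.0.0/0"])
    permissions: Set[str] = field(default_factory=set)   # e.g. {"namespace,post"}


def effective_scope(granted: Scope,
                    restricted_namespace: Optional[str] = None,
                    restricted_networks: Optional[List[str]] = None,
                    restricted_permissions: Optional[List[str]] = None) -> Scope:
    """Intersect the policy-engine grant with the restrictions requested at issue time."""
    # Namespace: the restriction only takes effect if it lies under the granted
    # namespace; anything else leaves an empty, unusable namespace scope.
    ns = granted.namespace
    if restricted_namespace is not None:
        ns = restricted_namespace if ns_within(restricted_namespace, granted.namespace) else ""
    # Networks: keep each requested network only if it sits inside an authorized one.
    nets = [ipaddress.ip_network(n) for n in granted.networks]
    if restricted_networks is not None:
        wanted = [ipaddress.ip_network(n) for n in restricted_networks]
        nets = [w for w in wanted
                if any(w.version == g.version and w.subnet_of(g) for g in nets)]
    # Permissions: plain set intersection; asking for permissions you lack grants nothing.
    perms = set(granted.permissions)
    if restricted_permissions is not None:
        perms &= set(restricted_permissions)
    return Scope(ns, [str(n) for n in nets], perms)


def is_usable(scope: Scope) -> bool:
    """A token whose restrictions fall outside the grant ends up with an empty scope."""
    return bool(scope.namespace) and bool(scope.networks) and bool(scope.permissions)


def token_allows(scope: Scope, source_ip: str, namespace: str, permission: str) -> bool:
    """Decide one request against the effective scope; all three dimensions must match."""
    if not scope.namespace or not ns_within(namespace, scope.namespace):
        return False
    ip = ipaddress.ip_address(source_ip)
    if not any(ip in ipaddress.ip_network(n) for n in scope.networks):
        return False
    return permission in scope.permissions
```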

LDAPProvider

Allows you to declare a generic LDAP provider that can be used in exchange for a Midgard token.

Example

{ "address": "ldap.company.com", "baseDN": "dc=universe,dc=io", "bindDN": "cn=readonly,dc=universe,dc=io", "bindPassword": "s3cr3t", "bindSearchFilter": "uid={USERNAME}", "certificateAuthority": "-----BEGIN CERTIFICATE----- MIIBPzCB5qADAgECAhEAwbx3c+QW24ePXyD94geytzAKBggqhkjOPQQDAjAPMQ0w CwYDVQQDEwR0b3RvMB4XDTE5MDIyMjIzNDA1MFoXDTI4MTIzMTIzNDA1MFowDzEN MAsGA1UEAxMEdG90bzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJi6CwRDeKks Xb3pDEslmFGR7k9Aeh5RK+XmdqKKPGb3NQWEFPGolnqOR34iVuf7KSxTuzaaVWfu XEa94faUQEqjIzAhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MAoG CCqGSM49BAMCA0gAMEUCIQD+nL9RF9EvQXHyYuJ31Lz9yWd9hsK91stnpAs890gS /AIgQIKjBBpiyQNZZWso5H04qke9QYMVPegiQQufFFBj32c= -----END CERTIFICATE-----", "connSecurityProtocol": "InbandTLS", "default": false, "name": "the name", "protected": false, "subjectKey": "uid" }

Relations

Retrieves the list of the namespace LDAP providers.
Parameters:
  • q (string): Filtering query. Multiple q parameters are combined with a logical OR.
Creates a new LDAP provider.
Deletes the provider with the given ID.
Parameters:
  • q (string): Filtering query. Multiple q parameters are combined with a logical OR.
Retrieves the provider with the given ID.
Updates the provider with the given ID.

Attributes

Type: string
Identifier of the object.
Type: string
Contains the fully qualified domain name (FQDN) or IP address of the private LDAP server.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: string
Contains the base distinguished name (DN) to use for LDAP queries. Example: dc=example,dc=com.
Type: string
Contains the DN to use to bind to the LDAP server. Example: cn=admin,dc=example,dc=com.
Type: string
Contains the password to be used with the bindDN to authenticate to the LDAP server.
Type: string
The filter to use to locate the relevant user accounts. For Windows-based systems, the value may be sAMAccountName={USERNAME}. For Linux and other systems, the value may be uid={USERNAME}.
Default value:
"uid={USERNAME}"
Type: string
Can be left empty if the LDAP server’s certificate is signed by a public, trusted certificate authority. Otherwise, include the public key of the certificate authority that signed the LDAP server’s certificate.
Specifies the connection type for the LDAP provider. TLS or InbandTLS (default).
Default value:
"InbandTLS"
Type: time
Creation date of the object.
Type: boolean
If set, this will be the default LDAP provider. There can be only one default provider in your account. When logging in with LDAP, if no provider name is given, the default will be used.
Type: string
Description of the object.
Type: []string
A list of keys that must not be imported into a Microsegmentation authorization. If includedKeys is also set, and a key is in both lists, the key will be ignored.
Type: []string
A list of keys that must be imported into a Microsegmentation authorization. If ignoredKeys is also set, and a key is in both lists, the key will be ignored.
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
Type: boolean
Defines if the object is protected.
Type: string
The key to be used to populate the subject of the Midgard token. If you want to use the user as a subject, for Windows-based systems you may use sAMAccountName. For Linux and other systems, you may wish to use uid (default). You can also use any alternate key.
Default value:
"uid"
Type: time
Last update date of the object.

Logout

Perform logout operations. This is only used to unset the secure cookie token for now.

Relations

Performs a logout operation.

OIDCProvider

Allows you to declare a generic OpenID Connect (OIDC) provider that can be used in exchange for a Midgard token.

Example

{ "certificateAuthority": "-----BEGIN CERTIFICATE----- MIIBczCCARigAwIBAgIRALD3Vz81Pq10g7n4eAkOsCYwCgYIKoZIzj0EAwIwJjEN MAsGA1UEChMEQWNtZTEVMBMGA1UEAxMMQWNtZSBSb290IENBMB4XDTE4MDExNzA2 NTM1MloXDTI3MTEyNjA2NTM1MlowGDEWMBQGA1UEAxMNY2xhaXJlLWNsaWVudDBZ MBMGByqGSM49AgEGCCqGSM49AwEHA0IABOmzPJj+t25T148eQH5gVrZ7nHwckF5O evJQ3CjSEMesjZ/u7cW8IBfXlxZKHxl91IEbbB3svci4c8pycUNZ2kujNTAzMA4G A1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAA MAoGCCqGSM49BAMCA0kAMEYCIQCjAAmkQpTua0HR4q6jnePaFBp/JMXwTXTxzbV6 peGbBQIhAP+1OR8GFnn2PlacwHqWXHwkvy6CLPVikvgtwEdB6jH8 -----END CERTIFICATE-----", "clientID": "6195189841830-0644ee9d89ef0644ee9d89examle.apps.googleusercontent.com", "clientSecret": "Ytgbfjtj4652jHDFGls99jF", "default": false, "endpoint": "https://accounts.google.com", "name": "the name", "protected": false, "scopes": [ "email", "profile" ], "subjects": [ "email", "profile" ] }

Relations

Retrieves the list of OIDC providers.
Parameters:
  • q (string): Filtering query. Multiple q parameters are combined with a logical OR.
Creates a new OIDC provider.
Deletes the provider with the given ID.
Parameters:
  • q (string): Filtering query. Multiple q parameters are combined with a logical OR.
Retrieves the provider with the given ID.
Updates the provider with the given ID.

Attributes

Type: string
Identifier of the object.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: string
Set the CA to use to contact the OIDC server. This is useful when you are using a custom OIDC provider that doesn’t use a trusted CA. Most of the time, you can leave this property empty.
Type: string
Unique client ID.
Type: string
Client secret associated with the client ID.
Type: time
Creation date of the object.
Type: boolean
If set, this will be the default OIDC provider. There can be only one default provider in your account. When logging in with OIDC, if no provider name is given, the default will be used.
Type: string
Description of the object.
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
Type: string
Contains the parent Microsegmentation account ID.
Type: string
Contains the name of the parent Microsegmentation account.
Type: boolean
Defines if the object is protected.
Type: []string
List of scopes to allow.
Type: []string
List of claims that will provide the subject.
Type: time
Last update date of the object.

PCCProvider

Allows you to declare a trusted Prisma Cloud Compute (PCC) authentication provider. Microsegmentation will accept JSON web tokens (JWT) from the specified PCC provider.

Example

{ "certificateAuthority": "-----BEGIN CERTIFICATE----- MIIBczCCARigAwIBAgIRALD3Vz81Pq10g7n4eAkOsCYwCgYIKoZIzj0EAwIwJjEN MAsGA1UEChMEQWNtZTEVMBMGA1UEAxMMQWNtZSBSb290IENBMB4XDTE4MDExNzA2 NTM1MloXDTI3MTEyNjA2NTM1MlowGDEWMBQGA1UEAxMNY2xhaXJlLWNsaWVudDBZ MBMGByqGSM49AgEGCCqGSM49AwEHA0IABOmzPJj+t25T148eQH5gVrZ7nHwckF5O evJQ3CjSEMesjZ/u7cW8IBfXlxZKHxl91IEbbB3svci4c8pycUNZ2kujNTAzMA4G A1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAA MAoGCCqGSM49BAMCA0kAMEYCIQCjAAmkQpTua0HR4q6jnePaFBp/JMXwTXTxzbV6 peGbBQIhAP+1OR8GFnn2PlacwHqWXHwkvy6CLPVikvgtwEdB6jH8 -----END CERTIFICATE-----", "default": false, "endpoint": "https://my.pcc.acme.com", "name": "the name", "protected": false }

Relations

Retrieves the list of the PCC providers.
Parameters:
  • q (string): Filtering query. Multiple q parameters are combined with a logical OR.
Creates a new PCC provider.
Deletes the provider with the given ID.
Parameters:
  • q (string): Filtering query. Multiple q parameters are combined with a logical OR.
Retrieves the provider with the given ID.
Updates the provider with the given ID.

Attributes

Type: string
Identifier of the object.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: string
Set the CA to use to contact the PCC Console in case it uses a certificate authority that is not widely trusted.
Type: time
Creation date of the object.
Type: boolean
If set, this will be the default PCC provider. There can be only one default provider in your account. When logging in with PCC, if no provider name is given, the default will be used.
Type: string
The URL of the PCC service. It must use HTTPS.
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
Type: boolean
Defines if the object is protected.
Type: time
Last update date of the object.

SAMLProvider

Allows you to declare a generic SAML provider that can be used in exchange for a Midgard token.

Example

{ "IDPCertificate": "-----BEGIN CERTIFICATE REQUEST----- MIICvDCCAaQCAQAwdzELMAkGA1UEBhMCVVMxDTALBgNVBAgMBFV0YWgxDzANBgNV BAcMBkxpbmRvbjEWMBQGA1UECgwNRGlnaUNlcnQgSW5jLjERMA8GA1UECwwIRGln aUNlcnQxHTAbBgNVBAMMFGV4YW1wbGUuZGlnaWNlcnQuY29tMIIBIjANBgkqhkiG 9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8+To7d+2kPWeBv/orU3LVbJwDrSQbeKamCmo wp5bqDxIwV20zqRb7APUOKYoVEFFOEQs6T6gImnIolhbiH6m4zgZ/CPvWBOkZc+c 1Po2EmvBz+AD5sBdT5kzGQA6NbWyZGldxRthNLOs1efOhdnWFuhI162qmcflgpiI WDuwq4C9f+YkeJhNn9dF5+owm8cOQmDrV8NNdiTqin8q3qYAHHJRW28glJUCZkTZ wIaSR6crBQ8TbYNE0dc+Caa3DOIkz1EOsHWzTx+n0zKfqcbgXi4DJx+C1bjptYPR BPZL8DAeWuA8ebudVT44yEp82G96/Ggcf7F33xMxe0yc+Xa6owIDAQABoAAwDQYJ KoZIhvcNAQEFBQADggEBAB0kcrFccSmFDmxox0Ne01UIqSsDqHgL+XmHTXJwre6D hJSZwbvEtOK0G3+dr4Fs11WuUNt5qcLsx5a8uk4G6AKHMzuhLsJ7XZjgmQXGECpY Q4mC3yT3ZoCGpIXbw+iP3lmEEXgaQL0Tx5LFl/okKbKYwIqNiyKWOMj7ZR/wxWg/ ZDGRs55xuoeLDJ/ZRFf9bI+IaCUd1YrfYcHIl3G87Av+r49YVwqRDT0VDV7uLgqn 29XI1PpVUNCPQGn9p/eX6Qo7vpDaPybRtA2R7XLKjQaF9oXWeCUqy1hvJac9QFO2 97Ob1alpHPoZ7mWiEuJwjBPii6a9M9G30nUo39lBi1w= -----END CERTIFICATE REQUEST-----", "IDPIssuer": "https://accounts.google.com/o/saml2/idp?idpid=AbDcef123", "IDPURL": "https://accounts.google.com/o/saml2/idp?idpid=AbDcef123", "default": false, "name": "the name", "protected": false, "subjects": [ "email", "profile" ] }

Relations

Retrieves the list of the namespace SAML providers.
Parameters:
  • q (string): Filtering query. Multiple q parameters are combined with a logical OR.
Creates a new SAML provider.
Deletes the provider with the given ID.
Parameters:
  • q (string): Filtering query. Multiple q parameters are combined with a logical OR.
Retrieves the provider with the given ID.
Updates the provider with the given ID.

Attributes

Type: string
Identifier of the object.
Type: string
Identity provider certificate in PEM format.
Type: string
Identity Provider Issuer (also called Entity ID).
Type: string
Pass some XML data containing the IDP metadata that can be used for automatic configuration. If you pass this attribute, every other one will be overwritten with the data contained in the metadata file.
Type: string
URL of the identity provider.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: time
Creation date of the object.
Type: boolean
If set, this will be the default SAML provider. There can be only one default provider in your account. When logging in with SAML, if no provider name is given, the default will be used.
Type: string
Description of the object.
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
Type: boolean
Defines if the object is protected.
Type: []string
List of claims that will provide the subject.
Type: time
Last update date of the object.

core/billing

Invoice

Provides access to Microsegmentation customer invoices.

Example

{ "billedToProvider": "Aporeto" }

Relations

Deletes the invoice with the given ID.
Parameters:
  • q (string): Filtering query. Multiple q parameters are combined with a logical OR.
Retrieves the invoice with the given ID.
Updates the invoice with the given ID.

Attributes

Type: string
The ID of the invoice.
Type: string
The ID of the customer that this invoice belongs to.
The name of the provider that this invoice was billed to.
Default value:
"Aporeto"
Type: time
Creation date of the object.
Type: time
The end date of the invoice.
Type: time
The start date of this invoice.
Type: time
Last update date of the object.

InvoiceRecord

Provides detailed records of invoices for Microsegmentation customers.

Relations

Deletes the object with the given ID.
Parameters:
  • q (string): Filtering query. Multiple q parameters are combined with a logical OR.
Retrieves the object with the given ID.
Updates the object with the given ID.

Attributes

Type: string
The ID of the invoice record.
Type: time
Creation date of the object.
Type: string
The ID of the invoice associated with the invoice record.
Type: []string
Details about billing units.
Type: time
Last update date of the object.

Plan

Contains the various billing plans available.

Relations

Retrieves the list of plans.
Retrieves the plan with the given ID.

Attributes

Type: string
Contains the description of the plan.
Type: string
Contains the key identifier of the plan.
Type: string
Contains the name of the plan.

core/enforcer

CounterReport

Post a new counter tracing report.

Example

{ "enforcerID": "xxxx-xxx-xxxx", "enforcerNamespace": "/my/namespace", "namespace": "/my/namespace", "processingUnitID": "xxx-xxx-xxx", "processingUnitNamespace": "/my/namespace", "timestamp": "2018-06-14T23:10:46.420397985Z" }

Relations

Create a counter report.

Attributes

Type: integer
Counter for sending FIN ACK received in unknown connection state.
Type: integer
Counter for ACK packet dropped because of invalid format.
Type: integer
Counter for ACK packets rejected as per policy.
Type: integer
Counter for ACK packet dropped because signature validation failed.
Type: integer
Counter for TCP authentication option not found.
Type: integer
Counter for connections processed.
Type: integer
Counter for unable to find ContextID.
Type: integer
Counter for no ACLs found for external services. Dropping application SYN packet.
Type: string
Identifier of the object.
Type: integer
Counter for invalid connection state.
Type: integer
Counter for invalid net state.
Type: integer
Counter for invalid protocol.
Type: integer
Counter for processing unit is already dead - drop SYN ACK packet.
Type: integer
Counter for processing unit mark not found.
Type: integer
Counter for network SYN packet was not seen.
Type: integer
Counter for no context or connection found.
Type: integer
Counter for traffic that belongs to a non-processing unit process.
Type: integer
Counter for SYN ACK for flow with processed FIN ACK.
Type: integer
Counter for port not found.
Type: integer
Counter for reject the packet as per policy.
Type: integer
Counter for post service processing failed for network packet.
Type: integer
Counter for network packets that failed preprocessing.
Type: integer
Counter for SYN ACK packet dropped because of bad claims.
Type: integer
Counter for SYN ACK packet dropped because of encryption mismatch.
Type: integer
Counter for SYN ACK from external service dropped.
Type: integer
Counter for SYN ACK packet dropped because of invalid format.
Type: integer
Counter for SYN ACK packet dropped because of no claims.
Type: integer
Counter for SYN ACK packet dropped because of missing token.
Type: integer
Counter for TCP authentication option not found.
Type: integer
Counter for dropping because of reject rule on transmitter.
Type: integer
Counter for SYN packet dropped because of invalid format.
Type: integer
Counter for SYN packet dropped because of invalid token.
Type: integer
Counter for SYN packet dropped because of no claims.
Type: integer
Counter for TCP authentication option not found.
Type: integer
Counter for SYN packet dropped due to policy.
Type: integer
Counter for received SYN packet from unknown processing unit.
Type: integer
Counter for TCP authentication option not found.
Type: integer
Counter for UDP ACK packet dropped due to an invalid signature.
Type: integer
Counter for number of processed UDP connections.
Type: integer
Counter for dropped UDP data packets with no context.
Type: integer
Counter for dropped UDP FIN handshake packets.
Type: integer
Counter for dropped UDP in NfQueue.
Type: integer
Counter for dropped UDP data packets with no connection.
Type: integer
Counter for dropped UDP data packets.
Type: integer
Counter for dropped UDP queue full.
Type: integer
Counter for dropped UDP SYN ACK handshake packets.
Type: integer
Counter for UDP packets received in invalid network state.
Type: integer
Counter for UDP packets failing postprocessing.
Type: integer
Counter for UDP packets failing preprocessing.
Type: integer
Counter for UDP packets dropped due to policy.
Type: integer
Counter for UDP SYN ACK packets dropped due to bad claims.
Type: integer
Counter for UDP SYN ACK packets dropped due to missing claims.
Type: integer
Counter for UDP SYN ACK packets dropped due to bad claims.
Type: integer
Counter for dropped UDP SYN transmits.
Type: integer
Counter for dropped UDP SYN policy.
Type: integer
Counter for dropped UDP FIN handshake packets.
Type: integer
Counter for UDP SYN packet dropped due to missing claims.
Type: integer
Counter for unknown error.
Type: integer
Non-zero counter indicates analyzed connections for unencrypted and encrypted traffic, and packets from endpoint applications with the TCP Fast Open option set. These are not drop counters.
Type: integer
Non-zero counter indicates dropped connections because of invalid state, non-processing unit traffic, or out of order packets.
Type: integer
Non-zero counter indicates expired connections because of response not being received within a certain amount of time after the request is made.
Type: integer
Non-zero counter indicates dropped packets that did not hit any of our iptables rules and queue drops.
Type: integer
Non-zero counter indicates encryption processing failures of data packets.
Type: string
Identifier of the enforcer sending the report.
Type: string
Namespace of the enforcer sending the report. This field is deprecated. Use the 'namespace' field instead.
Type: integer
Non-zero counter indicates connections going to and from external networks. These may be drops or allowed counters.
Type: string
Namespace of the enforcer sending the report.
Type: integer
Non-zero counter indicates packets dropped due to a reject policy.
Type: string
PUID is the ID of the processing unit reporting the counter.
Type: string
Namespace of the processing unit reporting the counter.
Type: time
Timestamp is the date of the report.
Type: integer
Non-zero counter indicates packets rejected due to anything related to token creation/parsing failures.

Enforcer

Contains all parameters associated with a registered enforcer. The object is mainly maintained by the enforcers themselves. Users can read the object in order to understand the current status of the enforcers.

Example

{ "FQDN": "server1.domain.com", "certificateRequest": "-----BEGIN CERTIFICATE REQUEST----- MIICvDCCAaQCAQAwdzELMAkGA1UEBhMCVVMxDTALBgNVBAgMBFV0YWgxDzANBgNV BAcMBkxpbmRvbjEWMBQGA1UECgwNRGlnaUNlcnQgSW5jLjERMA8GA1UECwwIRGln aUNlcnQxHTAbBgNVBAMMFGV4YW1wbGUuZGlnaWNlcnQuY29tMIIBIjANBgkqhkiG 9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8+To7d+2kPWeBv/orU3LVbJwDrSQbeKamCmo wp5bqDxIwV20zqRb7APUOKYoVEFFOEQs6T6gImnIolhbiH6m4zgZ/CPvWBOkZc+c 1Po2EmvBz+AD5sBdT5kzGQA6NbWyZGldxRthNLOs1efOhdnWFuhI162qmcflgpiI WDuwq4C9f+YkeJhNn9dF5+owm8cOQmDrV8NNdiTqin8q3qYAHHJRW28glJUCZkTZ wIaSR6crBQ8TbYNE0dc+Caa3DOIkz1EOsHWzTx+n0zKfqcbgXi4DJx+C1bjptYPR BPZL8DAeWuA8ebudVT44yEp82G96/Ggcf7F33xMxe0yc+Xa6owIDAQABoAAwDQYJ KoZIhvcNAQEFBQADggEBAB0kcrFccSmFDmxox0Ne01UIqSsDqHgL+XmHTXJwre6D hJSZwbvEtOK0G3+dr4Fs11WuUNt5qcLsx5a8uk4G6AKHMzuhLsJ7XZjgmQXGECpY Q4mC3yT3ZoCGpIXbw+iP3lmEEXgaQL0Tx5LFl/okKbKYwIqNiyKWOMj7ZR/wxWg/ ZDGRs55xuoeLDJ/ZRFf9bI+IaCUd1YrfYcHIl3G87Av+r49YVwqRDT0VDV7uLgqn 29XI1PpVUNCPQGn9p/eX6Qo7vpDaPybRtA2R7XLKjQaF9oXWeCUqy1hvJac9QFO2 97Ob1alpHPoZ7mWiEuJwjBPii6a9M9G30nUo39lBi1w= -----END CERTIFICATE REQUEST-----", "collectInfo": false, "detectedHostModeContainers": false, "enforcementStatus": "Inactive", "lastCollectionID": "xxx-xxx-xxx-xxx -", "logLevel": "Info", "logLevelDuration": "10s", "machineID": "3F23E8DF-C56D-45CF-89B8-A867F3956409", "migrationStatus": "None", "name": "the name", "operationalStatus": "Registered", "protected": false }

Relations

Retrieves the list of enforcers.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
Creates a new enforcer.
Deletes the enforcer with the given ID.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
Retrieves the enforcer with the given ID.
Updates the enforcer with the given ID.
Returns the list of enforcers that are affected by this mapping.
Returns the list of enforcers affected by an enforcer profile mapping.
Returns the list of enforcers that are affected by this mapping.
Returns a list of the audit profiles that must be applied to this enforcer.
Retrieves the list of debug bundles.
Uploads a debug bundle.
Returns the enforcer profile that must be used by an enforcer.
Sends an enforcer refresh command.
Returns a list of the host services policies that apply to this enforcer.
Parameters:
  • appliedServices (boolean): Valid when retrieved for a given enforcer and returns the applied services.
  • setServices (boolean): Instructs Microsegmentation Console to cache the services that were resolved.
Sends a poke empty object. This is used to ensure an enforcer is up and running.
Parameters:
Returns the list of certificate authorities that should be trusted by this enforcer.
Parameters:

Attributes

Type: string
Contains the fully qualified domain name (FQDN) of the server where the enforcer is running.
Type: string
Identifier of the object.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: string
The certificate of the enforcer.
Type: string
If not empty during a create or update operation, the provided certificate signing request (CSR) will be validated and signed by the Microsegmentation Console, providing a renewed certificate.
Type: boolean
Indicates to the enforcer whether or not it needs to collect information.
Represents the latest information collected by the enforcer.
Type: string
The Microsegmentation Console identifier managing this object. This property is mostly useful when federating multiple Microsegmentation Consoles.
Type: time
Creation date of the object.
Type: string
The version number of the installed enforcer binary.
Type: string
Description of the object.
Type: boolean
This field indicates whether the enforcer has detected host mode containers.
Status of the enforcement for host services.
Default value:
"Inactive"
Type: string
Identifies the last collection.
Type: time
Identifies when the information was collected.
Type: time
Last migration date of the enforcer.
Type: time
The time and date of the last heartbeat.
Type: string
Contains the initial chain of trust for the enforcer. This value is only given when you retrieve a single enforcer.
Log level of the enforcer.
Default value:
"Info"
Type: string
Determines the duration for which the log level will be active, using Golang duration syntax.
Default value:
"10s"
Type: string
A unique identifier for every machine as detected by the enforcer. It is based on hardware information such as the SMBIOS UUID, MAC addresses of interfaces, or cloud provider IDs.
Type: []string
Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
Defines the migration status.
Default value:
"None"
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: string
Defines the next version the enforcer will be migrated to.
Type: []string
Contains the list of normalized tags of the entities.
The status of the enforcer.
Default value:
"Registered"
Type: boolean
Defines if the object is protected.
Type: string
The public token of the server that will be included in the datapath and is signed by the private certificate authority.
Type: time
The time and date on which this enforcer was started. The enforcer reports this and the value is preserved across disconnects.
Type: []string
Local subnets of this enforcer.
Type: boolean
The Microsegmentation Console sets this value to true if it hasn’t heard from the enforcer in the last five minutes.
Type: time
Last update date of the object.

EnforcerLog

An enforcer log represents the log collected by an enforcer. Each enforcer log can have partial or complete data. The collectionID is used to aggregate the multipart data into one.

Example

{ "collectionID": "xxx-xxx-xxx-xxx", "enforcerID": "xxx-xxx-xxx-xxx", "protected": false }

Relations

Retrieves the list of enforcerlogs.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
Creates a new enforcerlog.
Retrieves the enforcerlog with the given ID.

Attributes

Type: string
Identifier of the object.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: string
Contains the ID of the enforcer log. CollectionID is used to aggregate the multipart data.
Type: time
Creation date of the object.
Type: string
Represents the data collected by the enforcer.
Type: string
ID of the enforcer.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
Type: integer
Number assigned to each log, in increasing order.
Type: boolean
Defines if the object is protected.
Type: string
Title of the log.
Type: time
Last update date of the object.

EnforcerReport

Post a new enforcer statistics report.

Example

{ "CPULoad": 10, "enforcerID": "xxx-xxx-xxx-xxx", "licenseType": "Host", "memory": 10000, "name": "aporeto-enforcerd-xxx", "namespace": "/my/ns", "processes": 10, "timestamp": "2018-06-14T23:10:46.420397985Z" }

Relations

Create an enforcer statistics report.

Attributes

Type: float
Total CPU utilization of the enforcer as a percentage of vCPUs.
Type: string
Identifier of the object.
Type: string
ID of the enforcer.
Type of license for this enforcer.
Default value:
"Host"
Type: integer
Total resident memory used by the enforcer in bytes.
Type: string
Name of the enforcer.
Type: string
Namespace of the enforcer.
Type: integer
Number of active processes of the enforcer.
Type: time
Date of the report.

EnforcerTraceReport

Post a new enforcer trace that determines how packets are.

Example

{ "enforcerID": "5c6cce207ddf1fc159a104bf", "enforcerNamespace": "/acme/prod", "namespace": "/acme/prod/database", "puID": "5c6ccd947ddf1fc159a104b7" }

Relations

Create an enforcer trace report.

Attributes

Type: string
ID of the enforcer where the trace was collected.
Type: string
Namespace of the enforcer where the trace was collected.
Type: string
Namespace of the processing unit where the trace was collected.
Type: string
ID of the processing unit where the trace was collected.

PacketReport

Post a new packet tracing report.

Example

{ "destinationPort": 11000, "encrypt": false, "enforcerID": "xxxx-xxx-xxxx", "enforcerNamespace": "/my/namespace", "event": "Rcv", "mark": 123123, "namespace": "/my/namespace", "packetID": 12333, "protocol": 6, "puID": "xxx-xxx-xxx", "rawPacket": "abcd", "sourcePort": 80, "timestamp": "2018-06-14T23:10:46.420397985Z", "triremePacket": true }

Relations

Create a packet trace report.

Attributes

Type: string
Identifier of the object.
Type: integer
Flags are the TCP flags of the packet.
Type: []string
Claims is the list of claims detected for the packet.
Type: string
The destination IP address of the packet.
Type: integer
The destination port of a TCP or UDP packet.
Type: string
If event is set to Dropped, contains the reason that the packet was dropped. Otherwise empty.
Type: boolean
Set to true if the packet was encrypted.
Type: string
Identifier of the enforcer sending the report.
Type: string
Namespace of the enforcer sending the report.
The event that triggered the report.
Type: integer
Mark is the mark value of the packet.
Type: string
Namespace of the processing unit reporting the packet.
Type: integer
The ID of the IP header of the reported packet.
Type: integer
Protocol number.
Type: string
The ID of the processing unit reporting the packet.
Type: string
The first 64 bytes of the packet.
Default value:
"abcd"
Type: string
The source IP address of the packet.
Type: integer
The source port of the packet.
Type: time
The time-date stamp of the report.
Type: boolean
Set to true if the packet arrived with the Trireme options (default).
Default value:
true

PingPair

Represents a pair of ping probes.

Attributes

Type: pingprobe
Contains the request probe information.
Type: pingprobe
Contains the response probe information.

PingProbe

Represents the result of a unique ping probe. They are aggregated into a PingResult.

Example

{ "applicationListening": false, "claimsType": [ "Transmitted" ], "enforcerID": "xxx-xxx-xxx-xxx", "enforcerNamespace": "/my/ns", "excludedNetworks": false, "isServer": false, "payloadSizeType": [ "Transmitted" ], "pingID": "xxx-xxx-xxx-xxx", "remoteEndpointType": [ "External" ], "remoteNamespaceType": [ "Plain" ], "targetTCPNetworks": false, "type": [ "Request" ] }

Relations

Retrieves a ping result.

Attributes

Type: string
Action of the ACL policy.
Type: string
ID of the ACL policy.
Type: string
Identifier of the object.
Type: string
Time taken for a single request-response to complete.
Type: boolean
If true, application responded to the request.
Type: []string
Claims of the processing unit.
Type of claims reported.
Type: time
Creation date of the object.
Type: string
ID of the enforcer.
Type: string
Namespace of the enforcer.
Type: string
Semantic version of the enforcer.
Type: string
A non-empty error indicates a failure.
Type: boolean
If true, destination IP is in excludedNetworks.
Type: string
Four tuple in the format <sip:dip:spt:dpt>.
Type: boolean
If true, the report was generated by the server.
Type: integer
Holds the iteration number this probe is attached to.
Type: string
Namespace tag attached to an entity.
Type: integer
Size of the payload attached to the packet.
Type of the payload size.
Type: string
Represents the expiry of the peer certificate.
Type: string
Represents the issuer of the peer certificate.
Type: string
Represents the subject of the peer certificate.
Type: string
PingID unique to a single ping control.
Type: string
Action of the policy.
Type: string
ID of the policy.
Type: string
ID of the policy.
Type: string
ID of the reporting processing unit.
Type: integer
Protocol used for the communication.
Type: string
Controller of the remote endpoint.
Represents the remote endpoint type.
Type: string
Namespace of the remote processing unit.
Type of the namespace reported.
Type: string
ID of the remote processing unit.
Type: integer
Sequence number of the TCP packet.
Type: string
ID of the service, if the service type is a proxy.
Type: string
Type of the service.
Type: boolean
If true, destination IP is in targetTCPNetworks.
Type of the report.
Type: time
Last update date of the object.

PingRequest

Initiates a ping request for enforcer debugging.

Example

{ "iterations": 1, "refreshID": "xxxx-xxxx-xxxx" }

Relations

Initiates a new ping request.

Attributes

Type: integer
Number of probes that will be triggered.
Default value:
1
Type: string
Unique ID generated for each ping request.
Type: string
Contains the refresh ID set by processing unit refresh event.

PingResult

Represents the results of a ping request.

Relations

Retrieves a ping result.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.

Attributes

Type: string
Identifier of the object.
Type: time
Creation date of the object.
Type: []string
May contain a list of errors that have happened during the collection.
Type: string
Namespace tag attached to an entity.
Type: string
Contains the Ping ID.
Contains the result of aggregated ping pairs.
Type: string
Contains the refresh ID set by processing unit refresh event.
Contains information about missing probes in the result. This field will be populated if the ping probe is managed by a remote controller (federation) or is stored in a namespace you don’t have any permissions on.
Type: time
Last update date of the object.

RemotePingProbe

Represents information about a remote ping probe that is governed by a different set of permissions.

Attributes

Type: string
The controller ID that manages the ping report.
Type: string
The namespace where the ping report is stored. Only applicable when the remote controller is empty.
Type of the namespace reported. It can be hash or plain, depending on various factors.
Type: string
The ID of the probe. Only applicable when the remote controller is empty.

TraceMode

Represents the tracing mode to apply to a processing unit.

Example

{ "IPTables": false, "applicationConnections": false, "interval": "10s", "networkConnections": false }

Attributes

Type: boolean
Instructs the enforcers to provide an iptables trace for a processing unit.
Type: boolean
Instructs the enforcer to send records for all application-initiated connections.
Type: string
Determines the length of the time interval that the trace must be enabled, using Golang duration syntax.
Default value:
"10s"
Type: boolean
Instructs the enforcer to send records for all network-initiated connections.

TraceRecord

Represents a single trace record from the enforcer.

Example

{ "TTL": 64, "chain": "PREROUTING", "destinationIP": "10.1.1.30", "destinationInterface": "en0", "destinationPort": 80, "length": 98, "packetID": 10, "protocol": 80, "ruleID": 10, "sourceIP": "10.1.1.30", "sourceInterface": "en0", "sourcePort": 80, "tableName": "raw", "timestamp": "2018-06-14T23:10:46.420397985Z" }

Attributes

Type: integer
The time to live (TTL) value of the packet.
Type: string
Chain that the trace was collected from.
Type: string
The destination IP.
Type: string
The destination interface of the packet.
Type: integer
The destination UDP or TCP port of the packet.
Type: integer
Length of the observed packet.
Type: integer
The IP packet header ID.
Type: integer
The protocol of the packet.
Type: integer
Priority index of the iptables entry that was hit.
Type: string
Source IP of the packet.
Type: string
Source interface of the packet.
Type: integer
Source TCP or UDP port of the packet.
Type: string
The name of the iptables table the trace was collected from.
Type: time
The time-date stamp of the report.

core/monitoring

Activity

Contains logs of all the activity that happened in a namespace. All successful or failed actions, errors, and the claims of the user who triggered the actions are available. This log is capped and only keeps the last 50,000 entries by default.

Relations

Retrieves the list of activity logs.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
Retrieves the object with the given ID.

Attributes

Type: string
Identifier of the object.
Type: object
Claims of the user who performed the operation.
Type: object
This is deprecated in favor of diff.
Type: time
Time-date stamp of the notification.
Type: string
Contains the diff of the change.
Type: object
Contains the error.
Type: string
Message of the notification.
Type: string
Namespace tag attached to an entity.
Type: string
Describes what kind of operation the notification represents.
Type: string
Contains meta information about the source.
Type: string
The identity of the related object.

Alarm

Represents an event requiring attention.

Example

{ "content": "This is an alarm", "emails": [ "amir@aporeto.com", "john@aporeto.com" ], "kind": "aporeto.alarm.kind", "name": "the name", "protected": false, "status": "Open" }

Relations

Retrieves all the alarms.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
Creates a new alarm.
Deletes the object with the given ID.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
Retrieves the object with the given ID.
Updates the object with the given ID.

Attributes

Type: string
Identifier of the object.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: string
Content of the alarm.
Type: time
Creation date of the object.
Data represent user data related to the alarms.
Type: string
Description of the object.
Type: []string
A list of recipients that should be emailed when this alarm is created.
Type: string
Identifies the kind of alarm. If two alarms are created with the same identifier, then only the occurrence count will be incremented.
Type: time
Time and date of the alarm set by the enforcer.
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
Number of times this alarm has been seen.
Type: boolean
Defines if the object is protected.
Status of the alarm.
Default value:
"Open"
Type: time
Last update date of the object.

EventLog

Allows you to report various events on any object.

Example

{ "category": "enforcerd:policy", "content": "Unable to activate docker container xyz because abc.", "level": "Info", "targetID": "xxx-xxx-xxx-xxx", "targetIdentity": "processingunit", "title": "Error while activating processing unit." }

Relations

Creates a new event log for a particular entity.

Attributes

Type: string
Identifier of the object.
Type: string
Category of the event log.
Type: string
Content of the event log.
Type: time
Creation date of the event log.
Sets the log level.
Default value:
"Info"
Type: string
Namespace tag attached to the event log.
Type: string
Opaque data that can be attached to the event log, for further machine processing.
Type: string
ID of the object this event log is attached to. The object must be in the same namespace as the event log.
Type: string
Identity of the object this event log is attached to.
Type: time
Creation date of the event log.
Type: string
Title of the event log.

HealthCheck

This API allows you to retrieve a generic health state of the platform. A return code different from 200 OK means the platform is not operational. The health check contains the list of observed subsystems.

Relations

Retrieve the health of the platform.
Parameters:
  • quiet (boolean): If set to true, the health check endpoint will not return data but will return 200 OK if everything is fine or 218 if the controller is not operational. This is useful when you want to use the health check endpoint as a load balancer health check.

Attributes

Type: []string
A human-readable alert list describing the current state of the subsystem, if available.
Type: string
The name of the observed subsystem, if applicable.
Type: string
The response time of the observed subsystem, if applicable.
The current health of the observed subsystem.

Message

Allows you to post public messages that will be visible through all children namespaces.

Example

{ "level": "Info", "name": "the name", "propagate": false, "protected": false, "validity": "12h" }

Relations

Retrieves the list of messages.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
  • propagated (boolean): Also retrieve the objects that propagate down.
Creates a new message.
Deletes the message with the given ID.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
Retrieves the message with the given ID.
Parameters:
Updates the message with the given ID.

Attributes

Type: string
Identifier of the object.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: time
Creation date of the object.
Type: string
Description of the object.
Type: time
The time after which the message will be deleted.
Importance of the message.
Default value:
"Info"
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
Type: boolean
Propagates the policy to all of its children.
Type: boolean
Defines if the object is protected.
Type: time
Last update date of the object.
Type: string
Sets when the message will be automatically deleted using Golang duration syntax.

core/namespace

DefaultEnforcerVersion

Returns the default enforcer version of the specified namespace.

Relations

Returns the default enforcer version of the specified namespace.
Modify the default enforcer version of the specified namespace.

Attributes

Type: string
The default enforcer version for the namespace.

LocalCA

Can be used to retrieve or renew the local and SSH certificate authorities of the namespace.

Example

{ "SSHCertificateRenew": false, "certificateRenew": false }

Relations

Returns the local and SSH certificate authorities of the namespace.
Renews the local and/or SSH certificate authorities of the namespace.

Attributes

Type: string
The SSH certificate authority used by the namespace.
Type: boolean
Set to true to renew the SSH certificate authority of the namespace.
Type: string
The certificate authority used by the namespace.
Type: boolean
Set to true to renew the certificate authority of the namespace.

Namespace

A namespace represents the core organizational unit of the system. All objects always exist in a single namespace. A namespace can also have child namespaces. They can be used to split the system into organizations, business units, applications, services or any combination you like.

Example

{ "JWTCertificateType": "None", "SSHCAEnabled": false, "customZoning": false, "defaultPUIncomingTrafficAction": "Inherit", "defaultPUOutgoingTrafficAction": "Inherit", "localCAEnabled": false, "name": "mynamespace", "protected": false, "serviceCertificateValidity": "168h", "type": "Default" }

Relations

Retrieves the list of namespaces.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
Creates a new namespace.
Deletes the namespace with the given ID.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
Retrieves the namespace with the given ID.
Updates the namespace with the given ID.
Retrieves the OAUTH info for this namespace.
Parameters:
  • mode (enum(oidc)): When set to type OIDC it will return the data as a raw JSON object and not a Microsegmentation Console-compatible API.
Retrieves the OAUTH info for this namespace.
Parameters:
  • mode (enum(oidc)): When set to OIDC it will return the data as a raw JSON object and not a Microsegmentation Console-compatible API.
Returns the list of trusted CAs for this namespace.
Parameters:

Attributes

Type: string
Identifier of the object.
JWTCertificateType defines the JWT signing certificate that must be created for this namespace. If the type is none no certificate will be created.
Default value:
"None"
JWTCertificates hold the certificates used to sign tokens for this namespace. This is map indexed by the ID of the certificate.
Type: boolean
If true, an SSH certificate authority (CA) will be generated for the namespace. This CA can be deployed on SSH servers to validate SSH certificates issued by the controller.
Stores additional information about an entity.
Type: string
The remote ID of the SSH certificate authority to use.
Type: []string
List of tags attached to an entity.
Type: time
Creation date of the object.
Type: boolean
Defines if the namespace should inherit its parent zone. If this property is set to false, the zoning property will be ignored and the namespace will have the same zone as its parent.
Type: string
Indicates the default enforcer version for this namespace.
Describes the default action a processing unit will take for incoming traffic for this namespace.
Default value:
"Inherit"
Describes the default action a processing unit will take for outgoing traffic for this namespace.
Default value:
"Inherit"
Type: string
Description of the object.
Type: boolean
Defines if the namespace should use a local certificate authority (CA). Switching it off and on again will regenerate a new CA.
Type: []string
Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
Type: string
The name of the namespace.
Type: string
Namespace tag attached to an entity.
Type: []string
List of tags that will be added to every or clause of all network access policies in the namespace and its children.
Type: []string
Contains the list of normalized tags of the entities.
Type: []string
List of tags that describe this namespace. All organizational tags are automatically passed to policeable objects (e.g., processing units, external networks, enforcers) during their creation.
Type: boolean
Defines if the object is protected.
Type: string
This flag is deprecated and has no effect.
Default value:
"168h"
Type: []string
List of tag prefixes that will be used to suggest policies. Only these tags will be transmitted on the wire.
The type defines the purpose of the namespace:
  • Default: A universal namespace that is capable of all actions and views.
  • Tenant: A namespace that houses a tenant (e.g. ACME).
  • CloudAccount: A child namespace of a tenant that houses a cloud provider account.
  • Group: A child namespace of a cloud account that houses a managed group.
  • Kubernetes: A child namespace of a group that houses a Kubernetes cluster (automatically created by the enforcer).
Default value:
"Default"
Type: time
Last update date of the object.
Type: integer
Defines what zone the namespace should live in.

NamespaceMappingPolicy

A namespace mapping defines the namespace a processing unit should be placed in when it is created, based on its tags. When an enforcer creates a new processing unit, the system will place it in its own namespace if no matching namespace mapping can be found. If one match is found, then the processing unit will be bumped down to the namespace declared in the namespace mapping. If it finds in that child namespace another matching namespace mapping, then the processing unit will be bumped down again, until it reaches a namespace with no matching namespace mappings. This is very useful to dispatch processes and containers into a particular namespace, based on many factors. For example, you can put in place a quarantine namespace mapping that will grab all processing units with excessive vulnerabilities.

Example

{ "disabled": false, "mappedNamespace": "/blue/namespace", "name": "the name", "protected": false, "subject": [ [ "color=blue" ] ] }

Relations

Retrieves the list of namespace mappings.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
Creates a new namespace mapping.
Deletes the mapping with the given ID.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
Retrieves the mapping with the given ID.
Updates the mapping with the given ID.

Attributes

Type: string
Identifier of the object.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: time
Creation date of the object.
Type: string
Description of the object.
Type: boolean
Defines if the property is disabled.
Type: string
The namespace to map the subject to.
Type: []string
Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
Type: boolean
Defines if the object is protected.
A tag or tag expression identifying the entity to be mapped.
Type: time
Last update date of the object.

NamespacePolicyInfo

Returns the policy info of the specified namespace.

Example

{ "PUIncomingTrafficAction": "Allow", "PUOutgoingTrafficAction": "Allow" }

Relations

Returns the policy info of the specified namespace.

Attributes

The processing unit action for incoming traffic for the namespace.
The processing unit action for outgoing traffic for the namespace.
Type: []string
List of tag prefixes that will be used to suggest policies.

NamespaceRenderer

This object allows you to determine which namespace an object should reside in based on the tags provided.

Example

{ "tags": [ "a=a", "b=b" ] }

Relations

Renders the namespace where an object should reside.

Attributes

Type: string
The namespace where the object should reside in.
Type: []string
List of tags of the object to render the namespace for.

NamespaceType

Returns the type of the specified namespace.

Relations

Returns the type of the specified namespace.

Attributes

Type: string
The namespace type of the current namespace.

OrganizationalMetadata

Can be used to retrieve the organizational metadata of the namespace.

Relations

Retrieves the list of organizational metadata for the namespace and its namespace hierarchy.

Attributes

Type: []string
List of organizational metadata for the namespace.
Type: string
Namespace tag attached to an entity.

TagPrefix

Returns the tag prefixes of the specified namespace.

Relations

Returns the tag prefixes of the specified namespace.
Modify the tag prefixes of the specified namespace.

Attributes

Type: []string
List of tag prefixes that will be used to suggest policies. Only these tags will be transmitted on the wire.

core/policy

ClauseMatch

This API allows you to pass a set of tag clauses and find the objects that would match them during policy resolution.

Example

{ "clauses": [ [ "color=blue", "size=big" ], [ "color=red" ] ], "targetIdentity": "processingunit" }

Relations

Performs a clause matching.

Attributes

The tag clause to resolve.
Contains the matched objects.
Type: string
The identity to render the clauses from.

EnforcerRefresh

Sent to enforcers when a poke has been triggered using the parameter ?notify=true. This is used to notify an enforcer of an external change on the processing unit that must be processed.

Example

{ "debug": "Counters", "propagate": false, "refreshType": "Debug", "selector": [ [ "$namespace=/a/b" ] ] }

Relations

Create an enforcer refresh report.
Sends an enforcer refresh command.

Attributes

Type: string
Contains the ID of the target enforcer.
Set the debug information collected by the enforcer.
Default value:
"Counters"
Type: string
Can be used to correlate with a DebugBundle.
Type: string
Packet capture filter, syntax varying by platform.
Type: string
Isolates debug information to a given processing unit, where possible.
Type: string
Defines the version to migrate enforcers.
Type: string
Contains the original namespace of the enforcer.
Type: boolean
Propagates the policy to all of its children.
Indicates the type of refresh.
Default value:
"Debug"
Request a command for the enforcers matching the following tag expression.

NetworkRule

Represents an ingress or egress network rule.

Example

{ "action": "Allow", "logsDisabled": false, "observationEnabled": false }

Attributes

Defines the action to apply to a flow.
  • Allow: allows the defined traffic.
  • Reject: rejects the defined traffic; useful in conjunction with an allow-all policy.
Default value:
"Allow"
Type: boolean
If true, the relevant flows will not be reported to the Microsegmentation Console. Under some advanced scenarios you may wish to set this to true, such as to save space or improve performance.
Type: string
A user defined name to keep track of the rule in the reporting.
A list of IP CIDRs or FQDNs that identify remote endpoints.
Identifies the set of remote workloads that the rule relates to. The selector will identify both processing units as well as external networks that match the selector.
Type: boolean
If set to true, the flow will be in observation mode.
Default value:
false
Type: []string
Represents the ports and protocols this policy applies to. Protocol/ports are defined as tcp/80, udp/22. For protocols that do not have ports, the port designation is not allowed.
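An added example (not the product's code) of how a practitioner would validate `protocolPorts` entries in the format just described and evaluate a flow against a list of rules. Assumptions, not statements from the page: the small table of port-less versus ported protocols, that a bare `tcp` or `udp` entry means any port, and that a matching Reject rule takes precedence over a matching Allow rule (the "Reject alongside an allow-all policy" pattern the action list describes). FQDN entries are not resolved; only CIDRs in `networks` are matched, and the rule set at the bottom is constructed for the example.

```python
# Added example: validate NetworkRule protocolPorts and evaluate a flow.
# Not product code; protocol table, "bare protocol = any port" reading and
# Reject-over-Allow precedence are assumptions made for illustration.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PORTLESS = {"icmp", "icmp6", "gre", "esp", "ah"}   # assumption: protocols without ports
PORTED = {"tcp", "udp", "sctp"}                     # assumption: protocols carrying a port


def parse_protocol_port(spec: str) -> Tuple[str, Optional[int]]:
    """'tcp/80' -> ('tcp', 80); 'icmp' -> ('icmp', None); 'icmp/8' is rejected."""
    proto, sep, port = spec.strip().lower().partition("/")
    if proto in PORTLESS:
        if sep:
            raise ValueError(f"{spec!r}: {proto} has no ports, port designation not allowed")
        return proto, None
    if proto in PORTED:
        if not sep:
            return proto, None                      # assumption: bare protocol means any port
        if not port.isdigit() or not 0 < int(port) <= 65535:
            raise ValueError(f"{spec!r}: port must be 1-65535")
        return proto, int(port)
    raise ValueError(f"{spec!r}: unknown protocol")


@dataclass
class NetworkRule:
    action: str                     # "Allow" or "Reject"
    protocolPorts: List[str]
    networks: List[str]             # CIDRs identifying remote endpoints
    name: str = ""
    parsed: list = field(init=False, repr=False)
    nets: list = field(init=False, repr=False)

    def __post_init__(self):
        if self.action not in ("Allow", "Reject"):
            raise ValueError(f"{self.name}: bad action {self.action!r}")
        self.parsed = [parse_protocol_port(p) for p in self.protocolPorts]   # fail early on bad specs
        self.nets = [ipaddress.ip_network(n, strict=False) for n in self.networks]

    def matches(self, proto: str, port: Optional[int], remote: str) -> bool:
        ip = ipaddress.ip_address(remote)
        if not any(ip in n for n in self.nets):
            return False
        return any(p == proto and (pp is None or pp == port) for p, pp in self.parsed)


def evaluate(rules: List[NetworkRule], proto: str, port: Optional[int], remote: str,
             default: str = "Reject") -> str:
    """Verdict for one flow. Assumption: any matching Reject wins over matching
    Allows; with no match at all the caller's default applies."""
    hit = [r for r in rules if r.matches(proto, port, remote)]
    if any(r.action == "Reject" for r in hit):
        return "Reject"
    if hit:
        return "Allow"
    return default


# Constructed rule set for the example: block SSH from everywhere, allow the
# intranet everything else over TCP, plus DNS and ICMP.
RULES = [
    NetworkRule("Reject", ["tcp/22"], ["0.0.0.0/0"], name="no-ssh-from-anywhere"),
    NetworkRule("Allow", ["tcp", "udp/53", "icmp"], ["10.0.0.0/8"], name="intranet"),
]

if __name__ == "__main__":
    for flow in (("tcp", 80, "10.1.2.3"), ("tcp", 22, "10.1.2.3"), ("tcp", 80, "8.8.8.8")):
        print(flow, evaluate(RULES, *flow))
```

Validating `protocolPorts` at construction time (in `__post_init__`) is the check worth keeping: a malformed entry such as `icmp/8` should fail when the rule is written, not silently never match at enforcement time.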

NetworkRuleNet

Represents a network contained in a NetworkRule.

Attributes

Type: string
The ID of the external network.
Type: []string
List of CIDRs or domain names.
Type: string
The namespace of the external network.

Policy

Represents the policy primitive used by all Microsegmentation policies.

Example

{ "disabled": false, "fallback": false, "name": "the name", "propagate": false, "propagationHidden": false, "protected": false, "type": "APIAuthorization" }

Relations

Retrieves the list of policy primitives.
Parameters:
  • q (string): Filtering query. Consecutive q parameters are combined with a logical OR.
  • propagated (boolean): Also retrieve the objects that propagate down.
Deletes the object with the given ID.
Parameters:
  • q (string): Filtering query. Consecutive q parameters are combined with a logical OR.
Retrieves the object with the given ID.

Attributes

Type: string
Identifier of the object.
Defines a set of actions that must be enforced when a dependency is met.
Type: string
Defines for how long the policy will be active according to the activeSchedule.
Type: string
Defines when the policy should be active using the cron notation. The policy will be active for the given activeDuration.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: time
Creation date of the object.
Type: string
Description of the object.
Type: boolean
Defines if the object is disabled.
Type: time
If set the policy will be automatically deleted at the given time.
Type: boolean
Indicates that this is a fallback policy. It will only be applied if no other policies have been resolved. If the policy is also propagated, it becomes a fallback for child namespaces.
Type: []string
Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
Represents a set of entities that another entity depends on. Like subjects, objects are identified as logical operations on tags when a policy is defined.
Type: boolean
Propagates the policy to all of its children.
Type: boolean
If set to true while the policy is propagating, it will not be visible to child namespaces, but it is still used for policy resolution.
Type: boolean
Defines if the object is protected.
Type: []string
Describes the required operation to be performed between subjects and objects.
Represents sets of entities that will have a dependency on other entities. Subjects are defined as logical operations on tags. Logical operations can include AND and OR.
Type: time
Last update date of the object.
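An added example, not the product's own resolver, showing how the attributes above interact when selecting the policies that apply to a processing unit: `disabled` and an elapsed `expirationTime` drop a policy out; `propagate` brings a policy from an ancestor namespace into scope; `propagationHidden` keeps such a policy out of a child's listing while it still counts for resolution; and `fallback` policies are used only when nothing else resolved. The namespaces, tags, policy objects and reference time are constructed for the example, and `activeSchedule`/`activeDuration` are deliberately left out of scope.

```python
# Added example: a small policy resolver covering disabled, expirationTime,
# propagate, propagationHidden and fallback. Not product code; every policy,
# namespace, tag and timestamp below is constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional, Sequence


def matches(subject: Sequence[Sequence[str]], tags: Iterable[str]) -> bool:
    """Subject is an OR of AND clauses: [["a", "b"], ["c"]] == (a AND b) OR c."""
    tagset = set(tags)
    return any(all(t in tagset for t in clause) for clause in subject)


def lineage(namespace: str) -> List[str]:
    """'/acme/prod' -> ['/', '/acme', '/acme/prod']."""
    parts = [p for p in namespace.split("/") if p]
    return ["/"] + ["/" + "/".join(parts[:i + 1]) for i in range(len(parts))]


@dataclass
class Policy:
    name: str
    namespace: str
    subject: Sequence[Sequence[str]]
    disabled: bool = False
    propagate: bool = False
    propagationHidden: bool = False
    fallback: bool = False
    expirationTime: Optional[datetime] = None

    def expired(self, now: datetime) -> bool:
        return self.expirationTime is not None and now >= self.expirationTime


def visible_policies(policies: Sequence[Policy], namespace: str, now: datetime) -> List[str]:
    """What listing policies from `namespace` with propagated=true shows: the
    namespace's own policies plus propagated ancestors that are not hidden.
    Expired policies are omitted because they would already have been deleted."""
    ancestors = lineage(namespace)[:-1]
    return [p.name for p in policies if not p.expired(now) and (
        p.namespace == namespace
        or (p.namespace in ancestors and p.propagate and not p.propagationHidden))]


def resolve(policies: Sequence[Policy], pu_namespace: str,
            pu_tags: Iterable[str], now: datetime) -> List[str]:
    """Policies applied to a processing unit. Candidates come from the unit's
    own namespace plus propagated ancestors (hidden ones included); disabled
    and expired policies drop out; fallbacks apply only if nothing else did."""
    ancestors = lineage(pu_namespace)[:-1]
    tags = set(pu_tags)
    cands = []
    for p in policies:
        if p.disabled or p.expired(now):
            continue
        in_scope = p.namespace == pu_namespace or (p.propagate and p.namespace in ancestors)
        if in_scope and matches(p.subject, tags):
            cands.append(p)
    primary = [p.name for p in cands if not p.fallback]
    return primary if primary else [p.name for p in cands if p.fallback]


NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)    # constructed reference time
POLICIES = [
    # Hidden, propagated fallback at the root: applies everywhere, listed nowhere below "/".
    Policy("catch-all", "/", [["env=prod"]], propagate=True, propagationHidden=True, fallback=True),
    # Propagated from /acme but already past its expirationTime.
    Policy("acme-web", "/acme", [["app=web"]], propagate=True, expirationTime=NOW - timedelta(days=1)),
    Policy("prod-web", "/acme/prod", [["app=web", "env=prod"]]),
    Policy("prod-old", "/acme/prod", [["app=web"]], disabled=True),
    # Propagates, but /acme/staging is a sibling subtree, never an ancestor of /acme/prod.
    Policy("staging-web", "/acme/staging", [["app=web"]], propagate=True),
]

if __name__ == "__main__":
    print(resolve(POLICIES, "/acme/prod", {"app=web", "env=prod"}, NOW))
    print(resolve(POLICIES, "/acme/prod", {"app=api", "env=prod"}, NOW))
```

The second call illustrates the fallback rule: a unit tagged `app=api` matches no primary policy in `/acme/prod`, so the hidden root fallback is the only policy applied, even though a listing from `/acme/prod` never shows it.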

PolicyRefresh

Sent to a client as a push event when a policy refresh is needed on their side.

Attributes

Type: string
Contains the original ID of the updated object.
Type: string
Contains the original namespace of the updated object.
Type: string
Contains the policy type that is affected.

PolicyRule

Allows services to retrieve a policy resolution (internal).

Example

{ "name": "the name", "propagated": false }

Relations

Retrieves the object with the given ID.

Attributes

Type: string
Identifier of the object.
Defines a set of actions that must be enforced when a dependency is met.
Provides the audit profiles that must be applied.
Provides information about the enforcer profile.
Provides the external network that the policy targets.
Provides the file paths that the policy targets.
Provides the list of host services that must be instantiated.
Provides the isolation profiles of the rule.
Type: string
Name of the entity.
The namespace that the policy targets.
Type: string
The namespace of the policy that created this rule.
Type: time
Last time the policy was updated.
Type: boolean
Indicates if the policy is propagated.
Type: []string
Describes the required operation to be performed between subjects and objects.
Type: []service
Provides the services of this policy rule.
Policy target tags.

ProcessingUnitRefresh

Sent to a client when a poke has been triggered using the parameter ?notify=true. This is used to notify an enforcer of an external change on the processing unit that must be processed.

Example

{ "debug": false, "pingEnabled": false, "pingIterations": 1, "pingMode": "Auto", "refreshPolicy": false, "traceApplicationConnections": false, "traceDuration": "10s", "traceIPTables": false, "traceNetworkConnections": false }

Relations

Sends a Processing Unit Refresh command.

Attributes

Type: string
Contains the ID of the target processing unit.
Type: boolean
If set to true, start reporting debug information for the target processing unit.
Type: string
Contains the original namespace of the processing unit.
Type: string
Destination address to run ping.
Type: boolean
If set to true, start ping to the destination.
Type: integer
Number of iterations to run a ping probe.
Default value:
1
Represents the mode of ping to be used.
Default value:
"Auto"
Type: integer
Destination port to run ping.
Type: string
ID unique per ProcessingUnitRefresh event.
Type: boolean
If set to true, the target processing unit will refresh its policy immediately.
Type: boolean
Instructs the enforcer to send records for all application-initiated connections for the target processing unit.
Type: string
Determines the length of the time interval during which the trace is enabled, using Go duration syntax.
Default value:
"10s"
Type: boolean
Instructs the enforcer to provide an iptables trace for the target processing unit.
Type: boolean
Instructs the enforcer to send records for all network-initiated connections for the target processing unit.

RenderedPolicy

Retrieve the aggregated policies applied to a particular processing unit.

Example

{ "defaultPUIncomingTrafficAction": "Reject", "defaultPUOutgoingTrafficAction": "Reject", "processingUnit": "{ \"name\": \"pu\", \"type\": \"Docker\", \"normalizedTags\": [ \"a=a\", \"b=b\" ] }" }

Relations