Core resources

core

Comment

Represents a comment from a user.

Attributes

Type: []string
The claims of the author.
Type: string
The content of the comment.
Type: time
The date of the comment.

DiscoveryMode

(Deprecated) When discovery mode is enabled, all flows are accepted. Flows which do not match an existing network policy will be represented by a dotted line in your Platform view.

Example

{ "propagate": false }

Relations

(Deprecated) Returns the list of discovery modes.
(Deprecated) Deploy the discovery mode assets onto the specified namespace.
(Deprecated) Remove the discovery mode assets with the given import reference ID.
(Deprecated) Retrieve the discovery mode with the given import reference ID.

Attributes

Type: string
Identifier of the object.
Type: string
Namespace tag attached to an entity.
Type: boolean
Propagates the policy to all of its children.

Export

Allows you to obtain a JSON object containing policies and other objects from a given namespace. You can then import this JSON object into a different namespace.

Example

{ "identities": [ "externalnetworks", "networkaccesspolicies" ], "label": "my-import-name" }

Relations

Exports all policies and related objects of a namespace.
Parameters:
  • q (string): Filtering query. Subsequent q parameters will be combined with an OR.

Attributes

Type: integer
Version of the Microsegmentation Console API used for the exported data.
List of all exported data.
Type: []string
The list of identities to export.
Type: string
Allows you to define a unique label for this export. When importing the content of the export, this label will be added as a tag that will be used to recognize the imported objects in a later import.

Hit

This API allows you to retrieve a generic hit counter for a given object.

Example

{ "name": "counter", "targetIdentity": "networkaccesspolicy" }

Relations

Retrieve a matching hit.
Parameters:
Mandatory Parameters
Manage hits.
Parameters:

Attributes

Type: string
name of the counter.
Default value:
"counter"
Type: string
The ID of the referenced object.
Type: string
The identity of the referenced object.
Type: integer
The value of the hit.

Import

Imports an export of policies and related objects into the namespace.

Example

{ "data": { "externalnetworks": [ { "associatedTags": [ "ext:net=tcp" ], "description": "Represents all TCP traffic on any port", "entries": [ "0.0.0.0/0" ], "name": "all-tcp", "servicePorts": [ "tcp/1:65535" ] }, { "associatedTags": [ "ext:net=udp" ], "description": "Represents all UDP traffic on any port", "entries": [ "0.0.0.0/0" ], "name": "all-udp", "servicePorts": [ "udp/1:65535" ] } ], "networkaccesspolicies": [ { "action": "Allow", "description": "Allows all communication from pu to pu, tcp and udp", "logsEnabled": true, "name": "allow-all-communication", "object": [ [ "$identity=processingunit" ], [ "ext:net=tcp" ], [ "ext:net=udp" ] ], "subject": [ [ "$identity=processingunit" ] ] } ] }, "mode": "Import" }

Relations

Imports data from a previous export.

Attributes

Type: export
Data to import.
How to import the data: ReplacePartial, Import (default), or Remove. ReplacePartial is deprecated. Use Import instead. While you can use ReplacePartial it will be interpreted as Import.
Default value:
"Import"

ImportReference

Allows you to import and keep a reference.

Example

{ "constraint": "Unrestricted", "data": { "externalnetworks": [ { "associatedTags": [ "ext:net=tcp" ], "description": "Represents all TCP traffic on any port", "entries": [ "0.0.0.0/0" ], "name": "all-tcp", "servicePorts": [ "tcp/1:65535" ] }, { "associatedTags": [ "ext:net=udp" ], "description": "Represents all UDP traffic on any port", "entries": [ "0.0.0.0/0" ], "name": "all-udp", "servicePorts": [ "udp/1:65535" ] } ], "networkaccesspolicies": [ { "action": "Allow", "description": "Allows all communication from pu to pu, tcp and udp", "logsEnabled": true, "name": "allow-all-communication", "object": [ [ "$identity=processingunit" ], [ "ext:net=tcp" ], [ "ext:net=udp" ] ], "subject": [ [ "$identity=processingunit" ] ] } ] }, "name": "the name", "protected": false }

Relations

Retrieves the list of import references.
Parameters:
  • q (string): Filtering query. Subsequent q parameters will be combined with an OR.
Imports data from a previous export and keeps a reference.
Deletes the object with the given ID.
Parameters:
  • q (string): Filtering query. Subsequent q parameters will be combined with an OR.
Retrieves the object with the given ID.
Returns the list of import references that depend on a recipe.
Create an import request for the given recipe.

Attributes

Type: string
Identifier of the object.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: []string
Contains the claims of the client that performed the import.
Define the import constraint. If Unrestricted, import can be deployed multiple times. If Unique, only one import is allowed in the current namespace and its child namespaces. If NamespaceUnique, only one import is allowed in the current namespace.
Default value:
"Unrestricted"
Type: time
Creation date of the object.
Type: export
Data to import.
Type: string
Description of the object.
Type: string
Label used for the imported data.
Type: []string
Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
Type: boolean
Defines if the object is protected.
Type: time
Last update date of the object.

ImportRequest

Allows you to send an import request to create objects in a namespace where the requester does not normally have the permission to do so (other than creating import requests).
The requester must have the permission to create the request in their namespace and the target namespace.
When the request is created, the status is set to Draft. The requester can edit the content as much as desired. When ready to send the request, update the status to Submitted. The request will then be moved to the target namespace. At that point nobody can edit the content of the request other than adding comments.
The requestee will now see the request, and will either
  • Set the status as Approved. This will create the objects in the target namespace.
  • Set the status as Rejected. The request cannot be edited anymore and can be deleted.
  • Set the status back as Draft. The request will go back to the requester namespace so that the requester can make changes. Once the changes are ready, the requester will set the status back to Submitted.
The data format is the same as Export.
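The Draft / Submitted / Approved / Rejected round trip described above, modelled as an added example (this is not the Microsegmentation Console's own code). The transition table and the "comments only once submitted" rule come from the text; the actor names "requester" and "requestee", the namespace values, and the assumption that Approved and Rejected requests stay in the target namespace are mine.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Allowed status changes and which party may perform each one, as described
# above: the requester submits; the requestee approves, rejects, or sends the
# request back to Draft.
TRANSITIONS = {
    ("Draft", "Submitted"): "requester",
    ("Submitted", "Approved"): "requestee",
    ("Submitted", "Rejected"): "requestee",
    ("Submitted", "Draft"): "requestee",
}

# Statuses in which the request lives in the target namespace. Submitted is
# stated on the page; Approved and Rejected staying there is an assumption.
TARGET_SIDE = {"Submitted", "Approved", "Rejected"}


class WorkflowError(Exception):
    """An edit or status change the workflow does not allow."""


@dataclass
class Comment:
    claims: list
    content: str
    date: datetime


@dataclass
class ImportRequest:
    data: dict                    # same format as Export: {identity: [objects]}
    requester_namespace: str
    target_namespace: str
    status: str = "Draft"
    comment_feed: list = field(default_factory=list)

    @property
    def namespace(self) -> str:
        """Namespace the request currently lives in."""
        if self.status in TARGET_SIDE:
            return self.target_namespace
        return self.requester_namespace


def allowed_statuses(req: ImportRequest, actor: str) -> set:
    """Statuses `actor` ("requester" or "requestee") may move the request to."""
    return {new for (cur, new), who in TRANSITIONS.items()
            if cur == req.status and who == actor}


def can_edit(req: ImportRequest, actor: str) -> bool:
    """Content is editable only by the requester and only while in Draft."""
    return req.status == "Draft" and actor == "requester"


def set_status(req: ImportRequest, new_status: str, actor: str) -> list:
    """Apply a status change on behalf of `actor`.

    Returns the (identity, object) pairs that get created in the target
    namespace, which is non-empty only when the request is approved.
    """
    if new_status not in allowed_statuses(req, actor):
        raise WorkflowError(
            f"{actor} may not move the request from {req.status} to {new_status}")
    req.status = new_status
    if new_status != "Approved":
        return []
    return [(identity, obj) for identity, objs in req.data.items() for obj in objs]


def edit_data(req: ImportRequest, new_data: dict, actor: str) -> None:
    """Replace the request content, subject to can_edit()."""
    if not can_edit(req, actor):
        raise WorkflowError("content can only be edited by the requester in Draft")
    req.data = new_data


def add_comment(req: ImportRequest, content: str, author_claims: list) -> None:
    """Adding a comment is the one change allowed in every status."""
    req.comment_feed.append(Comment(author_claims, content, datetime.now(timezone.utc)))


def demo() -> list:
    """Walk one request through a send-back and re-submit; returns created objects."""
    policy = {"action": "Allow", "name": "allow-acme", "logsEnabled": True}
    req = ImportRequest(data={"networkaccesspolicies": [policy]},
                        requester_namespace="/acme/partner",   # constructed value
                        target_namespace="/acme/prod")
    set_status(req, "Submitted", "requester")
    add_comment(req, "please restrict the object to app=query", ["@auth:realm=vince"])
    set_status(req, "Draft", "requestee")                # sent back for changes
    policy["object"] = [["$identity=processingunit", "app=query"]]
    edit_data(req, {"networkaccesspolicies": [policy]}, "requester")
    set_status(req, "Submitted", "requester")
    return set_status(req, "Approved", "requestee")


if __name__ == "__main__":
    for identity, obj in demo():
        print(identity, obj["name"])
```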

Example

{ "data": { "networkaccesspolicies": [ { "action": "Allow", "description": "Allows Acme to access service A", "logsEnabled": true, "name": "allow-acme", "object": [ [ "$identity=processingunit", "$namespace=/acme/prod", "app=query" ] ], "subject": [ [ "$identity=processingunit", "app=partner-data" ] ] } ] }, "protected": false, "requesterClaims": [ "@auth:realm=vince", "@auth:account=acme" ], "status": "Draft", "targetNamespace": "/acme/prod" }

Relations

Retrieves the list of import requests.
Parameters:
  • q (string): Filtering query. Subsequent q parameters will be combined with an OR.
Creates a new import request.
Delete an existing import request.
Retrieve a single existing import request.
Update an existing import request.

Attributes

Type: string
Identifier of the object.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: string
A new comment that will be added to commentFeed.
Type: []comment
List of comments that have been added to that request.
Type: time
Creation date of the object.
Type: string
Description of the object.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
Type: boolean
Defines if the object is protected.
Type: []string
The identity claims of the requester; populated by the Microsegmentation Console.
Type: string
The namespace from which the request originated; populated by the Microsegmentation Console.
Draft: allows the content to be changed. Submitted: the request moves to the target namespace for approval. Approved: the data will be created immediately. Rejected: the request cannot be changed anymore and can be deleted.
Default value:
"Draft"
Type: string
The namespace where the request will be sent. The requester can set any namespace but needs to have an authorization to post the request in that namespace.
Type: time
Last update date of the object.

Poke

When available, poke can be used to update various information about the parent. For instance, for enforcers, poke will be used as the heartbeat.

Relations

Sends an empty poke object. This is used to ensure an enforcer is up and running.
Parameters:
Sends an empty poke object. This will send a snapshot of the processing unit to the time series database.
Parameters:

PolicyRenderer

Allows you to render policies of a given type for a given set of tags.

Example

{ "processMode": "Subject", "tags": [ "a=a", "b=b" ], "type": "APIAuthorization" }

Relations

Render a policy of a given type for a given set of tags.

Attributes

List of policies rendered for the given set of tags.
Subject (default): render using the subject of the policies. Object: render using the object of the policies. This currently only has an effect when rendering an SSH authorization.
Default value:
"Subject"
Type: []string
List of tags of the object to render the hook for.

core/accessiblenamespace

AccessibleNamespace

An Accessible Namespace represents a namespace that can be accessed by a given user.

Example

{ "ID": "123-4343-54343" }

Relations

Retrieves the list of accessible namespaces.
Parameters:
  • q (string): Filtering query. Subsequent q parameters will be combined with an OR.

Attributes

Type: string
Identifier of the namespace that is accessible.
Type: string
Name of the namespace that is accessible.
Type: string
Namespace tag attached to an entity.

core/account

Account

Allows you to view and manage basic information about your account like your name, password, and whether or not two-factor authentication is enabled.

Example

{ "OTPEnabled": false, "SSHCARenew": false, "accessEnabled": false, "company": "Acme", "email": "user@acme.com", "firstName": "John", "lastName": "Doe", "localCARenew": false, "name": "acme" }

Relations

Retrieves all accounts. This is a private API that can only be called by the system.
Parameters:
Creates a new account.
Deletes the object with the given ID.
Parameters:
  • q (string): Filtering query. Subsequent q parameters will be combined with an OR.
Retrieves the object with the given ID.
Updates the object with the given ID.

Attributes

Type: string
Identifier of the object.
Type: boolean
Enable or disable two-factor authentication.
Type: string
Returns the base64-encoded QR code for setting up two-factor authentication.
Type: string
Holds the SSH certificate authority used by the account namespace.
Type: boolean
Set to true to renew the SSH certificate authority of the account namespace.
Type: boolean
Defines if the account holder should have access to the system.
Type: string
Contains the activation token.
Type: string
Holds the ID of the associated billing customer.
Type: string
Contains the plan key associated with this account.
Type: string
Company of the account user.
Type: time
Creation date of the object.
Type: string
Email of the account holder.
Type: string
First name of the account user.
Type: string
Last name of the account user.
Type: string
The certificate authority used by this namespace.
Type: boolean
Set to true to renew the local certificate authority of the account namespace.
Type: string
Name of the account.
Type: string
New password for the account. If set the previous password must be given through the property password.
Type: string
Password for the account.
Type: string
Contains the completely automated public Turing test (CAPTCHA) validation if reCAPTCHA is enabled.
Status of the account.
Default value:
"Pending"
Type: time
Last update date of the object.

Activate

Used to activate a pending account.

Example

{ "token": "2BB3D52C-DE26-406A-8821-613F102282B0" }

Relations

Activates a pending account.
Parameters:
Mandatory Parameters

Attributes

Type: string
Contains the activation token.

PasswordReset

Used to reset a Microsegmentation account password.

Example

{ "password": "NewPassword123@", "token": "436676D4-7ECA-4853-A572-0644EE9D89EF" }

Relations

Sends a link to the account email to reset the password.
Parameters:
Mandatory Parameters
Resets the password for an account using the provided link.

Attributes

Type: string
Contains the new password.
Type: string
Contains the reset password token.

core/authentication

Authn

Verifies if the given token is valid or not. If it is valid it will return the claims of the token.

Relations

Verify the validity of a token. This is deprecated. You should use Create.
Parameters:
Verify the validity of a token.

Attributes

Type: _claims
The claims in the token.
Type: string
The token to verify. This is only used if a POST request is used.

Issue

Issues a new Microsegmentation token according to given data.

Example

{ "audience": "aud:*:*:/namespace", "metadata": { "vinceAccount": "acme", "vinceOTP": 665435, "vincePassword": "s3cr3t" }, "realm": "Vince", "restrictedNamespace": "/namespace", "restrictedNetworks": [ "10.0.0.0/8", "127.0.0.1/32" ], "restrictedPermissions": [ "@auth:role=enforcer", "namespace,post" ], "validity": "24h" }

Relations

Issues a new token.
Parameters:
  • asCookie (boolean): If set to true, the token will be delivered in a secure cookie, and not in the response body.
  • token (string): Token to verify.

Attributes

Type: string
If given, the issued token will only be valid for the specified namespace. Refer to RFC 7519 (JSON Web Token, JWT) for further information.
Type: _claims
The claims in the token. It is only set if the parameter asCookie is given.
Type: string
Contains additional data. The value depends on the issuer type.
Contains various additional information. Meaning depends on the realm.
Opaque data that will be included in the issued token.
Type: integer
Restricts the number of times the issued token can be used.
The authentication realm. This will define how to verify credentials from internal or external source of authentication.
Type: string
Restricts the namespace where the token can be used.
For instance, if you have access to /namespace and below, you can tell the policy engine that it should restrict further to /namespace/child.
Restricting to a namespace you do not initially have access to according to the policy engine has no effect and may end up making the token unusable.
Type: []string
Restricts the networks from where the token can be used. This will reduce the existing set of authorized networks that normally apply to the token according to the policy engine.
For instance, if you have authorized access from 0.0.0.0/0 (by default) or from 10.0.0.0/8, you can ask for a token that will only be valid if used from 10.1.0.0/16.
Restricting to a network that is not initially authorized by the policy engine has no effect and may end up making the token unusable.
Type: []string
Restricts the permissions of the token. This will reduce the existing permissions that normally apply to the token according to the policy engine.
For instance, if you have an administrative role, you can ask for a token that will tell the policy engine to reduce the permissions it would have granted to what is defined in the token.
Restricting to permissions you do not initially have according to the policy engine has no effect and may end up making the token unusable.
Type: string
The token to use for the registration.
Type: string
Configures the maximum length of validity for a token, using Go duration syntax. If it is bigger than the configured maximum validity, it will be capped. Default: 24h.
Default value:
"24h"
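The narrowing rules for restrictedNamespace, restrictedNetworks and restrictedPermissions above, plus the validity cap, as an added example that is not the Microsegmentation Console's own code: each restriction can only shrink what the policy engine already grants, anything outside the granted scope is dropped, and a token left with no namespace, network or permission is treated as unusable. The Scope type, the helper names, the "identity,verb" permission strings, and the choice to report a fully dropped restriction as unusable are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Scope:
    """What the policy engine grants a token: a namespace, source networks, permissions."""
    namespace: str
    networks: frozenset      # ipaddress network objects
    permissions: frozenset   # "identity,verb" strings, as in "namespace,post"


def make_scope(namespace: str, networks: Iterable[str], permissions: Iterable[str]) -> Scope:
    """Build a Scope from plain strings (CIDRs are parsed here)."""
    return Scope(namespace,
                 frozenset(ipaddress.ip_network(n) for n in networks),
                 frozenset(permissions))


def namespace_within(child: str, parent: str) -> bool:
    """True when `child` is `parent` itself or one of its descendants."""
    return child == parent or child.startswith(parent.rstrip("/") + "/")


def restrict_namespace(granted: str, requested: Optional[str]) -> Optional[str]:
    """A token may only be narrowed to the granted namespace or below it."""
    if requested is None:
        return granted
    return requested if namespace_within(requested, granted) else None


def restrict_networks(granted: frozenset, requested: Iterable[str]) -> Optional[frozenset]:
    """Keep only requested networks that lie inside an authorized network."""
    if not requested:
        return granted
    kept = set()
    for net in map(ipaddress.ip_network, requested):
        if any(net.version == g.version and net.subnet_of(g) for g in granted):
            kept.add(net)
    return frozenset(kept) or None        # nothing left: token would be unusable


def restrict_permissions(granted: frozenset, requested: Iterable[str]) -> Optional[frozenset]:
    """Permissions can only be reduced, never extended."""
    if not requested:
        return granted
    return (frozenset(requested) & granted) or None


def effective_scope(granted: Scope, restricted_namespace: Optional[str] = None,
                    restricted_networks: Iterable[str] = (),
                    restricted_permissions: Iterable[str] = ()) -> Optional[Scope]:
    """Scope the issued token ends up with, or None if it would be unusable."""
    ns = restrict_namespace(granted.namespace, restricted_namespace)
    nets = restrict_networks(granted.networks, restricted_networks)
    perms = restrict_permissions(granted.permissions, restricted_permissions)
    if ns is None or nets is None or perms is None:
        return None
    return Scope(ns, nets, perms)


UNITS = {"h": 3600, "m": 60, "s": 1}


def parse_go_duration(text: str) -> float:
    """Seconds for a Go duration limited to h, m and s units (e.g. "1h30m")."""
    total, num = 0.0, ""
    for ch in text:
        if ch.isdigit() or ch == ".":
            num += ch
        elif ch in UNITS and num:
            total += float(num) * UNITS[ch]
            num = ""
        else:
            raise ValueError(f"bad duration: {text!r}")
    if num:
        raise ValueError(f"bad duration: {text!r}")
    return total


def cap_validity(requested: str, max_validity: str = "24h") -> float:
    """Requested validity in seconds, capped at the configured maximum."""
    return min(parse_go_duration(requested), parse_go_duration(max_validity))


if __name__ == "__main__":
    # Constructed grant matching the page's own example values.
    granted = make_scope("/namespace", ["0.0.0.0/0", "10.0.0.0/8"],
                         ["namespace,post", "networkaccesspolicy,get"])
    print(effective_scope(granted, "/namespace/child", ["10.1.0.0/16"], ["namespace,post"]))
    print(effective_scope(granted, "/other"))          # None: outside granted namespace
    print(cap_validity("72h"))                        # 86400.0, capped to 24h
```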

LDAPProvider

Allows you to declare a generic LDAP provider that can be used in exchange for a Midgard token.

Example

{ "address": "ldap.company.com", "baseDN": "dc=universe,dc=io", "bindDN": "cn=readonly,dc=universe,dc=io", "bindPassword": "s3cr3t", "bindSearchFilter": "uid={USERNAME}", "certificateAuthority": "-----BEGIN CERTIFICATE----- MIIBPzCB5qADAgECAhEAwbx3c+QW24ePXyD94geytzAKBggqhkjOPQQDAjAPMQ0w CwYDVQQDEwR0b3RvMB4XDTE5MDIyMjIzNDA1MFoXDTI4MTIzMTIzNDA1MFowDzEN MAsGA1UEAxMEdG90bzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJi6CwRDeKks Xb3pDEslmFGR7k9Aeh5RK+XmdqKKPGb3NQWEFPGolnqOR34iVuf7KSxTuzaaVWfu XEa94faUQEqjIzAhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MAoG CCqGSM49BAMCA0gAMEUCIQD+nL9RF9EvQXHyYuJ31Lz9yWd9hsK91stnpAs890gS /AIgQIKjBBpiyQNZZWso5H04qke9QYMVPegiQQufFFBj32c= -----END CERTIFICATE-----", "connSecurityProtocol": "InbandTLS", "default": false, "name": "the name", "protected": false, "subjectKey": "uid" }

Relations

Retrieves the list of the namespace LDAP providers.
Parameters:
  • q (string): Filtering query. Subsequent q parameters will be combined with an OR.
Creates a new LDAP provider.
Deletes the provider with the given ID.
Parameters:
  • q (string): Filtering query. Subsequent q parameters will be combined with an OR.
Retrieves the provider with the given ID.
Updates the provider with the given ID.

Attributes

Type: string
Identifier of the object.
Type: string
Contains the fully qualified domain name (FQDN) or IP address of the private LDAP server.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: string
Contains the base distinguished name (DN) to use for LDAP queries. Example: dc=example,dc=com.
Type: string
Contains the DN to use to bind to the LDAP server. Example: cn=admin,dc=example,dc=com.
Type: string
Contains the password to be used with the bindDN to authenticate to the LDAP server.
Type: string
The filter to use to locate the relevant user accounts. For Windows-based systems, the value may be sAMAccountName={USERNAME}. For Linux and other systems, the value may be uid={USERNAME}.
Default value:
"uid={USERNAME}"
Type: string
Can be left empty if the LDAP server’s certificate is signed by a public, trusted certificate authority. Otherwise, include the public key of the certificate authority that signed the LDAP server’s certificate.
Specifies the connection type for the LDAP provider. TLS or InbandTLS (default).
Default value:
"InbandTLS"
Type: time
Creation date of the object.
Type: boolean
If set, this will be the default LDAP provider. There can be only one default provider in your account. When logging in with LDAP, if no provider name is given, the default will be used.
Type: string
Description of the object.
Type: []string
A list of keys that must not be imported into a Microsegmentation authorization. If includedKeys is also set, and a key is in both lists, the key will be ignored.
Type: []string
A list of keys that must be imported into a Microsegmentation authorization. If ignoredKeys is also set, and a key is in both lists, the key will be ignored.
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
Type: boolean
Defines if the object is protected.
Type: string
The key to be used to populate the subject of the Midgard token. If you want to use the user as a subject, for Windows-based systems you may use sAMAccountName. For Linux and other systems, you may wish to use uid (default). You can also use any alternate key.
Default value:
"uid"
Type: time
Last update date of the object.

Logout

Perform logout operations. This is only used to unset the secure cookie token for now.

Relations

Performs a logout operation.

OIDCProvider

Allows you to declare a generic OpenID Connect (OIDC) provider that can be used in exchange for a Midgard token.

Example

{ "certificateAuthority": "-----BEGIN CERTIFICATE----- MIIBczCCARigAwIBAgIRALD3Vz81Pq10g7n4eAkOsCYwCgYIKoZIzj0EAwIwJjEN MAsGA1UEChMEQWNtZTEVMBMGA1UEAxMMQWNtZSBSb290IENBMB4XDTE4MDExNzA2 NTM1MloXDTI3MTEyNjA2NTM1MlowGDEWMBQGA1UEAxMNY2xhaXJlLWNsaWVudDBZ MBMGByqGSM49AgEGCCqGSM49AwEHA0IABOmzPJj+t25T148eQH5gVrZ7nHwckF5O evJQ3CjSEMesjZ/u7cW8IBfXlxZKHxl91IEbbB3svci4c8pycUNZ2kujNTAzMA4G A1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAA MAoGCCqGSM49BAMCA0kAMEYCIQCjAAmkQpTua0HR4q6jnePaFBp/JMXwTXTxzbV6 peGbBQIhAP+1OR8GFnn2PlacwHqWXHwkvy6CLPVikvgtwEdB6jH8 -----END CERTIFICATE-----", "clientID": "6195189841830-0644ee9d89ef0644ee9d89examle.apps.googleusercontent.com", "clientSecret": "Ytgbfjtj4652jHDFGls99jF", "default": false, "endpoint": "https://accounts.google.com", "name": "the name", "protected": false, "scopes": [ "email", "profile" ], "subjects": [ "email", "profile" ] }

Relations

Retrieves the list of OIDC providers.
Parameters:
  • q (string): Filtering query. Subsequent q parameters will be combined with an OR.
Creates a new OIDC provider.
Deletes the provider with the given ID.
Parameters:
  • q (string): Filtering query. Subsequent q parameters will be combined with an OR.
Retrieves the provider with the given ID.
Updates the provider with the given ID.

Attributes

Type: string
Identifier of the object.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: string
Set the CA to use to contact the OIDC server. This is useful when you are using a custom OIDC provider that doesn’t use a trusted CA. Most of the time, you can leave this property empty.
Type: string
Unique client ID.
Type: string
Client secret associated with the client ID.
Type: time
Creation date of the object.
Type: boolean
If set, this will be the default OIDC provider. There can be only one default provider in your account. When logging in with OIDC, if no provider name is given, the default will be used.
Type: string
Description of the object.
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
Type: string
Contains the parent Microsegmentation account ID.
Type: string
Contains the name of the parent Microsegmentation account.
Type: boolean
Defines if the object is protected.
Type: []string
List of scopes to allow.
Type: []string
List of claims that will provide the subject.
Type: time
Last update date of the object.

PCCProvider

Allows you to declare a trusted Prisma Cloud Compute (PCC) authentication provider. Microsegmentation will accept JSON web tokens (JWT) from the specified PCC provider.

Example

{ "certificateAuthority": "-----BEGIN CERTIFICATE----- MIIBczCCARigAwIBAgIRALD3Vz81Pq10g7n4eAkOsCYwCgYIKoZIzj0EAwIwJjEN MAsGA1UEChMEQWNtZTEVMBMGA1UEAxMMQWNtZSBSb290IENBMB4XDTE4MDExNzA2 NTM1MloXDTI3MTEyNjA2NTM1MlowGDEWMBQGA1UEAxMNY2xhaXJlLWNsaWVudDBZ MBMGByqGSM49AgEGCCqGSM49AwEHA0IABOmzPJj+t25T148eQH5gVrZ7nHwckF5O evJQ3CjSEMesjZ/u7cW8IBfXlxZKHxl91IEbbB3svci4c8pycUNZ2kujNTAzMA4G A1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAA MAoGCCqGSM49BAMCA0kAMEYCIQCjAAmkQpTua0HR4q6jnePaFBp/JMXwTXTxzbV6 peGbBQIhAP+1OR8GFnn2PlacwHqWXHwkvy6CLPVikvgtwEdB6jH8 -----END CERTIFICATE-----", "default": false, "endpoint": "https://my.pcc.acme.com", "name": "the name", "protected": false }

Relations

Retrieves the list of the PCC providers.
Parameters:
  • q (string): Filtering query. Subsequent q parameters will be combined with an OR.
Creates a new PCC provider.
Deletes the provider with the given ID.
Parameters:
  • q (string): Filtering query. Subsequent q parameters will be combined with an OR.
Retrieves the provider with the given ID.
Updates the provider with the given ID.

Attributes

Type: string
Identifier of the object.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: string
Set the CA to use to contact the PCC Console in case it uses a certificate authority that is not widely trusted.
Type: time
Creation date of the object.
Type: boolean
If set, this will be the default PCC provider. There can be only one default provider in your account. When logging in with PCC, if no provider name is given, the default will be used.
Type: string
The URL of the PCC service. It must use HTTPS.
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
Type: boolean
Defines if the object is protected.
Type: time
Last update date of the object.

SAMLProvider

Allows you to declare a generic SAML provider that can be used in exchange for a Midgard token.

Example

{ "IDPCertificate": "-----BEGIN CERTIFICATE REQUEST----- MIICvDCCAaQCAQAwdzELMAkGA1UEBhMCVVMxDTALBgNVBAgMBFV0YWgxDzANBgNV BAcMBkxpbmRvbjEWMBQGA1UECgwNRGlnaUNlcnQgSW5jLjERMA8GA1UECwwIRGln aUNlcnQxHTAbBgNVBAMMFGV4YW1wbGUuZGlnaWNlcnQuY29tMIIBIjANBgkqhkiG 9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8+To7d+2kPWeBv/orU3LVbJwDrSQbeKamCmo wp5bqDxIwV20zqRb7APUOKYoVEFFOEQs6T6gImnIolhbiH6m4zgZ/CPvWBOkZc+c 1Po2EmvBz+AD5sBdT5kzGQA6NbWyZGldxRthNLOs1efOhdnWFuhI162qmcflgpiI WDuwq4C9f+YkeJhNn9dF5+owm8cOQmDrV8NNdiTqin8q3qYAHHJRW28glJUCZkTZ wIaSR6crBQ8TbYNE0dc+Caa3DOIkz1EOsHWzTx+n0zKfqcbgXi4DJx+C1bjptYPR BPZL8DAeWuA8ebudVT44yEp82G96/Ggcf7F33xMxe0yc+Xa6owIDAQABoAAwDQYJ KoZIhvcNAQEFBQADggEBAB0kcrFccSmFDmxox0Ne01UIqSsDqHgL+XmHTXJwre6D hJSZwbvEtOK0G3+dr4Fs11WuUNt5qcLsx5a8uk4G6AKHMzuhLsJ7XZjgmQXGECpY Q4mC3yT3ZoCGpIXbw+iP3lmEEXgaQL0Tx5LFl/okKbKYwIqNiyKWOMj7ZR/wxWg/ ZDGRs55xuoeLDJ/ZRFf9bI+IaCUd1YrfYcHIl3G87Av+r49YVwqRDT0VDV7uLgqn 29XI1PpVUNCPQGn9p/eX6Qo7vpDaPybRtA2R7XLKjQaF9oXWeCUqy1hvJac9QFO2 97Ob1alpHPoZ7mWiEuJwjBPii6a9M9G30nUo39lBi1w= -----END CERTIFICATE REQUEST-----", "IDPIssuer": "https://accounts.google.com/o/saml2/idp?idpid=AbDcef123", "IDPURL": "https://accounts.google.com/o/saml2/idp?idpid=AbDcef123", "default": false, "name": "the name", "protected": false, "subjects": [ "email", "profile" ] }

Relations

Retrieves the list of the namespace SAML providers.
Parameters:
  • q (string): Filtering query. Subsequent q parameters will be combined with an OR.
Creates a new LDAP provider.
Deletes the provider with the given ID.
Parameters:
  • q (string): Filtering query. Subsequent q parameters will be combined with an OR.
Retrieves the provider with the given ID.
Updates the provider with the given ID.

Attributes

Type: string
Identifier of the object.
Type: string
Identity provider certificate in PEM format.
Type: string
Identity Provider Issuer (also called Entity ID).
Type: string
Pass some XML data containing the IDP metadata that can be used for automatic configuration. If you pass this attribute, every other one will be overwritten with the data contained in the metadata file.
Type: string
URL of the identity provider.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: time
Creation date of the object.
Type: boolean
If set, this will be the default SAML provider. There can be only one default provider in your account. When logging in with SAML, if no provider name is given, the default will be used.
Type: string
Description of the object.
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
Type: boolean
Defines if the object is protected.
Type: []string
List of claims that will provide the subject.
Type: time
Last update date of the object.

core/billing

Invoice

Provides access to Microsegmentation customer invoices.

Example

{ "billedToProvider": "Aporeto" }

Relations

Deletes the invoice with the given ID.
Parameters:
  • q (string): Filtering query. Subsequent q parameters will be combined with an OR.
Retrieves the invoice with the given ID.
Updates the invoice with the given ID.

Attributes

Type: string
The ID of the invoice.
Type: string
The ID of the customer that this invoice belongs to.
The name of the provider that this invoice was billed to.
Default value:
"Aporeto"
Type: time
Creation date of the object.
Type: time
The end date of the invoice.
Type: time
The start date of this invoice.
Type: time
Last update date of the object.

InvoiceRecord

Provides detailed records of invoices for Microsegmentation customers.

Relations

Deletes the object with the given ID.
Parameters:
  • q (string): Filtering query. Subsequent q parameters will be combined with an OR.
Retrieves the object with the given ID.
Updates the object with the given ID.

Attributes

Type: string
The ID of the invoice record.
Type: time
Creation date of the object.
Type: string
The ID of the invoice associated with the invoice record.
Type: []string
Details about billing units.
Type: time
Last update date of the object.

Plan

Contains the various billing plans available.

Relations

Retrieves the list of plans.
Retrieves the plan with the given ID.

Attributes

Type: string
Contains the description of the plan.
Type: string
Contains the key identifier of the plan.
Type: string
Contains the name of the plan.

core/enforcer

CounterReport

Post a new counter tracing report.

Example

{ "enforcerID": "xxxx-xxx-xxxx", "enforcerNamespace": "/my/namespace", "namespace": "/my/namespace", "processingUnitID": "xxx-xxx-xxx", "processingUnitNamespace": "/my/namespace", "timestamp": "2018-06-14T23:10:46.420397985Z" }

Relations

Create a counter report.

Attributes

Type: integer
Counter for sending FIN ACK received in unknown connection state.
Type: integer
Counter for ACK packet dropped because of invalid format.
Type: integer
Counter for ACK packets rejected as per policy.
Type: integer
Counter for ACK packet dropped because signature validation failed.
Type: integer
Counter for TCP authentication option not found.
Type: integer
Counter for connections processed.
Type: integer
Counter for unable to find ContextID.
Type: integer
Counter for no ACLs found for external services. Dropping application SYN packet.
Type: string
Identifier of the object.
Type: integer
Counter for invalid connection state.
Type: integer
Counter for invalid net state.
Type: integer
Counter for invalid protocol.
Type: integer
Counter for processing unit is already dead - drop SYN ACK packet.
Type: integer
Counter for processing unit mark not found.
Type: integer
Counter for network SYN packet was not seen.
Type: integer
Counter for no context or connection found.
Type: integer
Counter for traffic that belongs to a non-processing unit process.
Type: integer
Counter for SYN ACK for flow with processed FIN ACK.
Type: integer
Counter for port not found.
Type: integer
Counter for reject the packet as per policy.
Type: integer
Counter for post service processing failed for network packet.
Type: integer
Counter for network packets that failed preprocessing.
Type: integer
Counter for SYN ACK packet dropped because of bad claims.
Type: integer
Counter for SYN ACK packet dropped because of encryption mismatch.
Type: integer
Counter for SYN ACK from external service dropped.
Type: integer
Counter for SYN ACK packet dropped because of invalid format.
Type: integer
Counter for SYN ACK packet dropped because of no claims.
Type: integer
Counter for SYN ACK packet dropped because of missing token.
Type: integer
Counter for TCP authentication option not found.
Type: integer
Counter for dropping because of reject rule on transmitter.
Type: integer
Counter for SYN packet dropped because of invalid format.
Type: integer
Counter for SYN packet dropped because of invalid token.
Type: integer
Counter for SYN packet dropped because of no claims.
Type: integer
Counter for TCP authentication option not found.
Type: integer
Counter for SYN packet dropped due to policy.
Type: integer
Counter for received SYN packet from unknown processing unit.
Type: integer
Counter for TCP authentication option not found.
Type: integer
Counter for UDP ACK packet dropped due to an invalid signature.
Type: integer
Counter for number of processed UDP connections.
Type: integer
Counter for dropped UDP data packets with no context.
Type: integer
Counter for dropped UDP FIN handshake packets.
Type: integer
Counter for UDP packets dropped in NfQueue.
Type: integer
Counter for dropped UDP data packets with no connection.
Type: integer
Counter for dropped UDP data packets.
Type: integer
Counter for UDP packets dropped because the queue was full.
Type: integer
Counter for dropped UDP SYN ACK handshake packets.
Type: integer
Counter for UDP packets received in invalid network state.
Type: integer
Counter for UDP packets failing postprocessing.
Type: integer
Counter for UDP packets failing preprocessing.
Type: integer
Counter for UDP packets dropped due to policy.
Type: integer
Counter for UDP SYN ACK packets dropped due to bad claims.
Type: integer
Counter for UDP SYN ACK packets dropped due to missing claims.
Type: integer
Counter for UDP SYN ACK packets dropped due to bad claims.
Type: integer
Counter for dropped UDP SYN transmits.
Type: integer
Counter for UDP SYN packets dropped due to policy.
Type: integer
Counter for dropped UDP FIN handshake packets.
Type: integer
Counter for UDP SYN packet dropped due to missing claims.
Type: integer
Counter for unknown error.
Type: integer
Non-zero counter indicates analyzed connections for unencrypted and encrypted traffic, and for packets from endpoint applications with the TCP Fast Open option set. These are not drop counters.
Type: integer
Non-zero counter indicates dropped connections because of invalid state, non-processing unit traffic, or out of order packets.
Type: integer
Non-zero counter indicates expired connections because of response not being received within a certain amount of time after the request is made.
Type: integer
Non-zero counter indicates dropped packets that did not hit any of our iptables rules and queue drops.
Type: integer
Non-zero counter indicates encryption processing failures of data packets.
Type: string
Identifier of the enforcer sending the report.
Type: string
Namespace of the enforcer sending the report. This field is deprecated. Use the 'namespace' field instead.
Type: integer
Non-zero counter indicates connections going to and from external networks. These may be drops or allowed counters.
Type: string
Namespace of the enforcer sending the report.
Type: integer
Non-zero counter indicates packets dropped due to a reject policy.
Type: string
PUID is the ID of the processing unit reporting the counter.
Type: string
Namespace of the processing unit reporting the counter.
Type: time
Timestamp is the date of the report.
Type: integer
Non-zero counter indicates packets rejected due to anything related to token creation/parsing failures.

Enforcer

Contains all parameters associated with a registered enforcer. The object is mainly maintained by the enforcers themselves. Users can read the object in order to understand the current status of the enforcers.

Example

{ "FQDN": "server1.domain.com", "certificateRequest": "-----BEGIN CERTIFICATE REQUEST----- MIICvDCCAaQCAQAwdzELMAkGA1UEBhMCVVMxDTALBgNVBAgMBFV0YWgxDzANBgNV BAcMBkxpbmRvbjEWMBQGA1UECgwNRGlnaUNlcnQgSW5jLjERMA8GA1UECwwIRGln aUNlcnQxHTAbBgNVBAMMFGV4YW1wbGUuZGlnaWNlcnQuY29tMIIBIjANBgkqhkiG 9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8+To7d+2kPWeBv/orU3LVbJwDrSQbeKamCmo wp5bqDxIwV20zqRb7APUOKYoVEFFOEQs6T6gImnIolhbiH6m4zgZ/CPvWBOkZc+c 1Po2EmvBz+AD5sBdT5kzGQA6NbWyZGldxRthNLOs1efOhdnWFuhI162qmcflgpiI WDuwq4C9f+YkeJhNn9dF5+owm8cOQmDrV8NNdiTqin8q3qYAHHJRW28glJUCZkTZ wIaSR6crBQ8TbYNE0dc+Caa3DOIkz1EOsHWzTx+n0zKfqcbgXi4DJx+C1bjptYPR BPZL8DAeWuA8ebudVT44yEp82G96/Ggcf7F33xMxe0yc+Xa6owIDAQABoAAwDQYJ KoZIhvcNAQEFBQADggEBAB0kcrFccSmFDmxox0Ne01UIqSsDqHgL+XmHTXJwre6D hJSZwbvEtOK0G3+dr4Fs11WuUNt5qcLsx5a8uk4G6AKHMzuhLsJ7XZjgmQXGECpY Q4mC3yT3ZoCGpIXbw+iP3lmEEXgaQL0Tx5LFl/okKbKYwIqNiyKWOMj7ZR/wxWg/ ZDGRs55xuoeLDJ/ZRFf9bI+IaCUd1YrfYcHIl3G87Av+r49YVwqRDT0VDV7uLgqn 29XI1PpVUNCPQGn9p/eX6Qo7vpDaPybRtA2R7XLKjQaF9oXWeCUqy1hvJac9QFO2 97Ob1alpHPoZ7mWiEuJwjBPii6a9M9G30nUo39lBi1w= -----END CERTIFICATE REQUEST-----", "collectInfo": false, "detectedHostModeContainers": false, "enforcementStatus": "Inactive", "lastCollectionID": "xxx-xxx-xxx-xxx -", "logLevel": "Info", "logLevelDuration": "10s", "machineID": "3F23E8DF-C56D-45CF-89B8-A867F3956409", "migrationStatus": "None", "name": "the name", "operationalStatus": "Registered", "protected": false }

Relations

Retrieves the list of enforcers.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
Creates a new enforcer.
Deletes the enforcer with the given ID.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
Retrieves the enforcer with the given ID.
Updates the enforcer with the given ID.
Returns the list of enforcers that are affected by this mapping.
Returns the list of enforcers affected by an enforcer profile mapping.
Returns the list of enforcers that are affected by this mapping.
Returns a list of the audit profiles that must be applied to this enforcer.
Retrieves the list of debug bundles.
Uploads a debug bundle.
Returns the enforcer profile that must be used by an enforcer.
Sends an enforcer refresh command.
Returns a list of the host services policies that apply to this enforcer.
Parameters:
  • appliedServices (boolean): Valid when retrieved for a given enforcer and returns the applied services.
  • setServices (boolean): Instructs Microsegmentation Console to cache the services that were resolved.
Sends a poke empty object. This is used to ensure an enforcer is up and running.
Parameters:
Returns the list of certificate authorities that should be trusted by this enforcer.
Parameters:

Attributes

Type: string
Contains the fully qualified domain name (FQDN) of the server where the enforcer is running.
Type: string
Identifier of the object.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: string
The certificate of the enforcer.
Type: string
If not empty during a create or update operation, the provided certificate signing request (CSR) will be validated and signed by the Microsegmentation Console, providing a renewed certificate.
Type: boolean
Indicates to the enforcer whether or not it needs to collect information.
Represents the latest information collected by the enforcer.
Type: string
The Microsegmentation Console identifier managing this object. This property is mostly useful when federating multiple Microsegmentation Consoles.
Type: time
Creation date of the object.
Type: string
The version number of the installed enforcer binary.
Type: string
Description of the object.
Type: boolean
This field indicates whether the enforcer has detected host mode containers.
Status of the enforcement for host services.
Default value:
"Inactive"
Type: string
Identifies the last collection.
Type: time
Identifies when the information was collected.
Type: time
Last migration date of the enforcer.
Type: time
The time and date of the last heartbeat.
Type: string
Contains the initial chain of trust for the enforcer. This value is only given when you retrieve a single enforcer.
Log level of the enforcer.
Default value:
"Info"
Type: string
Determines the duration for which the log level will be active, using Golang duration syntax.
Default value:
"10s"
Type: string
A unique identifier for every machine as detected by the enforcer. It is based on hardware information such as the SMBIOS UUID, MAC addresses of interfaces, or cloud provider IDs.
Type: []string
Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
Defines the migration status.
Default value:
"None"
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: string
Defines the next version the enforcer will be migrated to.
Type: []string
Contains the list of normalized tags of the entities.
The status of the enforcer.
Default value:
"Registered"
Type: boolean
Defines if the object is protected.
Type: string
The public token of the server that will be included in the datapath and is signed by the private certificate authority.
Type: time
The time and date on which this enforcer was started. The enforcer reports this and the value is preserved across disconnects.
Type: []string
Local subnets of this enforcer.
Type: boolean
The Microsegmentation Console sets this value to true if it hasn’t heard from the enforcer in the last five minutes.
Type: time
Last update date of the object.

EnforcerLog

An enforcer log represents the log collected by an enforcer. Each enforcer log can have partial or complete data. The collectionID is used to aggregate the multipart data into one.

Example

{ "collectionID": "xxx-xxx-xxx-xxx", "enforcerID": "xxx-xxx-xxx-xxx", "protected": false }

Relations

Retrieves the list of enforcerlogs.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
Creates a new enforcerlog.
Retrieves the enforcerlog with the given ID.

Attributes

Type: string
Identifier of the object.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: string
Contains the ID of the enforcer log. CollectionID is used to aggregate the multipart data.
Type: time
Creation date of the object.
Type: string
Represents the data collected by the enforcer.
Type: string
ID of the enforcer.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
Type: integer
Number assigned to each log in increasing order.
Type: boolean
Defines if the object is protected.
Type: string
Title of the log.
Type: time
Last update date of the object.

EnforcerReport

Post a new enforcer statistics report.

Example

{ "CPULoad": 10, "enforcerID": "xxx-xxx-xxx-xxx", "licenseType": "Host", "memory": 10000, "name": "aporeto-enforcerd-xxx", "namespace": "/my/ns", "processes": 10, "timestamp": "2018-06-14T23:10:46.420397985Z" }

Relations

Create an enforcer statistics report.

Attributes

Type: float
Total CPU utilization of the enforcer as a percentage of vCPUs.
Type: string
Identifier of the object.
Type: string
ID of the enforcer.
Type of license for this enforcer.
Default value:
"Host"
Type: integer
Total resident memory used by the enforcer in bytes.
Type: string
Name of the enforcer.
Type: string
Namespace of the enforcer.
Type: integer
Number of active processes of the enforcer.
Type: time
Date of the report.

EnforcerTraceReport

Post a new enforcer trace that determines how packets are.

Example

{ "enforcerID": "5c6cce207ddf1fc159a104bf", "enforcerNamespace": "/acme/prod", "namespace": "/acme/prod/database", "puID": "5c6ccd947ddf1fc159a104b7" }

Relations

Create an enforcer trace report.

Attributes

Type: string
ID of the enforcer where the trace was collected.
Type: string
Namespace of the enforcer where the trace was collected.
Type: string
Namespace of the processing unit where the trace was collected.
Type: string
ID of the processing unit where the trace was collected.

PacketReport

Post a new packet tracing report.

Example

{ "destinationPort": 11000, "encrypt": false, "enforcerID": "xxxx-xxx-xxxx", "enforcerNamespace": "/my/namespace", "event": "Rcv", "mark": 123123, "namespace": "/my/namespace", "packetID": 12333, "protocol": 6, "puID": "xxx-xxx-xxx", "rawPacket": "abcd", "sourcePort": 80, "timestamp": "2018-06-14T23:10:46.420397985Z", "triremePacket": true }

Relations

Create a packet trace report.

Attributes

Type: string
Identifier of the object.
Type: integer
Flags are the TCP flags of the packet.
Type: []string
Claims is the list of claims detected for the packet.
Type: string
The destination IP address of the packet.
Type: integer
The destination port of a TCP or UDP packet.
Type: string
If event is set to Dropped, contains the reason that the packet was dropped. Otherwise empty.
Type: boolean
Set to true if the packet was encrypted.
Type: string
Identifier of the enforcer sending the report.
Type: string
Namespace of the enforcer sending the report.
The event that triggered the report.
Type: integer
Mark is the mark value of the packet.
Type: string
Namespace of the processing unit reporting the packet.
Type: integer
The ID of the IP header of the reported packet.
Type: integer
Protocol number.
Type: string
The ID of the processing unit reporting the packet.
Type: string
The first 64 bytes of the packet.
Default value:
"abcd"
Type: string
The source IP address of the packet.
Type: integer
The source port of the packet.
Type: time
The time-date stamp of the report.
Type: boolean
Set to true if the packet arrived with the Trireme options (default).
Default value:
true
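As an added illustration (not code from the original page or from the Microsegmentation Console project), the Python script below parses a few constructed PacketReport records of the shape shown in the example above and summarises them the way a defender triaging enforcer output would: which enforcers are dropping packets, for which reasons, and which processing units see the same drop repeatedly. Field names follow the example record on this page; the one assumption is the name `dropReason` for the attribute the page describes as "If event is set to Dropped, contains the reason that the packet was dropped", since the example record does not show it.

```python
"""Summarise PacketReport records (added example, not part of the page or project).

The input below is constructed newline-delimited JSON. Field names follow the
PacketReport example on the page; ``dropReason`` is an assumed name for the
attribute described as "If event is set to Dropped, contains the reason".
"""
import json
from collections import Counter, defaultdict

# IANA protocol numbers, only for readable output.
PROTOCOL_NAMES = {6: "TCP", 17: "UDP"}

# Constructed sample: four reports from two enforcers plus one malformed line
# to show that a broken record is skipped rather than aborting the run.
SAMPLE_REPORTS = """
{"enforcerID": "enf-A", "enforcerNamespace": "/my/namespace", "event": "Rcv", "protocol": 6, "sourcePort": 80, "destinationPort": 11000, "puID": "pu-1", "encrypt": false, "triremePacket": true, "timestamp": "2018-06-14T23:10:46Z"}
{"enforcerID": "enf-A", "enforcerNamespace": "/my/namespace", "event": "Dropped", "dropReason": "invalid token", "protocol": 6, "sourcePort": 443, "destinationPort": 52010, "puID": "pu-1", "encrypt": false, "triremePacket": true, "timestamp": "2018-06-14T23:10:47Z"}
{"truncated record that never closed
{"enforcerID": "enf-A", "enforcerNamespace": "/my/namespace", "event": "Dropped", "dropReason": "invalid token", "protocol": 17, "sourcePort": 53, "destinationPort": 40000, "puID": "pu-1", "encrypt": false, "triremePacket": false, "timestamp": "2018-06-14T23:10:48Z"}
{"enforcerID": "enf-B", "enforcerNamespace": "/other", "event": "Dropped", "dropReason": "policy", "protocol": 6, "sourcePort": 22, "destinationPort": 60001, "puID": "pu-3", "encrypt": false, "triremePacket": true, "timestamp": "2018-06-14T23:11:00Z"}
"""

# Fields every report must carry before we trust it for aggregation.
REQUIRED = ("enforcerID", "event", "protocol", "sourcePort", "destinationPort", "puID")


def parse_reports(text):
    """Parse newline-delimited JSON into dicts, skipping malformed or incomplete lines."""
    reports = []
    for line in text.strip().splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and all(k in rec for k in REQUIRED):
            reports.append(rec)
    return reports


def describe(rec):
    """One-line, human-readable rendering of a single report."""
    proto = PROTOCOL_NAMES.get(rec["protocol"], str(rec["protocol"]))
    line = (f'{rec["enforcerID"]} {proto} {rec["sourcePort"]}->{rec["destinationPort"]} '
            f'pu={rec["puID"]} {rec["event"]}')
    if rec["event"] == "Dropped":
        # dropReason is only meaningful for Dropped events; treat absence as unknown.
        line += f' ({rec.get("dropReason", "unknown")})'
    return line


def drop_summary(reports):
    """Return {enforcerID: Counter(dropReason)} over events marked Dropped."""
    summary = defaultdict(Counter)
    for rec in reports:
        if rec["event"] == "Dropped":
            summary[rec["enforcerID"]][rec.get("dropReason", "unknown")] += 1
    return dict(summary)


def repeated_drops(reports, threshold=2):
    """Return sorted (enforcerID, puID, dropReason) tuples seen at least `threshold` times.

    The same reason recurring on one processing unit is the first thing to look at:
    typically a misconfigured policy or a peer presenting tokens the enforcer rejects.
    """
    counts = Counter()
    for rec in reports:
        if rec["event"] == "Dropped":
            counts[(rec["enforcerID"], rec["puID"], rec.get("dropReason", "unknown"))] += 1
    return sorted(key for key, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    parsed = parse_reports(SAMPLE_REPORTS)
    for r in parsed:
        print(describe(r))
    print("drops by enforcer and reason:", drop_summary(parsed))
    print("repeated drops:", repeated_drops(parsed))
```

Run it as a script to see the per-record lines followed by the two aggregates; in practice the `SAMPLE_REPORTS` string would be replaced by reports read from the console, and `repeated_drops` is the list worth turning into an alert.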

PingPair

Represents a pair of ping probes.

Attributes

Type: pingprobe
Contains the request probe information.
Type: pingprobe
Contains the response probe information.

PingProbe

Represents the result of a unique ping probe. They are aggregated into a PingResult.

Example

{ "applicationListening": false, "claimsType": [ "Transmitted" ], "enforcerID": "xxx-xxx-xxx-xxx", "enforcerNamespace": "/my/ns", "excludedNetworks": false, "isServer": false, "payloadSizeType": [ "Transmitted" ], "pingID": "xxx-xxx-xxx-xxx", "remoteEndpointType": [ "External" ], "remoteNamespaceType": [ "Plain" ], "targetTCPNetworks": false, "type": [ "Request" ] }

Relations

Retrieves a ping result.

Attributes

Type: string
Action of the ACL policy.
Type: string
ID of the ACL policy.
Type: string
Identifier of the object.
Type: string
Time taken for a single request-response to complete.
Type: boolean
If true, application responded to the request.
Type: []string
Claims of the processing unit.
Type of claims reported.
Type: time
Creation date of the object.
Type: string
ID of the enforcer.
Type: string
Namespace of the enforcer.
Type: string
Semantic version of the enforcer.
Type: string
A non-empty error indicates a failure.
Type: boolean
If true, destination IP is in excludedNetworks.
Type: string
Four tuple in the format <sip:dip:spt:dpt>.
Type: boolean
If true, the report was generated by the server.
Type: integer
Holds the iteration number this probe is attached to.
Type: string
Namespace tag attached to an entity.
Type: integer
Size of the payload attached to the packet.
Type of the payload size.
Type: string
Represents the expiry of the peer certificate.
Type: string
Represents the issuer of the peer certificate.
Type: string
Represents the subject of the peer certificate.
Type: string
PingID unique to a single ping control.
Type: string
Action of the policy.
Type: string
ID of the policy.
Type: string
ID of the policy.
Type: string
ID of the reporting processing unit.
Type: integer
Protocol used for the communication.
Type: string
Controller of the remote endpoint.
Represents the remote endpoint type.
Type: string
Namespace of the remote processing unit.
Type of the namespace reported.
Type: string
ID of the remote processing unit.
Type: integer
Sequence number of the TCP packet.
Type: string
ID of the service, if the service type is a proxy.
Type: string
Type of the service.
Type: boolean
If true, destination IP is in targetTCPNetworks.
Type: