Policy resources

policy/access

AccessReport

Represents any access made by the user.

Example

{ "action": "Accept", "enforcerID": "xxx-xxx-xxx", "enforcerNamespace": "/my/namespace", "processingUnitID": "xxx-xxx-xxx-xxx", "processingUnitName": "pu1", "processingUnitNamespace": "/my/ns", "type": "SSHLogin" }

Relations

Create an access report.

Attributes

Type: string
Identifier of the object.
Action applied to the access.
Type: string
Hash of the claims used to communicate.
Type: string
Identifier of the enforcer.
Type: string
Namespace of the enforcer.
Type: string
ID of the processing unit of the report.
Type: string
Name of the processing unit of the report.
Type: string
Namespace of the processing unit of the report.
Type: string
This field is only set if action is set to Reject. It specifies the reason for the rejection.
Type: time
Date of the report.

UserAccessPolicy

The enforcer policy that controls user access.

Example

{ "disabled": false, "name": "the name", "propagate": false, "protected": false }

Relations

Retrieves the list of user access policies.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
  • propagated (boolean): Also retrieve the objects that propagate down.
Creates a new enforcer policy.
Deletes the policy with the given ID.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
Retrieves the policy with the given ID.
Parameters:
Updates the policy with the given ID.

Attributes

Type: string
Identifier of the object.
Type: string
Defines for how long the policy will be active according to the activeSchedule.
Type: string
Defines when the policy should be active using the cron notation. The policy will be active for the given activeDuration.
Type: []string
Indicates the list of user who can use sudo commands.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: time
Creation date of the object.
Type: string
Description of the object.
Type: boolean
Defines if the property is disabled.
Type: time
If set the policy will be automatically deleted after the given time.
Type: []string
Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
Contains the tag expression matching the enforcers the subject is allowed to connect to.
Type: boolean
Propagates the policy to all of its children.
Type: boolean
Defines if the object is protected.
Contains the tag expression the tags need to match for the policy to apply.
Type: time
Last update date of the object.

policy/audit

AuditProfile

A set of audit rules that determine the types of events that must be captured in the kernel.

Example

{ "name": "the name", "propagate": false, "protected": false }

Relations

Retrieves the list of audit profiles.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
  • propagated (boolean): Also retrieve the objects that propagate down.
Creates a new audit profile.
Deletes the profile with the given ID.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
Retrieves the object with the given ID.
Parameters:
Updates the profile with the given ID.
Returns the list of audit profiles that are referred to by this mapping.
Returns a list of the audit profiles that must be applied to this enforcer.

Attributes

Type: string
Identifier of the object.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: time
Creation date of the object.
Type: string
Description of the object.
Type: []string
Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
Type: boolean
Propagates the policy to all of its children.
Type: boolean
Defines if the object is protected.
List of audit rules associated with this profile.
Type: time
Last update date of the object.

AuditProfileMappingPolicy

Use an audit profile mapping to define the set of enforcers that must implement a specific audit profile.

Example

{ "disabled": false, "fallback": false, "name": "the name", "propagate": false, "protected": false }

Relations

Retrieves the list of audit profile mapping policies.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
  • propagated (boolean): Also retrieve the objects that propagate down.
Creates a new audit profile mapping policy.
Deletes the mapping with the given ID.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
Retrieves the mapping with the given ID.
Parameters:
Updates the mapping with the given ID.
Returns the list of audit profiles that are referred to by this mapping.
Returns the list of enforcers that are affected by this mapping.

Attributes

Type: string
Identifier of the object.
Type: string
Defines for how long the policy will be active according to the activeSchedule.
Type: string
Defines when the policy should be active using the cron notation. The policy will be active for the given activeDuration.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: time
Creation date of the object.
Type: string
Description of the object.
Type: boolean
Defines if the property is disabled.
Type: boolean
Indicates that this is fallback policy. It will only be applied if no other policies have been resolved. If the policy is also propagated it will become a fallback for children namespaces.
Type: []string
Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
The tag or tag expression that identifies the audit profile to be mapped.
Type: boolean
Propagates the policy to all of its children.
Type: boolean
Defines if the object is protected.
The tag or tag expression that identifies the enforcer(s) to implement the audit profile.
Type: time
Last update date of the object.

AuditReport

Post a new audit report.

Example

{ "AUID": "xxx-xxx", "CWD": "/etc", "EXE": "/bin/ls", "a0": "xxx-xxx", "a1": "xxx-xxx", "a2": "xxx-xxx", "a3": "xxx-xxx", "arch": "x86_64", "auditProfileID": "xxx-xxx-xxx-xxx", "auditProfileNamespace": "/my/ns", "command": "ls", "enforcerID": "xxx-xxx-xxx-xxx", "enforcerNamespace": "/my/ns", "processingUnitID": "xxx-xxx-xxx-xxx", "processingUnitNamespace": "/my/ns", "recordType": "Syscall", "success": false, "syscall": "execve", "timestamp": "2018-06-14T23:10:46.420397985Z" }

Relations

Create a audit statistics report.

Attributes

Type: string
The login ID of the user who started the audited process.
Type: string
Command working directory.
Type: integer
Effective group ID of the user who started the audited process.
Type: integer
Effective user ID of the user who started the audited process.
Type: string
Path to the executable.
Type: integer
File system group ID of the user who started the audited process.
Type: integer
File system user ID of the user who started the audited process.
Type: string
Full path of the file that was passed to the system call.
Type: integer
Group ID of the user who started the analyzed process.
Type: string
Identifier of the object.
Type: integer
File or directory permissions.
Type: integer
Process ID of the executable.
Type: integer
Process ID of the parent executable.
Type: integer
Set group ID of the user who started the audited process.
Type: integer
Set user ID of the user who started the audited process.
Type: integer
User ID.
Type: string
First argument of the executed system call.
Type: string
Second argument of the executed system call.
Type: string
Third argument of the executed system call.
Type: string
Fourth argument of the executed system call.
Type: string
Architecture of the system of the monitored process.
Type: []string
Arguments passed to the command.
Type: string
ID of the audit profile that triggered the report.
Type: string
Namespace of the audit profile that triggered the report.
Type: string
Command issued.
Type: string
ID of the enforcer reporting.
Type: string
Namespace of the enforcer reporting.
Type: integer
Exit code of the executed system call.
Type: string
ID of the processing unit originating the report.
Type: string
Namespace of the processing unit originating the report.
Type: string
Type of audit record.
Type: integer
Needs documentation.
Type: boolean
Tells if the operation has been a success or a failure.
Type: string
System call executed.
Type: time
Date of the report.

policy/authorization

APIAuthorizationPolicy

An API authorization defines the operations a user can perform in a namespace: GET, POST, PUT, DELETE, PATCH, and/or HEAD. It is also possible to restrict the user to a subset of the APIs in the namespace by setting authorizedIdentities. An API authorization always propagates down to all the children of the current namespace.

Example

{ "authorizedIdentities": [ "@auth:role=namespace.administrator" ], "authorizedNamespace": "/namespace", "disabled": false, "fallback": false, "name": "the name", "propagationHidden": false, "protected": false }

Relations

Retrieves the list of API authorizations.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
  • propagated (boolean): Also retrieve the objects that propagate down.
Creates a new API authorization.
Deletes the authorization with the given ID.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
Retrieves the authorization with the given ID.
Updates the authorization with the given ID.

Attributes

Type: string
Identifier of the object.
Type: string
Defines for how long the policy will be active according to the activeSchedule.
Type: string
Defines when the policy should be active using the cron notation. The policy will be active for the given activeDuration.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: []string
A list of roles assigned to the user.
Type: string
Defines the namespace the user is authorized to access.
Type: []string
If set, the API authorization will only be valid if the request comes from one the declared subnets.
Type: time
Creation date of the object.
Type: string
Description of the object.
Type: boolean
Defines if the property is disabled.
Type: time
If set, the policy will be automatically deleted after the given time.
Type: boolean
Indicates that this is fallback policy. It will only be applied if no other policies have been resolved. If the policy is also propagated it will become a fallback for children namespaces.
Type: []string
Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
Type: boolean
If set to true while the policy is propagating, it won’t be visible to children namespace, but still used for policy resolution.
Type: boolean
Defines if the object is protected.
A tag or tag expression that identifies the authorized user(s).
Type: time
Last update date of the object.

APICheck

Allows you to verify if a client identified by his token is allowed to do some operations on some APIs.

Example

{ "namespace": "/namespace", "operation": "Create", "targetIdentities": [ "processingunit", "enforcer" ] }

Relations

Verifies the authorizations on various identities for a given token.

Attributes

Contains the results of the check.
Type: string
The namespace to use to check the API authorization.
Type: []string
Contains the list of identities you want to check the authorization of.

AppCredential

Create an app credential.

Example

{ "CSR": "-----BEGIN CERTIFICATE REQUEST----- MIICvDCCAaQCAQAwdzELMAkGA1UEBhMCVVMxDTALBgNVBAgMBFV0YWgxDzANBgNV BAcMBkxpbmRvbjEWMBQGA1UECgwNRGlnaUNlcnQgSW5jLjERMA8GA1UECwwIRGln aUNlcnQxHTAbBgNVBAMMFGV4YW1wbGUuZGlnaWNlcnQuY29tMIIBIjANBgkqhkiG 9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8+To7d+2kPWeBv/orU3LVbJwDrSQbeKamCmo wp5bqDxIwV20zqRb7APUOKYoVEFFOEQs6T6gImnIolhbiH6m4zgZ/CPvWBOkZc+c 1Po2EmvBz+AD5sBdT5kzGQA6NbWyZGldxRthNLOs1efOhdnWFuhI162qmcflgpiI WDuwq4C9f+YkeJhNn9dF5+owm8cOQmDrV8NNdiTqin8q3qYAHHJRW28glJUCZkTZ wIaSR6crBQ8TbYNE0dc+Caa3DOIkz1EOsHWzTx+n0zKfqcbgXi4DJx+C1bjptYPR BPZL8DAeWuA8ebudVT44yEp82G96/Ggcf7F33xMxe0yc+Xa6owIDAQABoAAwDQYJ KoZIhvcNAQEFBQADggEBAB0kcrFccSmFDmxox0Ne01UIqSsDqHgL+XmHTXJwre6D hJSZwbvEtOK0G3+dr4Fs11WuUNt5qcLsx5a8uk4G6AKHMzuhLsJ7XZjgmQXGECpY Q4mC3yT3ZoCGpIXbw+iP3lmEEXgaQL0Tx5LFl/okKbKYwIqNiyKWOMj7ZR/wxWg/ ZDGRs55xuoeLDJ/ZRFf9bI+IaCUd1YrfYcHIl3G87Av+r49YVwqRDT0VDV7uLgqn 29XI1PpVUNCPQGn9p/eX6Qo7vpDaPybRtA2R7XLKjQaF9oXWeCUqy1hvJac9QFO2 97Ob1alpHPoZ7mWiEuJwjBPii6a9M9G30nUo39lBi1w= -----END CERTIFICATE REQUEST-----", "disabled": false, "name": "the name", "protected": false, "roles": [ "@auth:role=enforcer", "@auth:role=kubesquall" ] }

Relations

Retrieves the list of app credentials.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
Creates a new app credential.
Deletes the app credential with the given ID.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
Retrieves the app credential with the given ID.
Updates the app credential with the given ID.

Attributes

Type: string
Contains a PEM-encoded certificate signing request (CSR). It can only be set during a renew.
If you send anything else, the signing request will be rejected.
Type: string
Identifier of the object.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: []string
If set, the app credential will only be valid if the request comes from one the declared subnets.
Type: string
The string representation of the certificate used by the app credential.
Type: time
Creation date of the object.
The app credential data.
Type: string
Description of the object.
Type: boolean
Defines if the property is disabled.
Type: string
The email address that will receive a copy of the app credential.
Type: string
If set, this will limit the maximum validity of the token issued from this app credential. This information will be embedded into the delivered certificate and cannot be changed once set. In order to change it, you need to renew the certificate.
Type: []string
Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
Type: []string
Contains the ID of the parent app credential if this is a derived app credential.
Type: boolean
Defines if the object is protected.
Type: []string
List of roles to give the app credential.
Type: time
Last update date of the object.

Credential

Represents an app credential.

Attributes

Type: string
The URL of the Microsegmentation Console API.
Type: string
The ID of the app credential.
Type: string
The base64-encoded certificate.
Type: string
The base64-encoded certificate authority.
Type: string
The base64-encoded certificate key.
Type: string
The name of the app credential.
Type: string
The namespace of the app credential.

Role

Returns the available roles that can be used with API authorizations.

Relations

Retrieves the list of existing roles.

Attributes

Authorizations of the role.
Type: string
Description of the role.
Type: string
Key of the role.
Type: string
Name of the role.
Type: boolean
Set to true to make the role private and hidden from the UI.

policy/dns

DNSLookupReport

A DNS lookup report is used to report a DNS lookup that is happening on behalf of a processing unit. If the DNS server is on the standard UDP port 53 then the enforcer can proxy the DNS traffic and make a report. The report indicate whether or not the lookup was successful.

Example

{ "action": "Accept", "enforcerNamespace": "/my/namespace", "processingUnitID": "xxx-xxx-xxx", "processingUnitNamespace": "/my/namespace", "resolvedName": "www.google.com", "sourceIP": "10.0.0.1", "value": 1 }

Relations

Create a DNS Lookup report.

Attributes

Type: string
Identifier of the object.
Action of the DNS request.
Type: string
ID of the enforcer.
Type: string
Namespace of the enforcer.
Type: string
Namespace tag attached to an entity.
Type: string
ID of the PU.
Type: string
Namespace of the PU. This is deprecated. Use namespace instead.
Type: string
This field is only set when the lookup fails. It specifies the reason for the failure.
Type: string
name used for DNS resolution.
Type: string
Type of the source.
Type: time
Time and date of the log.
Type: integer
Number of times the client saw this activity.

policy/enforcerconfig

EnforcerProfile

Allows you to create reusable configuration profiles for your enforcers. Enforcer profiles contain various startup information that can (for some) be updated live. Enforcer profiles are assigned to enforcers using a enforcer profile mapping.

Example

{ "kubernetesMetadataExtractor": "PodAtomic", "kubernetesSupportEnabled": false, "metadataExtractor": "Docker", "name": "the name", "propagate": false, "protected": false }

Relations

Retrieves the list of enforcer profiles.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
  • propagated (boolean): Also retrieve the objects that propagate down.
Creates a new enforcer profile.
Deletes the enforcer profile with the given ID.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
Retrieves the enforcer profile with the given ID.
Parameters:
Updates the enforcer profile with the given ID.
Returns the list of enforcer profiles that an enforcer profile mapping matches.
Returns the enforcer profile that must be used by a enforcer.

Attributes

Type: string
Identifier of the object.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: time
Creation date of the object.
Type: string
Description of the object.
Type: []string
Ignore traffic with a source or destination matching the specified interfaces.
Type: []string
Ignore any networks specified here and do not even report any flows. This can be useful for excluding localhost loopback traffic, ignoring traffic to the Kubernetes API, and using Microsegmentation for SSH only.
A tag expression that identifies processing units to ignore. This can be useful to exclude kube-system pods, AWS EC2 agent pods, and third-party agents.
This field is kept for backward compatibility for enforcers <= 3.5.
Default value:
"PodAtomic"
Type: boolean
This field is kept for backward compatibility for enforcers <= 3.5.
Type: []string
Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
This field is kept for backward compatibility for enforcers <= 3.5.
Default value:
"Docker"
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
Type: boolean
Propagates the policy to all of its children.
Type: boolean
Defines if the object is protected.
Type: []string
If empty, the enforcer auto-discovers the TCP networks. Auto-discovery works best in Kubernetes and OpenShift deployments. You may need to manually specify the TCP networks if middle boxes exist that do not comply with TCP Fast Open RFC 7413.
Type: []string
If empty, the enforcer enforces all UDP networks. This works best when all UDP networks have enforcers. If some UDP networks do not have enforcers, you may need to manually specify the UDP networks that should be enforced.
Type: []string
List of trusted certificate authorities. If empty, the main chain of trust will be used.
Type: time
Last update date of the object.

EnforcerProfileMappingPolicy

Allows you to map an enforcer profile to one or more enforcers. The mapping can also be propagated down to the child namespace.

Example

{ "disabled": false, "fallback": false, "name": "the name", "object": [ [ "a=a", "b=b" ], [ "c=c" ] ], "propagate": false, "protected": false, "subject": [ [ "a=a", "b=b" ], [ "c=c" ] ] }

Relations

Retrieves the list of enforcer profile mappings.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
  • propagated (boolean): Also retrieve the objects that propagate down.
Creates a new enforcer profile mappings.
Deletes the mapping with the given ID.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
Retrieves the mapping with the given ID.
Updates the mapping with the given ID.
Returns the list of enforcer profiles that an enforcer profile mapping matches.
Returns the list of enforcers affected by an enforcer profile mapping.

Attributes

Type: string
Identifier of the object.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: time
Creation date of the object.
Type: string
Description of the object.
Type: boolean
Defines if the property is disabled.
Type: boolean
Indicates that this is fallback policy. It will only be applied if no other policies have been resolved. If the policy is also propagated it will become a fallback for children namespaces.
Type: []string
Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
The tag or tag expression that identifies the enforcer profile to be mapped.
Type: boolean
Propagates the policy to all of its children.
Type: boolean
Defines if the object is protected.
The tag or tag expression that identifies the enforcers that should implement the mapped profile.
Type: time
Last update date of the object.

TrustedCA

Represents a trusted certificate authority (CA).

Relations

Retrieves the trusted CAs of a namespace.
Parameters:
Returns the list of certificate authorities that should be trusted by this enforcer.
Parameters:
Returns the list of trusted CAs for this namespace.
Parameters:

Attributes

Type: string
The private certificate of the corresponding type associated with this namespace.
Type: string
The controller that this certificate or CA was issued from.
Type: string
The namespace that this certificate or CA was defined at.
Type: string
The ID of namespace that this certificate or CA was defined at.
Type: string
SerialNumber is the serial number of the certificate.
Type of the certificate.

TrustedNamespace

This object allows you to declare trust between namespaces that are cryptographically isolated. The namespaces can be local or served by different Microsegmentation Console controllers.

Example

{ "certificateAuthority": "-----BEGIN CERTIFICATE----- MIIBbjCCARSgAwIBAgIRANRbvVzTzBZOvMCb8BiKCLowCgYIKoZIzj0EAwIwJjEN MAsGA1UEChMEQWNtZTEVMBMGA1UEAxMMQWNtZSBSb290IENBMB4XDTE4MDExNTE4 NDgwN1oXDTI3MTEyNDE4NDgwN1owJjENMAsGA1UEChMEQWNtZTEVMBMGA1UEAxMM QWNtZSBSb290IENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJ/80HR51+vau 7XH7zS7b8ABA0e/TdBOg1NznbnXdXil1tDvWloWuH5+/bbaiEg54wksJHFXaukw8 jhTLU7zT56MjMCEwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wCgYI KoZIzj0EAwIDSAAwRQIhALwAZh2KLFFC1qfb5CqFHExlXS0PUltax9PvQCN9P0vl AiBl7/st9u/JpERjJgirxJxOgKNlV6pq9ti75EfQtZZcQA== -----END CERTIFICATE-----", "name": "the name", "protected": false }

Relations

Retrieves the list of trusted namespaces.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
  • propagated (boolean): Also retrieve the objects that propagate down.
Creates a new trusted namespace.
Delete the trusted namespace with the given ID.
Retrieve the trusted namespace with the given ID.
Update the trusted namespace with the given ID.

Attributes

Type: string
Identifier of the object.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: string
Contains the PEM block of the certificate authority trusted namespace.
Type: time
Creation date of the object.
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
Type: boolean
Propagates the object to all of its children.
Default value:
true
Type: boolean
Defines if the object is protected.
Type: string
The controller declared in the certificate authority.
Type: string
The namespace declared in the certificate authority.
Type: string
The serial number of the CA.
Type: time
Last update date of the object.

policy/files

FileAccessPolicy

A file access policy allows processing units to access various folder and files. It will use the tags of a file path to know what is the path of the file or folder to allow access to. You can allow the processing unit to have any combination of read, write, or execute.
When a processing unit is a Docker container, then it will police the volumes. Mount and execute won’t have any effect.
File paths are not supported yet for standard Linux processes.

Example

{ "allowsExecute": false, "allowsRead": false, "allowsWrite": false, "disabled": false, "encryptionEnabled": false, "fallback": false, "logsEnabled": false, "name": "the name", "propagate": false, "protected": false }

Relations

Retrieves the list of file access policies.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
  • propagated (boolean): Also retrieve the objects that propagate down.
Creates a new file access policies.
Deletes the policy with the given ID.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
Retrieves the policy with the given ID.
Updates the policy with the given ID.
Returns the list of file paths that match the policy.
Returns the list of processing units that match the policy.

Attributes

Type: string
Identifier of the object.
Type: string
Defines for how long the policy will be active according to the activeSchedule.
Type: string
Defines when the policy should be active using the cron notation. The policy will be active for the given activeDuration.
Type: boolean
Allows files to be executed.
Type: boolean
Allows files to be read.
Type: boolean
Allows files to be written.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: time
Creation date of the object.
Type: string
Description of the object.
Type: boolean
Defines if the property is disabled.
Type: boolean
Set to true to enable automatic encryption.
Type: time
If set the policy will be automatically deleted after the given time.
Type: boolean
Indicates that this is fallback policy. It will only be applied if no other policies have been resolved. If the policy is also propagated it will become a fallback for children namespaces.
Type: boolean
A value of true enables logging.
Type: []string
Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
The object of the policy.
Type: boolean
Propagates the policy to all of its children.
Type: boolean
Defines if the object is protected.
The subject of the policy.
Type: time
Last update date of the object.

FileAccessReport

Post a new file access report.

Example

{ "action": "Accepted", "host": "localhost", "mode": "rxw", "path": "/etc/passwd", "processingUnitID": "xxx-xxx-xxx-xxx", "processingUnitNamespace": "/my/ns", "timestamp": "2018-06-14T23:10:46.420397985Z" }

Relations

Create a file access statistics report.

Attributes

Type: string
Identifier of the object.
Type: string
Host storing the file.
Default value:
"localhost"
Type: string
Mode of file access.
Default value:
"rxw"
Type: string
Path of the file.
Default value:
"/etc/passwd"
Type: string
ID of the processing unit.
Type: string
Namespace of the processing unit.
Type: time
Date of the report.

FilePath

A file path represents a random path to a file or a folder. They can be used in file access policies to allow processing units to access them, using various modes (read, write, execute). You will need to use the file paths tags to set some policies. A good example would be volume=web or file=/etc/passwd.

Example

{ "filepath": "/etc/passwd", "name": "the name", "propagate": false, "protected": false }

Relations

Retrieves the list of file paths.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
  • archived (boolean): Also retrieve the objects that have been archived.
  • propagated (boolean): Also retrieve the objects that propagate down.
Create a new file path.
Deletes the object with the given ID.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
Retrieves the object with the given ID.
Parameters:
Updates the object with the given ID.
Returns the list of file paths that match the policy.

Attributes

Type: string
Identifier of the object.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: time
Creation date of the object.
Type: string
Description of the object.
Type: string
FilePath refer to the file mount path.
Type: []string
Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
Type: boolean
Propagates the policy to all of its children.
Type: boolean
Defines if the object is protected.
Type: string
server is the server name/ID/IP associated with the file path.
Type: time
Last update date of the object.

policy/hooks

HookPolicy

Allows you to define hooks to the write operations in squall. Hooks are sent to an external Rufus server that will do the processing and eventually return a modified version of the object before we save it.

Example

{ "certificateAuthority": "-----BEGIN CERTIFICATE----- MIIBbjCCARSgAwIBAgIRANRbvVzTzBZOvMCb8BiKCLowCgYIKoZIzj0EAwIwJjEN MAsGA1UEChMEQWNtZTEVMBMGA1UEAxMMQWNtZSBSb290IENBMB4XDTE4MDExNTE4 NDgwN1oXDTI3MTEyNDE4NDgwN1owJjENMAsGA1UEChMEQWNtZTEVMBMGA1UEAxMM QWNtZSBSb290IENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJ/80HR51+vau 7XH7zS7b8ABA0e/TdBOg1NznbnXdXil1tDvWloWuH5+/bbaiEg54wksJHFXaukw8 jhTLU7zT56MjMCEwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wCgYI KoZIzj0EAwIDSAAwRQIhALwAZh2KLFFC1qfb5CqFHExlXS0PUltax9PvQCN9P0vl AiBl7/st9u/JpERjJgirxJxOgKNlV6pq9ti75EfQtZZcQA== -----END CERTIFICATE-----", "clientCertificate": "-----BEGIN CERTIFICATE----- MIIBczCCARigAwIBAgIRALD3Vz81Pq10g7n4eAkOsCYwCgYIKoZIzj0EAwIwJjEN MAsGA1UEChMEQWNtZTEVMBMGA1UEAxMMQWNtZSBSb290IENBMB4XDTE4MDExNzA2 NTM1MloXDTI3MTEyNjA2NTM1MlowGDEWMBQGA1UEAxMNY2xhaXJlLWNsaWVudDBZ MBMGByqGSM49AgEGCCqGSM49AwEHA0IABOmzPJj+t25T148eQH5gVrZ7nHwckF5O evJQ3CjSEMesjZ/u7cW8IBfXlxZKHxl91IEbbB3svci4c8pycUNZ2kujNTAzMA4G A1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAA MAoGCCqGSM49BAMCA0kAMEYCIQCjAAmkQpTua0HR4q6jnePaFBp/JMXwTXTxzbV6 peGbBQIhAP+1OR8GFnn2PlacwHqWXHwkvy6CLPVikvgtwEdB6jH8 -----END CERTIFICATE-----", "clientCertificateKey": "-----BEGIN EC PRIVATE KEY----- MHcCAQEEIGOXJI/123456789oamOu4tQAIKFdbyvkIJg9GME0mHzoAoGCCqGSM49 AwEHoUQDQgAE6bM8mP123456789AfmBWtnucfByQXk568lDcKNIQx6yNn+7txbwg F9eXFkofGX3UgRtsHe123456789xQ1naSw== -----END EC PRIVATE KEY-----", "continueOnError": false, "disabled": false, "endpoint": "https://hooks.hookserver.com/remoteprocessors", "endpointType": "URL", "fallback": false, "mode": "Pre", "name": "the name", "propagate": false, "propagationHidden": false, "protected": false, "selectors": [ [ "automation:name=myautomation" ] ], "subject": [ [ "$identity=processingunit" ] ] }

Relations

Retrieves the list of hooks.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
  • propagated (boolean): Also retrieve the objects that propagate down.
Creates a new hook.
Deletes the hook with the given ID.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
Retrieves the hook with the given ID.
Updates the hook with the given ID.

Attributes

Type: string
Identifier of the object.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: string
Contains the PEM block of the certificate authority used by the remote endpoint.
Type: string
Contains the client certificate that will be used to connect to the remote endpoint. If provided, the private key associated with this certificate must also be configured.
Type: string
Contains the key associated with the clientCertificate. It must be provided only when clientCertificate has been configured.
Type: boolean
If set to true and mode is in Pre, the request will be honored even if calling the hook fails.
Type: time
Creation date of the object.
Type: string
Description of the object.
Type: boolean
Defines if the property is disabled.
Type: string
Contains the full address of the remote processor endpoint.
Defines the type of endpoint for the hook.
Default value:
"URL"
Type: time
If set the hook will be automatically deleted after the given time.
Type: boolean
Indicates that this is fallback policy. It will only be applied if no other policies have been resolved. If the policy is also propagated it will become a fallback for children namespaces.
Type: []string
Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
Defines the type of hook.
Default value:
"Pre"
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
Type: boolean
Propagates the policy to all of its children.
Type: boolean
If set to true while the policy is propagating, it won’t be visible to children namespace, but still used for policy resolution.
Type: boolean
Defines if the object is protected.
A tag or tag expression that identifies the automation that must be run in case no endpoint is provided.
Contains the tag expression that an object must match in order to trigger the hook.
Type: []string
Select on which operation(s) you want to the hook to trigger. An empty list. Only means all operations. You can only set any combination of create, update or delete. Any other value will trigger a validation error.
Type: time
Last update date of the object.

RemoteProcessor

Hook to integrate a Microsegmentation service.

Example

{ "claims": [ "@auth:realm=certificate", "@auth:commonname=john" ], "input": "{ \"name\": \"hello\", \"description\": \"hello\", }", "mode": "Pre", "namespace": "/my/namespace", "operation": "create", "targetIdentity": "processingunit" }

Relations

This should be be here.

Attributes

Type: []string
Represents the claims of the currently managed object.
Represents data received from the service.
Defines the hook’s type.
Type: string
Represents the current namespace.
Defines the operation that is currently handled by the service.
Returns OutputData filled with the processor information.
Type: string
Gives the ID of the request coming from the main server.
Type: string
Represents the identity name of the managed object.

policy/hosts

HostService

Represents services that a host must expose and protect.

Example

{ "hostModeEnabled": false, "name": "the name", "propagate": false, "protected": false }

Relations

Retrieves the list of host services.
Parameters:
Creates a new host service.
Deletes the host service with the given ID.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
Retrieves the host service with the given ID.
Parameters:
Updates the host service with the given ID.
Returns a list of the host services policies that apply to this enforcer.
Parameters:
  • appliedServices (boolean): Valid when retrieved for a given enforcer and returns the applied services.
  • setServices (boolean): Instructs Microsegmentation Console to cache the services that were resolved.
Returns the list of host services that are referenced by this mapping.

Attributes

Type: string
Identifier of the object.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: time
Creation date of the object.
Type: string
Description of the object.
Type: boolean
Forces the corresponding enforcers to enable host protection. When true, all incoming and outgoing flows will be monitored. Flows will be allowed if and only if a network policy has been created to allow the flow. The option applies to all enforcers to which the host service is mapped.
Type: []string
Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
Type: boolean
Propagates the policy to all of its children.
Type: boolean
Defines if the object is protected.
Type: []string
Lists all protocols and ports a service is running. A service entry can be defined by a protocol and port (tcp/80), or range of protocol/port pairs (udp/80:100). If no protocol is provided, it is assumed to be TCP. Only tcp and udp protocols are allowed.
Type: time
Last update date of the object.

HostServiceMappingPolicy

Host service mapping allows you to map host services to the enforcers that should implement them. You must map host services to one or more enforcers for the host services to have any effect.

Example

{ "disabled": false, "fallback": false, "name": "the name", "propagate": false, "protected": false }

Relations

Retrieves the list of host service mappings.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
  • propagated (boolean): Also retrieve the objects that propagate down.
Creates a new host service mapping.
Deletes the mapping with the given ID.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
Retrieves the mapping with the given ID.
Parameters:
Updates the mapping with the given ID.
Returns the list of enforcers that are affected by this mapping.
Returns the list of host services that are referenced by this mapping.

Attributes

Type: string
Identifier of the object.
Type: string
Defines for how long the policy will be active according to the activeSchedule.
Type: string
Defines when the policy should be active using the cron notation. The policy will be active for the given activeDuration.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: time
Creation date of the object.
Type: string
Description of the object.
Type: boolean
Defines if the property is disabled.
Type: boolean
Indicates that this is fallback policy. It will only be applied if no other policies have been resolved. If the policy is also propagated it will become a fallback for children namespaces.
Type: []string
Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
A tag or tag expression identifying the host service(s) to be mapped.
Type: boolean
Propagates the policy to all of its children.
Type: boolean
Defines if the object is protected.
A tag or tag expression identifying the enforcer(s) that should implement the specified host service(s).
Type: time
Last update date of the object.

policy/networking

CachedFlowReport

Post a new cached flow report.

Example

{ "action": "Accept", "destinationController": "api.east.acme.com", "destinationID": "xxx-xxx-xxx", "destinationNamespace": "/my/namespace", "destinationPlatform": "api.east.acme.com", "destinationType": "ProcessingUnit", "encrypted": false, "enforcerID": "5c6cce207ddf1fc159a104bf", "isLocalDestinationID": false, "isLocalSourceID": false, "namespace": "/my/namespace", "observed": false, "observedAction": "NotApplicable", "observedEncrypted": false, "observedPolicyID": "xxx-xxx-xxx", "observedPolicyNamespace": "/my/namespace", "policyID": "xxx-xxx-xxx", "policyNamespace": "/my/namespace", "protocol": 6, "serviceType": "NotApplicable", "sourceController": "api.west.acme.com", "sourceID": "xxx-xxx-xxx", "sourceNamespace": "/my/namespace", "sourcePlatform": "api.west.acme.com", "sourceType": "ProcessingUnit", "value": 1 }

Relations

Create a cached flow statistics report.

Attributes

Type: string
Identifier of the object.
Action applied to the flow.
Type: string
Identifier of the destination controller.
Type: string
ID of the destination.
Type: string
Destination IP address.
Type: string
Namespace of the destination. This is deprecated. Use remoteNamespace. This property does nothing.
Type: string
Identifier of the destination platform.
Type: integer
Port of the destination.
Type: string
This field is only set if action is set to Reject. It specifies the reason for the rejection.
Type: boolean
If true, the flow was encrypted.
Type: string
ID of the enforcer where the report was collected.
Type: boolean
Indicates if the destination endpoint is an enforcer-local processing unit.
Type: boolean
Indicates if the source endpoint is an enforcer-local processing unit.
Type: string
This is here for backward compatibility.
Type: boolean
If true, design mode is on.
Action observed on the flow.
Default value:
"NotApplicable"
Type: string
Specifies the reason for a rejection. Only set if observedAction is set to Reject.
Type: boolean
Value of the encryption of the network policy that observed the flow.
Type: string
ID of the network policy that observed the flow.
Type: string
Namespace of the network policy that observed the flow.
Type: string
ID of the network policy that accepted the flow.
Type: string
Namespace of the network policy that accepted the flow.
Type: integer
Protocol number.
Type: string
Namespace of the object at the other end of the flow.
Type: string
Contains the eventual name assigned to the particular rule in the NetworkRuleSetPolicy that acted on the flow.
Type: string
Hash of the claims used to communicate.
Type: string
ID of the service.
Type: string
Namespace of Service accessed.
ID of the service.
Default value:
"NotApplicable"
Type: string
Service URL accessed.
Type: string
Identifier of the source controller.
Type: string
ID of the source.
Type: string
Type of the source.
Type: string
Namespace of the source. This is deprecated. Use remoteNamespace. This property does nothing.
Type: string
Identifier of the source platform.
Type: time
Time and date of the log.
Type: integer
Number of flows in the log.

Claims

Represents the claims in the token used to access a service.

Example

{ "content": { "exp": 1553899021, "iat": 1553888221, "iss": "https://accounts.acme.com", "sub": "alice@acme.com" }, "hash": "1134423925458173049" }

Relations

Retrieves the list of claims.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
Creates a new claims record.
Retrieves the object with the given ID.

Attributes

Type: string
Identifier of the object.
Contains the raw JSON web token (JWT) claims.
Type: string
XXH64 hash of the claims content. It will be used as ID. To compute a correct hash, you must first clob content as an string array in the form key=value, sort it then apply the XXH64 function.
Type: string
Namespace tag attached to an entity.

ConnectionExceptionReport

Post a new flow log.

Example

{ "destinationController": "api.west.acme.com", "destinationProcessingUnitID": "xxx-xxx-xxx", "enforcerID": "xxx-xxx-xxx", "enforcerNamespace": "/my/namespace", "namespace": "/my/namespace", "processingUnitID": "xxx-xxx-xxx", "processingUnitNamespace": "/my/namespace", "protocol": 6, "serviceType": "L3", "state": [ "Unknown" ], "value": 1 }

Relations

Create a connection exception report.

Attributes

Type: string
Identifier of the object.
Type: string
Identifier of the destination controller. This should be set in SynAckTransmitted state.
Type: string
Destination IP address.
Type: integer
Port of the destination.
Type: string
ID of the destination processing unit. This should be set in SynAckTransmitted state.
Type: string
ID of the enforcer.
Type: string
Namespace of the enforcer.
Type: string
Namespace of the processing unit that encountered this exception.
Type: string
ID of the processing unit encountered this exception.
Type: string
Namespace of the processing unit encountered this exception.
Type: integer
Protocol number.
Type: string
It specifies the reason for the exception.
Type of the service.
Default value:
"L3"
Type: string
Source IP address.
Represents the current state this report was generated.
Type: time
Time and date of the report.
Type: integer
Number of packets hit.

ExternalNetwork

An external network represents a random network or IP address that is not managed by Microsegmentation. External networks can be used in network policies to allow traffic from or to the declared network or IP, using the provided protocol and port (or range of ports). If you want to describe the internet (i.e., anywhere), use 0.0.0.0/0 as the address and 1-65000 for the ports. You must assign the external network one or more tags. These allow you to reference the external network from your network policies.

Example

{ "name": "the name", "propagate": false, "protected": false, "servicePorts": [ "tcp/80", "udp/80:100" ], "type": "Subnet" }

Relations

Retrieves the list of external networks.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
  • archived (boolean): Also retrieve the objects that have been archived.
  • propagated (boolean): Also retrieve the objects that propagate down.
Creates a new external network.
Deletes the object with the given ID.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
Retrieves the object with the given ID.
Parameters:
Updates the object with the given ID.
Returns the list of external networks affected by an infrastructure policy.
Parameters:
Returns the list of external networks affected by a network policy.
Parameters:
Returns the list of external networks affected by a network rule set policy.
Parameters:

Attributes

Type: string
Identifier of the object.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: time
Creation date of the object.
Type: string
Description of the object.
Type: []string
List of CIDRs or domain name.
Type: []string
Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
Type: boolean
Propagates the policy to all of its children.
Type: boolean
Defines if the object is protected.
Type: []string
List of protocol/ports (tcp/80) or (udp/80:100).
The type of external network (default Subnet).
Default value:
"Subnet"
Type: time
Last update date of the object.

FlowReport

Post a new flow log.

Example

{ "action": "Accept", "destinationController": "api.east.acme.com", "destinationID": "xxx-xxx-xxx", "destinationNamespace": "/my/namespace", "destinationPlatform": "api.east.acme.com", "destinationType": "ProcessingUnit", "encrypted": false, "enforcerID": "5c6cce207ddf1fc159a104bf", "namespace": "/my/namespace", "observed": false, "observedAction": "NotApplicable", "observedEncrypted": false, "observedPolicyID": "xxx-xxx-xxx", "observedPolicyNamespace": "/my/namespace", "policyID": "xxx-xxx-xxx", "policyNamespace": "/my/namespace", "protocol": 6, "serviceType": "NotApplicable", "sourceController": "api.west.acme.com", "sourceID": "xxx-xxx-xxx", "sourceNamespace": "/my/namespace", "sourcePlatform": "api.west.acme.com", "sourceType": "ProcessingUnit", "value": 1 }

Relations

Create a flow statistics report.

Attributes

Type: string
Identifier of the object.
Action applied to the flow.
Type: string
Identifier of the destination controller.
Type: string
ID of the destination.
Type: string
Destination IP address.
Type: string
Namespace of the destination. This is deprecated. Use remoteNamespace. This property does nothing.
Type: string
Identifier of the destination platform.
Type: integer
Port of the destination.
Type: string
This field is only set if action is set to Reject. It specifies the reason for the rejection.
Type: boolean
If true, the flow was encrypted.
Type: string
ID of the enforcer where the report was collected.
Type: string
This is here for backward compatibility.
Type: boolean
If true, design mode is on.
Action observed on the flow.
Default value:
"NotApplicable"
Type: string
Specifies the reason for a rejection. Only set if observedAction is set to Reject.
Type: boolean
Value of the encryption of the network policy that observed the flow.
Type: string
ID of the network policy that observed the flow.
Type: string
Namespace of the network policy that observed the flow.
Type: string
ID of the network policy that accepted the flow.
Type: string
Namespace of the network policy that accepted the flow.
Type: integer
Protocol number.
Type: string
Namespace of the object at the other end of the flow.
Type: string
Contains the eventual name assigned to the particular rule in the NetworkRuleSetPolicy that acted on the flow.
Type: string
Hash of the claims used to communicate.
Type: string
ID of the service.
Type: string
Namespace of Service accessed.
ID of the service.
Default value:
"NotApplicable"
Type: string
Service URL accessed.
Type: string
Identifier of the source controller.
Type: string
ID of the source.
Type: string
Type of the source.
Type: string
Namespace of the source. This is deprecated. Use remoteNamespace. This property does nothing.
Type: string
Identifier of the source platform.
Type: time
Time and date of the log.
Type: integer
Number of flows in the log.

InfrastructurePolicy

Infrastructure policies represent the network access rules of the underlying infrastructure. They can assist you in analyzing how AWS security groups, firewalls, and other access control list (ACL) mechanisms may affect Microsegmentation network policies. Microsegmentation’s AWS integration app automatically populates AWS security groups.

Example

{ "action": "Allow", "applyPolicyMode": "OutgoingTraffic", "disabled": false, "name": "the name", "protected": false }

Relations

Retrieves the list of infrastructure policies.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
Creates a new infrastructure policy.
Deletes the infrastructure policy with the given ID.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
Retrieves the infrastructure policy with the given ID.
Updates the infrastructure policy with the given ID.
Returns the list of external networks affected by an infrastructure policy.
Parameters:
Returns the list of processing units affected by an infrastructure policy.
Parameters:
Returns the list of services affected by an infrastructure policy.
Parameters:

Attributes

Type: string
Identifier of the object.
Defines the action to apply to a flow.
Default value:
"Allow"
Type: string
Defines for how long the policy will be active according to the activeSchedule.
Type: string
Defines when the policy should be active using the cron notation. The policy will be active for the given activeDuration.
Stores additional information about an entity.
Determines if the policy applies to the outgoing traffic of the subject or the incoming traffic of the subject. OutgoingTraffic (default) or IncomingTraffic.
Default value:
"OutgoingTraffic"
Type: []string
List of tags attached to an entity.
Type: time
Creation date of the object.
Type: string
Description of the object.
Type: boolean
Defines if the property is disabled.
Type: time
If set the policy will be automatically deleted after the given time.
Type: []string
Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
Object of the policy.
Type: boolean
Defines if the object is protected.
Subject of the policy.
Type: time
Last update date of the object.

NetworkAccessPolicy

Allows you to define network policies to allow or prevent processing units identified by their tags to talk to other processing units or external networks (also identified by their tags).

Example

{ "action": "Allow", "applyPolicyMode": "Bidirectional", "disabled": false, "encryptionEnabled": false, "fallback": false, "logsEnabled": false, "name": "the name", "negateObject": false, "negateSubject": false, "observationEnabled": false, "observedTrafficAction": "Continue", "propagate": false, "protected": false }

Relations

Retrieves the list of network policies.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
  • propagated (boolean): Also retrieve the objects that propagate down.
Creates a new network policy. This is deprecated. in favor of NetworkRuleSetPolicy.
Deletes the policy with the given ID.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
Retrieves the policy with the given ID.
Parameters:
Updates the policy with the given ID.
Returns the list of external networks affected by a network policy.
Parameters:
Returns the list of processing units affected by a network policy.
Parameters:
Returns the list of services affected by a network policy.
Parameters:

Attributes

Type: string
Identifier of the object.
Defines the action to apply to a flow.
  • Allow: allows the defined traffic.
  • Reject: rejects the defined traffic; useful in conjunction with an allow all policy.
  • Continue: neither allows or rejects the traffic; useful for applying another property to the traffic.
Default value:
"Allow"
Type: string
Defines for how long the policy will be active according to the activeSchedule.
Type: string
Defines when the policy should be active using the cron notation. The policy will be active for the given activeDuration.
Stores additional information about an entity.
Sets three different types of policies. IncomingTraffic: applies the policy to all processing units that match the object and allows them to accept connections from processing units or external networks that match the subject. OutgoingTraffic: applies the policy to all processing units that match the subject and allows them to initiate connections with processing units or external networks that match the object. Bidirectional (default): applies the policy to all processing units that match the object and allows them to accept connections from processing units that match the subject. Also applies the policy to all processing units that match the subject and allows them to initiate connections with processing units that match the object.
Default value:
"Bidirectional"
Type: []string
List of tags attached to an entity.
Type: time
Creation date of the object.
Type: string
Description of the object.
Type: boolean
Defines if the property is disabled.
Type: boolean
Defines if the flow has to be encrypted. This property is deprecated and have no incidence.
Type: time
If set the policy will be automatically deleted after the given time.
Type: boolean
Indicates that this is fallback policy. It will only be applied if no other policies have been resolved. If the policy is also propagated it will become a fallback for children namespaces.
Type: boolean
If true, the relevant flows are logged and available from Microsegmentation Console. Under some advanced scenarios you may wish to set this to false, such as to save space or improve performance.
Type: []string
Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: boolean
Setting this to true will invert the object to find what is not matching.
Type: boolean
Setting this to true will invert the subject to find what is not matching.
Type: []string
Contains the list of normalized tags of the entities.
A tag or tag expression identifying the object of the policy.
Type: boolean
If set to true, the flow will be in observation mode.
If observationEnabled is set to true, this defines the final action taken on the packets: Apply or Continue (default).
Default value:
"Continue"
Type: []string
Represents the ports and protocols this policy applies to.
Type: boolean
Propagates the policy to all of its children.
Type: boolean
Defines if the object is protected.
A tag or tag expression identifying the subject of the policy.
Type: time
Last update date of the object.

NetworkRuleSetPolicy

Allows you to define network rule sets to allow or prevent processing units identified by their tags to talk to other processing units or external networks (also identified by their tags).

Example

{ "disabled": false, "fallback": false, "name": "the name", "propagate": false, "protected": false }

Relations

Retrieves the list of network rule set policies.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
  • propagated (boolean): Also retrieve the objects that propagate down.
Creates a new network rule set policy policy.
Deletes the policy with the given ID.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
Retrieves the policy with the given ID.
Parameters:
Updates the policy with the given ID.
Returns the list of external networks affected by a network rule set policy.
Parameters:
Returns the list of processing units affected by a network rule set policy.
Parameters:
Returns the list of services affected by a network rule set policy.
Parameters:

Attributes

Type: string
Identifier of the object.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: time
Creation date of the object.
Type: string
Description of the object.
Type: boolean
Defines if the property is disabled.
Type: boolean
Indicates that this is fallback policy. It will only be applied if no other policies have been resolved. If the policy is also propagated it will become a fallback for children namespaces.
The set of rules to apply to incoming traffic (traffic coming to the Processing Unit matching the subject).
Type: []string
Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
The set of rules to apply to outgoing traffic (traffic coming from the Processing Unit matching the subject).
Type: boolean
Propagates the policy to all of its children.
Type: boolean
Defines if the object is protected.
A tag expression identifying used to match processing units to which this policy applies to.
Type: time
Last update date of the object.

policy/processingunits

IsolationProfile

Defines system call rules, system call actions, and other capabilities on a processing unit.

Example

{ "name": "the name", "propagate": false, "protected": false }

Relations

Retrieves the list of isolation profiles.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
  • propagated (boolean): Also retrieve the objects that propagate down.
Creates a new isolation profile.
Deletes the profile with the given ID.
Retrieves the profile with the given ID.
Parameters:
Updates the profile with the given ID.
Returns the list of isolation profiles associated with the mapping.

Attributes

Type: string
Identifier of the object.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: _cap_map
The capabilities that should be added to or removed from the processing unit.
Type: time
Creation date of the object.
The default action applied to all system calls of this profile. Default is Allow.
Type: string
Description of the object.
Type: []string
Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
Type: boolean
Propagates the policy to all of its children.
Type: boolean
Defines if the object is protected.
A list of system call rules that identify actions for particular system calls.
The processor architectures that the profile supports. Default all.
Type: time
Last update date of the object.

ProcessingUnitPolicy

Processing unit policies allow you to define special behavior for processing units. For example you can associate an isolation profile with a set of processing units or select a specific datapath.

Example

{ "action": "Default", "datapathType": "Default", "disabled": false, "fallback": false, "name": "the name", "propagate": false, "protected": false }

Relations

Retrieves the list of processing unit policies.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
  • propagated (boolean): Also retrieve the objects that propagate down.
Creates a new processing unit policy.
Deletes the object with the given ID.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
Retrieves the object with the given ID.
Updates the object with the given ID.
Returns the list of isolation profiles associated with the mapping.
Returns the list of processing units referenced by the mapping.

Attributes

Type: string
Identifier of the object.
Action determines the action to take while enforcing the isolation profile. NOTE: Choose Default if your processing unit is not supposed to make a decision on isolation profiles at all.
Default value:
"Default"
Type: string
Defines for how long the policy will be active according to the activeSchedule.
Type: string
Defines when the policy should be active using the cron notation. The policy will be active for the given activeDuration.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: time
Creation date of the object.
The datapath type that processing units selected by subject should implement:
  • Default: This policy is not making a decision for the datapath.
  • Aporeto: The enforcer is managing and handling the datapath.
  • EnvoyAuthorizer: The enforcer is serving Envoy-compatible gRPC APIs for every processing unit that for example can be used by an Envoy proxy to use the Microsegmentation PKI and implement Microsegmentation network policies. NOTE: The enforcer is not going to own the datapath in this example. It is merely providing an authorizer API.
Default value:
"Default"
Type: string
Description of the object.
Type: boolean
Defines if the property is disabled.
Type: boolean
Indicates that this is fallback policy. It will only be applied if no other policies have been resolved. If the policy is also propagated it will become a fallback for children namespaces.
The isolation profiles to be mapped. Only applies to Enforce and LogCompliance actions.
Type: []string
Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
Type: boolean
Propagates the policy to all of its children.
Type: boolean
Defines if the object is protected.
Contains the tag expression the tags need to match for the policy to apply.
Type: time
Last update date of the object.

ProcessingUnitService

Represents a service attached to a processing unit.

Attributes

Type: string
Contains the list of allowed ports and ranges.
Type: integer
Protocol used by the service.
Type: []string
List of single ports or range (xx:yy).

policy/quota

QuotaCheck

Allows you to verify the quota for a given identity in a given namespace with the given tags.

Example

{ "targetIdentity": "processingunit", "targetNamespace": "/my/namespace" }

Relations

Verifies if the quota is exceeded for a particular object.
Parameters:
  • remaining (boolean): Makes the system count how many object are left available in the quota.

Attributes

Type: integer
Contains the maximum number of matching entities that can be created.
Type: integer
If the parameter remaining=true is passed, this value will be populated with the number of remaining objects in the quota.
Default value:
-1
Type: string
The identity name of the object you want to check the quota on.
Type: string
The namespace from which you want to check the quota on.

QuotaPolicy

Allows you to set quotas on the number of objects that can be created in a namespace.

Example

{ "disabled": false, "fallback": false, "identities": [ "processingunit", "enforcer" ], "name": "the name", "propagate": false, "propagationHidden": false, "protected": false, "targetNamespace": "/my/namespace" }

Relations

Retrieves the list of quotas.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
  • propagated (boolean): Also retrieve the objects that propagate down.
Creates a new quota.
Deletes the quota with the given ID.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
Retrieves the quota with the given ID.
Updates the quota with the given ID.

Attributes

Type: string
Identifier of the object.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: time
Creation date of the object.
Type: string
Description of the object.
Type: boolean
Defines if the property is disabled.
Type: time
If set the quota will be automatically deleted after the given time.
Type: boolean
Indicates that this is fallback policy. It will only be applied if no other policies have been resolved. If the policy is also propagated it will become a fallback for children namespaces.
Type: []string
Contains the list of identity names where the quota will be applied.
Type: []string
Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
Type: boolean
Propagates the policy to all of its children.
Type: boolean
If set to true while the policy is propagating, it won’t be visible to children namespace, but still used for policy resolution.
Type: boolean
Defines if the object is protected.
Type: integer
Specifies the maximum number of objects matching the policy subject that can be created.
Type: string
Contains the base namespace from where the count will be done.
Type: time
Last update date of the object.

policy/services

ClaimMapping

Allows you to map a claim in a token to an HTTP header. This can be useful when offloading authentication and authorization to Microsegmentation. Some applications may expect to receive information in the HTTP header.

Example

{ "claimName": "email", "targetHTTPHeader": "X-Username" }

Attributes

Type: string
The name of the claim to map to the HTTP header. header.
Type: string
The HTTP header that will be the destination of the mapped claim.

Endpoint

Represents an HTTP endpoint.

Example

{ "public": false }

Attributes

Type: string
URI of the exposed API.
The scopes authorized to access the API.
Type: []string
Methods exposed to access the API.
Type: boolean
If true, the API is public.

HTTPResourceSpec

Describes an HTTP resource exposed by one or more services.

Example

{ "name": "the name", "propagate": false, "protected": false }

Relations

Retrieves the list of HTTP resource specifications.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
  • propagated (boolean): Also retrieve the objects that propagate down.
  • archived (boolean): Also retrieve the objects that have been archived.
Creates a new HTTP resource specification.
Deletes the HTTP resource with the given ID.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
Retrieves the HTTP resource with the given ID.
Parameters:
Updates the HTTP resource with the given ID.
Retrieves the HTTP Resource exposed by this service.

Attributes

Type: string
Identifier of the object.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: time
Creation date of the object.
Type: string
Description of the object.
A list of API endpoints that are exposed for the service.
Type: []string
Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
Type: boolean
Propagates the policy to all of its children.
Type: boolean
Defines if the object is protected.
Type: time
Last update date of the object.

Service

Defines a generic service object at layer 4 or layer 7 that encapsulates the description of a microservice. A service exposes APIs and can be implemented through third-party entities (such as a cloud provider) or through processing units.

Example

{ "OIDCProviderURL": "https://accounts.google.com", "OIDCScopes": [ "email", "profile" ], "TLSType": "Aporeto", "authorizationType": "None", "disabled": false, "exposedAPIs": [ [ "package=p1" ] ], "exposedPort": 443, "exposedServiceIsTLS": false, "external": false, "name": "the name", "port": 443, "propagate": false, "protected": false, "publicApplicationPort": 443, "selectors": [ [ "$identity=processingunit" ] ], "type": "HTTP" }

Relations

Retrieves the list of services.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
  • archived (boolean): Also retrieve the objects that have been archived.
  • propagated (boolean): Also retrieve the objects that propagate down.
Creates a new service.
Deletes the service with the given ID.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
Retrieves the service with the given ID.
Parameters:
Updates the service with the given ID.
Returns the list of services affected by an infrastructure policy.
Parameters:
Returns the list of services affected by a network policy.
Parameters:
Returns the list of services affected by a network rule set policy.
Parameters:
Retrieves the services used by a processing unit.
Returns the list of external services that are targets of service dependency.
Retrieves the HTTP Resource exposed by this service.
Retrieves the processing units that implement this service.

Attributes

Type: string
Identifier of the object.
Type: []string
The list of IP addresses where the service can be accessed. This is an optional attribute and is only required if no host names are provided. The system will automatically resolve IP addresses from host names otherwise.
Type: string
PEM-encoded certificate that will be used to validate the user’s JSON web token (JWT) in HTTP requests. This is an optional field, needed only if the authorizationType is set to JWT.
Type: string
PEM-encoded certificate authority to use to verify client certificates. This only applies if authorizationType is set to MTLS. If it is not set, Microsegmentation Console’s public signing certificate authority will be used.
Type: string
This is an advanced setting. Optional OIDC callback URL. If you don’t set it, the enforcer will autodiscover it. It will be https://<hosts[0]|IPs[0]>/aporeto/oidc/callback.
Type: string
OIDC Client ID. Only has effect if the authorizationType is set to OIDC.
Type: string
OIDC Client Secret. Only has effect if the authorizationType is set to OIDC.
Type: string
OIDC discovery endpoint. Only has effect if the authorizationType is set to OIDC.
Type: []string
Configures the scopes you want to request from the OIDC provider. Only has effect if authorizationType is set to OIDC.