Core resources
core
DiscoveryMode
(Deprecated) When discovery mode is enabled, all flows are accepted. Flows which
do not match an existing network policy will be represented by a dotted line in
your Platform view.
Example
{ "propagate": false }
Relations
(Deprecated) Returns the list of discovery modes.
(Deprecated) Deploy the discovery mode assets onto the specified namespace.
(Deprecated) Remove the discovery mode assets with the given import reference ID.
(Deprecated) Retrieve the discovery mode with the given import reference ID.
Attributes
Export
Allows you to obtain a JSON object containing policies and other objects
from a given namespace. You can then import this JSON object into a
different namespace.
Example
{ "identities": [ "externalnetworks", "networkaccesspolicies" ], "label": "my-import-name" }
Relations
Exports all policies and related objects of a namespace.
Parameters:
Hit
This API allows you to retrieve a generic hit counter for a given object.
Example
{ "name": "counter", "targetIdentity": "networkaccesspolicy" }
Relations
Retrieve a matching hit.
Parameters:
Mandatory Parameters
Import
Imports an export of policies and related objects into the namespace.
Example
{ "data": { "externalnetworks": [ { "associatedTags": [ "ext:net=tcp" ], "description": "Represents all TCP traffic on any port", "entries": [ "0.0.0.0/0" ], "name": "all-tcp", "servicePorts": [ "tcp/1:65535" ] }, { "associatedTags": [ "ext:net=udp" ], "description": "Represents all UDP traffic on any port", "entries": [ "0.0.0.0/0" ], "name": "all-udp", "servicePorts": [ "udp/1:65535" ] } ], "networkaccesspolicies": [ { "action": "Allow", "description": "Allows all communication from pu to pu, tcp and udp", "logsEnabled": true, "name": "allow-all-communication", "object": [ [ "$identity=processingunit" ], [ "ext:net=tcp" ], [ "ext:net=udp" ] ], "subject": [ [ "$identity=processingunit" ] ] } ] }, "mode": "Import" }
Relations
Imports data from a previous export.
Attributes
How to import the data: ReplacePartial, Import (default), or Remove.
ReplacePartial is deprecated. Use Import instead. While you can still use
ReplacePartial, it will be interpreted as Import.
Default value:
"Import"
ImportReference
Allows you to import and keep a reference.
Example
{ "constraint": "Unrestricted", "data": { "externalnetworks": [ { "associatedTags": [ "ext:net=tcp" ], "description": "Represents all TCP traffic on any port", "entries": [ "0.0.0.0/0" ], "name": "all-tcp", "servicePorts": [ "tcp/1:65535" ] }, { "associatedTags": [ "ext:net=udp" ], "description": "Represents all UDP traffic on any port", "entries": [ "0.0.0.0/0" ], "name": "all-udp", "servicePorts": [ "udp/1:65535" ] } ], "networkaccesspolicies": [ { "action": "Allow", "description": "Allows all communication from pu to pu, tcp and udp", "logsEnabled": true, "name": "allow-all-communication", "object": [ [ "$identity=processingunit" ], [ "ext:net=tcp" ], [ "ext:net=udp" ] ], "subject": [ [ "$identity=processingunit" ] ] } ] }, "name": "the name", "protected": false }
Relations
Retrieves the list of import references.
Parameters:
Imports data from a previous export and keeps a reference.
Deletes the object with the given ID.
Parameters:
Retrieves the object with the given ID.
Returns the list of import references that depend on a recipe.
Create an import request for the given recipe.
Attributes
Defines the import constraint. If Unrestricted, the import can be deployed
multiple times. If Unique, only one import is allowed in the current namespace
and its child namespaces. If NamespaceUnique, only one import is allowed in the
current namespace.
Default value:
"Unrestricted"
Type: []string
Contains tags that can only be set during creation, must all start
with the '@' prefix, and should only be used by external systems.
ImportRequest
Allows you to send an import request to create objects in a namespace where
the requester doesn’t normally have the permission to do so (other than creating
import requests).
The requester must have the permission to create the request in their namespace
and in the target namespace.
When the request is created, the status is set to Draft. The requester can
edit the content as much as desired.
When ready to send the request, update the status to Submitted.
The request will then be moved to the target namespace.
At that point nobody can edit the content of the request other than adding
comments.
The requestee will now see the request, and will either
Example
{ "data": { "networkaccesspolicies": [ { "action": "Allow", "description": "Allows Acme to access service A", "logsEnabled": true, "name": "allow-acme", "object": [ [ "$identity=processingunit", "$namespace=/acme/prod", "app=query" ] ], "subject": [ [ "$identity=processingunit", "app=partner-data" ] ] } ] }, "protected": false, "requesterClaims": [ "@auth:realm=vince", "@auth:account=acme" ], "status": "Draft", "targetNamespace": "/acme/prod" }
Relations
Retrieves the list of import requests.
Parameters:
Creates a new import request.
Delete an existing import request.
Retrieve a single existing import request.
Update an existing import request.
Attributes
Type: string
The namespace from which the request originated; populated by the
Microsegmentation Console.
Default value:
"Draft"
Type: string
The namespace where the request will be sent. The requester can set any
namespace but needs to have an authorization to post the request in that
namespace.
Poke
When available, poke can be used to update various information about the parent.
For instance, for enforcers, poke will be used as the heartbeat.
Relations
Sends a poke empty object. This is used to ensure an enforcer is up and running.
Parameters:
- enforcementStatus (enum(Failed | Inactive | Active)): If set, changes the enforcement status of the enforcer along with the poke.
- forceFullPoke (boolean): If set, it will trigger a full poke (slower).
- sessionClose (boolean): If set, terminates a session for an enforcer.
- status (enum(Registered | Connected | Disconnected)): If set, changes the status of the enforcer along with the poke.
Sends a poke empty object. This will send a snapshot of the processing unit to
the time series database.
Parameters:
- enforcementStatus (enum(Failed | Inactive | Active)): If set, changes the enforcement status of the processing unit along with the poke.
- forceFullPoke (boolean): If set, it will trigger a full poke (slower).
- notify (boolean): Can be sent to trigger a ProcessingUnitRefresh event that will be handled by the enforcer. If this is set, all other additional parameters will be ignored.
- status (enum(Initialized | Paused | Running | Stopped)): If set, changes the status of the processing unit along with the poke.
PolicyRenderer
Allows you to render policies of a given type for a given set of tags.
Example
{ "processMode": "Subject", "tags": [ "a=a", "b=b" ], "type": "APIAuthorization" }
Relations
Render a policy of a given type for a given set of tags.
Attributes
Type: enum(Subject | Object)
Subject (default): Set if the processMode should use the subject. Object: Set if
the processMode should use the object. This only has an effect when rendering an
SSH authorization for now.
Default value:
"Subject"
Search
Perform a full text search on the database.
Relations
Perform a full text search on the database.
Parameters:
Mandatory Parameters
Attributes
core/accessiblenamespace
AccessibleNamespace
An Accessible Namespace represents a namespace that can be accessed by a given
user.
Relations
Retrieves the list of accessible namespaces.
Parameters:
core/account
Account
Allows you to view and manage basic information about your account like
your name, password, and whether or not two-factor authentication is enabled.
Example
{ "OTPEnabled": false, "SSHCARenew": false, "accessEnabled": false, "company": "Acme", "email": "user@acme.com", "firstName": "John", "lastName": "Doe", "localCARenew": false, "name": "acme" }
Relations
Creates a new account.
Deletes the object with the given ID.
Parameters:
Retrieves the object with the given ID.
Updates the object with the given ID.
Attributes
Type: string
Contains the completely automated public Turing test (CAPTCHA)
validation if reCAPTCHA is enabled.
Status of the account.
Default value:
"Pending"
Activate
Used to activate a pending account.
Example
{ "token": "2BB3D52C-DE26-406A-8821-613F102282B0" }
Relations
Activates a pending account.
Parameters:
- noRedirect (boolean): If set, do not redirect the request to the web interface.
Mandatory Parameters
Attributes
PasswordReset
Used to reset a Microsegmentation account password.
Example
{ "password": "NewPassword123@", "token": "436676D4-7ECA-4853-A572-0644EE9D89EF" }
Relations
Sends a link to the account email to reset the password.
Parameters:
Mandatory Parameters
Resets the password for an account using the provided link.
core/authentication
Authn
Verifies if the given token is valid or not. If it is valid it will
return the claims of the token.
Relations
Verify the validity of a token. This is deprecated. You should use Create.
Parameters:
Verify the validity of a token.
Issue
Issues a new Microsegmentation token according to given data.
Example
{ "audience": "aud:*:*:/namespace", "metadata": { "vinceAccount": "acme", "vinceOTP": 665435, "vincePassword": "s3cr3t" }, "realm": "Vince", "restrictedNamespace": "/namespace", "restrictedNetworks": [ "10.0.0.0/8", "127.0.0.1/32" ], "restrictedPermissions": [ "@auth:role=enforcer", "namespace,post" ], "validity": "24h" }
Relations
Issues a new token.
Parameters:
Attributes
Type: string
If given, the issued token will only be valid for the specified namespace.
Refer to JSON Web Token (JWT) RFC 7519 for further information.
The authentication realm. This will define how to verify
credentials from internal or external source of authentication.
Type: string
Restricts the namespace where the token can be used.
For instance, if you have access to /namespace and below, you can
tell the policy engine that it should restrict further to /namespace/child.
Restricting to a namespace you don’t initially have access to according to the
policy engine has no effect and may end up making the token unusable.
Type: []string
Restricts the networks from where the token can be used. This will reduce the
existing set of authorized networks that normally apply to the token according
to the policy engine.
For instance, if you have authorized access from 0.0.0.0/0 (by default) or from
10.0.0.0/8, you can ask for a token that will only be valid if used from
10.1.0.0/16.
Restricting to a network that is not initially authorized by the policy
engine has no effect and may end up making the token unusable.
Type: []string
Restricts the permissions of the token. This will reduce the existing permissions
that normally apply to the token according to the policy engine.
For instance, if you have an administrative role, you can ask for a token that will
tell the policy engine to reduce the permissions it would have granted to what is
defined in the token.
Restricting to some permissions you don’t initially have according to the policy
engine has no effect and may end up making the token unusable.
Type: string
Configures the maximum length of validity for a token, using Golang duration
syntax. If it is bigger than the configured max validity, it will be capped.
Default: 24h.
Default value:
"24h"
LDAPProvider
Allows you to declare a generic LDAP provider that can be used in exchange
for a Midgard token.
Example
{ "address": "ldap.company.com", "baseDN": "dc=universe,dc=io", "bindDN": "cn=readonly,dc=universe,dc=io", "bindPassword": "s3cr3t", "bindSearchFilter": "uid={USERNAME}", "certificateAuthority": "-----BEGIN CERTIFICATE----- MIIBPzCB5qADAgECAhEAwbx3c+QW24ePXyD94geytzAKBggqhkjOPQQDAjAPMQ0w CwYDVQQDEwR0b3RvMB4XDTE5MDIyMjIzNDA1MFoXDTI4MTIzMTIzNDA1MFowDzEN MAsGA1UEAxMEdG90bzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJi6CwRDeKks Xb3pDEslmFGR7k9Aeh5RK+XmdqKKPGb3NQWEFPGolnqOR34iVuf7KSxTuzaaVWfu XEa94faUQEqjIzAhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MAoG CCqGSM49BAMCA0gAMEUCIQD+nL9RF9EvQXHyYuJ31Lz9yWd9hsK91stnpAs890gS /AIgQIKjBBpiyQNZZWso5H04qke9QYMVPegiQQufFFBj32c= -----END CERTIFICATE-----", "connSecurityProtocol": "InbandTLS", "default": false, "name": "the name", "protected": false, "subjectKey": "uid" }
Relations
Retrieves the list of the namespace LDAP providers.
Parameters:
Creates a new LDAP provider.
Deletes the provider with the given ID.
Parameters:
Retrieves the provider with the given ID.
Updates the provider with the given ID.
Attributes
Type: string
Contains the base distinguished name (DN) to use for LDAP queries. Example:
dc=example,dc=com.
Type: string
The filter to use to locate the relevant user accounts. For Windows-based
systems, the value may be sAMAccountName={USERNAME}. For Linux and other
systems, the value may be uid={USERNAME}.
Default value:
"uid={USERNAME}"
Type: string
Can be left empty if the LDAP server’s certificate is signed by a public,
trusted certificate authority. Otherwise, include the public key of the
certificate authority that signed the LDAP server’s certificate.
Type: []string
A list of keys that must not be imported into a Microsegmentation authorization. If
includedKeys is also set, and a key is in both lists, the key will be ignored.
Type: []string
A list of keys that must be imported into a Microsegmentation authorization. If
ignoredKeys is also set, and a key is in both lists, the key will be ignored.
Type: string
The key to be used to populate the subject of the Midgard token. If you want to
use the user as a subject, for Windows-based systems you may use sAMAccountName.
For Linux and other systems, you may wish to use uid (default). You can also use
any alternate key.
Default value:
"uid"
Logout
Perform logout operations. This is only used to unset the secure cookie token
for now.
Relations
Performs a logout operation.
OIDCProvider
Allows you to declare a generic OpenID Connect (OIDC) provider that can be used
in exchange for a Midgard token.
Example
{ "certificateAuthority": "-----BEGIN CERTIFICATE----- MIIBczCCARigAwIBAgIRALD3Vz81Pq10g7n4eAkOsCYwCgYIKoZIzj0EAwIwJjEN MAsGA1UEChMEQWNtZTEVMBMGA1UEAxMMQWNtZSBSb290IENBMB4XDTE4MDExNzA2 NTM1MloXDTI3MTEyNjA2NTM1MlowGDEWMBQGA1UEAxMNY2xhaXJlLWNsaWVudDBZ MBMGByqGSM49AgEGCCqGSM49AwEHA0IABOmzPJj+t25T148eQH5gVrZ7nHwckF5O evJQ3CjSEMesjZ/u7cW8IBfXlxZKHxl91IEbbB3svci4c8pycUNZ2kujNTAzMA4G A1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAA MAoGCCqGSM49BAMCA0kAMEYCIQCjAAmkQpTua0HR4q6jnePaFBp/JMXwTXTxzbV6 peGbBQIhAP+1OR8GFnn2PlacwHqWXHwkvy6CLPVikvgtwEdB6jH8 -----END CERTIFICATE-----", "clientID": "6195189841830-0644ee9d89ef0644ee9d89examle.apps.googleusercontent.com", "clientSecret": "Ytgbfjtj4652jHDFGls99jF", "default": false, "endpoint": "https://accounts.google.com", "name": "the name", "protected": false, "scopes": [ "email", "profile" ], "subjects": [ "email", "profile" ] }
Relations
Retrieves the list of OIDC providers.
Parameters:
Creates a new OIDC provider.
Deletes the provider with the given ID.
Parameters:
Retrieves the provider with the given ID.
Updates the provider with the given ID.
Attributes
Type: string
Set the CA to use to contact the OIDC server. This is useful when you are using
a custom OIDC provider that doesn’t use a trusted CA. Most of the
time, you can leave this property empty.
PCCProvider
Allows you to declare a trusted Prisma Cloud Compute (PCC) authentication provider. Microsegmentation will accept JSON web tokens (JWT) from the specified PCC provider.
Example
{ "certificateAuthority": "-----BEGIN CERTIFICATE----- MIIBczCCARigAwIBAgIRALD3Vz81Pq10g7n4eAkOsCYwCgYIKoZIzj0EAwIwJjEN MAsGA1UEChMEQWNtZTEVMBMGA1UEAxMMQWNtZSBSb290IENBMB4XDTE4MDExNzA2 NTM1MloXDTI3MTEyNjA2NTM1MlowGDEWMBQGA1UEAxMNY2xhaXJlLWNsaWVudDBZ MBMGByqGSM49AgEGCCqGSM49AwEHA0IABOmzPJj+t25T148eQH5gVrZ7nHwckF5O evJQ3CjSEMesjZ/u7cW8IBfXlxZKHxl91IEbbB3svci4c8pycUNZ2kujNTAzMA4G A1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAA MAoGCCqGSM49BAMCA0kAMEYCIQCjAAmkQpTua0HR4q6jnePaFBp/JMXwTXTxzbV6 peGbBQIhAP+1OR8GFnn2PlacwHqWXHwkvy6CLPVikvgtwEdB6jH8 -----END CERTIFICATE-----", "default": false, "endpoint": "https://my.pcc.acme.com", "name": "the name", "protected": false }
Relations
Retrieves the list of the PCC providers.
Parameters:
Creates a new PCC provider.
Deletes the provider with the given ID.
Parameters:
Retrieves the provider with the given ID.
Updates the provider with the given ID.
SAMLProvider
Allows you to declare a generic SAML provider that can be used in
exchange for a Midgard token.
Example
{ "IDPCertificate": "-----BEGIN CERTIFICATE REQUEST----- MIICvDCCAaQCAQAwdzELMAkGA1UEBhMCVVMxDTALBgNVBAgMBFV0YWgxDzANBgNV BAcMBkxpbmRvbjEWMBQGA1UECgwNRGlnaUNlcnQgSW5jLjERMA8GA1UECwwIRGln aUNlcnQxHTAbBgNVBAMMFGV4YW1wbGUuZGlnaWNlcnQuY29tMIIBIjANBgkqhkiG 9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8+To7d+2kPWeBv/orU3LVbJwDrSQbeKamCmo wp5bqDxIwV20zqRb7APUOKYoVEFFOEQs6T6gImnIolhbiH6m4zgZ/CPvWBOkZc+c 1Po2EmvBz+AD5sBdT5kzGQA6NbWyZGldxRthNLOs1efOhdnWFuhI162qmcflgpiI WDuwq4C9f+YkeJhNn9dF5+owm8cOQmDrV8NNdiTqin8q3qYAHHJRW28glJUCZkTZ wIaSR6crBQ8TbYNE0dc+Caa3DOIkz1EOsHWzTx+n0zKfqcbgXi4DJx+C1bjptYPR BPZL8DAeWuA8ebudVT44yEp82G96/Ggcf7F33xMxe0yc+Xa6owIDAQABoAAwDQYJ KoZIhvcNAQEFBQADggEBAB0kcrFccSmFDmxox0Ne01UIqSsDqHgL+XmHTXJwre6D hJSZwbvEtOK0G3+dr4Fs11WuUNt5qcLsx5a8uk4G6AKHMzuhLsJ7XZjgmQXGECpY Q4mC3yT3ZoCGpIXbw+iP3lmEEXgaQL0Tx5LFl/okKbKYwIqNiyKWOMj7ZR/wxWg/ ZDGRs55xuoeLDJ/ZRFf9bI+IaCUd1YrfYcHIl3G87Av+r49YVwqRDT0VDV7uLgqn 29XI1PpVUNCPQGn9p/eX6Qo7vpDaPybRtA2R7XLKjQaF9oXWeCUqy1hvJac9QFO2 97Ob1alpHPoZ7mWiEuJwjBPii6a9M9G30nUo39lBi1w= -----END CERTIFICATE REQUEST-----", "IDPIssuer": "https://accounts.google.com/o/saml2/idp?idpid=AbDcef123", "IDPURL": "https://accounts.google.com/o/saml2/idp?idpid=AbDcef123", "default": false, "name": "the name", "protected": false, "subjects": [ "email", "profile" ] }
Relations
Retrieves the list of the namespace SAML providers.
Parameters:
Creates a new SAML provider.
Deletes the provider with the given ID.
Parameters:
Retrieves the provider with the given ID.
Updates the provider with the given ID.
core/billing
Plan
Contains the various billing plans available.
Relations
Retrieves the list of plans.
Retrieves the plan with the given ID.
Attributes
core/enforcer
CounterReport
Post a new counter tracing report.
Example
{ "enforcerID": "xxxx-xxx-xxxx", "enforcerNamespace": "/my/namespace", "namespace": "/my/namespace", "processingUnitID": "xxx-xxx-xxx", "processingUnitNamespace": "/my/namespace", "timestamp": "2018-06-14T23:10:46.420397985Z" }
Relations
Create a counter report.
Attributes
Type: integer
Non-zero counter indicates analyzed connections for unencrypted, encrypted, and
packets from endpoint applications with the TCP Fast Open option set. These are
not drop counters.
Type: integer
Non-zero counter indicates dropped connections because of invalid state,
non-processing unit traffic, or out of order packets.
Type: integer
Non-zero counter indicates expired connections because of response not being
received within a certain amount of time after the request is made.
Type: integer
Non-zero counter indicates dropped packets that did not hit any of our iptables
rules and queue drops.
Type: string
Namespace of the enforcer sending the report. This field is deprecated. Use the
'namespace' field instead.
Type: integer
Non-zero counter indicates connections going to and from external networks.
These may be drop or allow counters.
Type: integer
Non-zero counter indicates packets rejected due to anything related to token
creation/parsing failures.
Enforcer
Contains all parameters associated with a registered enforcer. The
object is mainly maintained by the enforcers themselves. Users can read the
object in order to understand the current status of the enforcers.
Example
{ "FQDN": "server1.domain.com", "certificateRequest": "-----BEGIN CERTIFICATE REQUEST----- MIICvDCCAaQCAQAwdzELMAkGA1UEBhMCVVMxDTALBgNVBAgMBFV0YWgxDzANBgNV BAcMBkxpbmRvbjEWMBQGA1UECgwNRGlnaUNlcnQgSW5jLjERMA8GA1UECwwIRGln aUNlcnQxHTAbBgNVBAMMFGV4YW1wbGUuZGlnaWNlcnQuY29tMIIBIjANBgkqhkiG 9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8+To7d+2kPWeBv/orU3LVbJwDrSQbeKamCmo wp5bqDxIwV20zqRb7APUOKYoVEFFOEQs6T6gImnIolhbiH6m4zgZ/CPvWBOkZc+c 1Po2EmvBz+AD5sBdT5kzGQA6NbWyZGldxRthNLOs1efOhdnWFuhI162qmcflgpiI WDuwq4C9f+YkeJhNn9dF5+owm8cOQmDrV8NNdiTqin8q3qYAHHJRW28glJUCZkTZ wIaSR6crBQ8TbYNE0dc+Caa3DOIkz1EOsHWzTx+n0zKfqcbgXi4DJx+C1bjptYPR BPZL8DAeWuA8ebudVT44yEp82G96/Ggcf7F33xMxe0yc+Xa6owIDAQABoAAwDQYJ KoZIhvcNAQEFBQADggEBAB0kcrFccSmFDmxox0Ne01UIqSsDqHgL+XmHTXJwre6D hJSZwbvEtOK0G3+dr4Fs11WuUNt5qcLsx5a8uk4G6AKHMzuhLsJ7XZjgmQXGECpY Q4mC3yT3ZoCGpIXbw+iP3lmEEXgaQL0Tx5LFl/okKbKYwIqNiyKWOMj7ZR/wxWg/ ZDGRs55xuoeLDJ/ZRFf9bI+IaCUd1YrfYcHIl3G87Av+r49YVwqRDT0VDV7uLgqn 29XI1PpVUNCPQGn9p/eX6Qo7vpDaPybRtA2R7XLKjQaF9oXWeCUqy1hvJac9QFO2 97Ob1alpHPoZ7mWiEuJwjBPii6a9M9G30nUo39lBi1w= -----END CERTIFICATE REQUEST-----", "collectInfo": false, "detectedHostModeContainers": false, "enforcementStatus": "Inactive", "lastCollectionID": "xxx-xxx-xxx-xxx -", "logLevel": "Info", "logLevelDuration": "10s", "machineID": "3F23E8DF-C56D-45CF-89B8-A867F3956409", "migrationStatus": "None", "name": "the name", "operationalStatus": "Registered", "protected": false }
Relations
Retrieves the list of enforcers.
Parameters:
Creates a new enforcer.
Deletes the enforcer with the given ID.
Parameters:
Retrieves the enforcer with the given ID.
Updates the enforcer with the given ID.
Returns the list of enforcers that are affected by this mapping.
Returns the list of enforcers affected by an enforcer profile mapping.
Returns the list of enforcers that are affected by this mapping.
Returns a list of the audit profiles that must be applied to this enforcer.
Retrieves the list of debug bundles.
Uploads a debug bundle.
Returns the enforcer profile that must be used by an enforcer.
Sends an enforcer refresh command.
Returns a list of the host services policies that apply to this enforcer.
Parameters:
- appliedServices (boolean): Valid when retrieved for a given enforcer and returns the applied services.
- setServices (boolean): Instructs Microsegmentation Console to cache the services that were resolved.
Sends a poke empty object. This is used to ensure an enforcer is up and running.
Parameters:
- enforcementStatus (enum(Failed | Inactive | Active)): If set, changes the enforcement status of the enforcer along with the poke.
- forceFullPoke (boolean): If set, it will trigger a full poke (slower).
- sessionClose (boolean): If set, terminates a session for an enforcer.
- status (enum(Registered | Connected | Disconnected)): If set, changes the status of the enforcer along with the poke.
Returns the list of certificate authorities that should be trusted by this
enforcer.
Parameters:
- type (enum(Any | X509 | SSH)): Type of certificate to get.
Attributes
Type: string
Contains the fully qualified domain name (FQDN) of the server where the
enforcer is running.
Type: string
If not empty during a create or update operation, the provided certificate
signing request (CSR) will be validated and signed by the Microsegmentation
Console, providing a renewed certificate.
Type: string
The Microsegmentation Console identifier managing this object. This property is mostly
useful when federating multiple Microsegmentation Consoles.
Status of the enforcement for host services.
Default value:
"Inactive"
Type: string
Contains the initial chain of trust for the enforcer. This value is only
given when you retrieve a single enforcer.
Log level of the enforcer.
Default value:
"Info"
Type: string
Determines the duration for which the log level will be active, using Golang
duration syntax.
Default value:
"10s"
Type: []string
Contains tags that can only be set during creation, must all start
with the '@' prefix, and should only be used by external systems.
Defines the migration status.
Default value:
"None"
The status of the enforcer.
Default value:
"Registered"
Type: string
The public token of the server that will be included in the datapath and
is signed by the private certificate authority.
EnforcerLog
An enforcer log represents the log collected by an enforcer. Each enforcer log
can have partial or complete data. The collectionID is used to aggregate the
multipart data into one.
Example
{ "collectionID": "xxx-xxx-xxx-xxx", "enforcerID": "xxx-xxx-xxx-xxx", "protected": false }
Relations
Retrieves the list of enforcerlogs.
Parameters:
Creates a new enforcerlog.
Retrieves the enforcerlog with the given ID.
Attributes
Type: string
Contains the ID of the enforcer log. CollectionID is used to
aggregate the multipart data.
EnforcerReport
Post a new enforcer statistics report.
Example
{ "CPULoad": 10, "enforcerID": "xxx-xxx-xxx-xxx", "licenseType": "Host", "memory": 10000, "name": "aporeto-enforcerd-xxx", "namespace": "/my/ns", "processes": 10, "timestamp": "2018-06-14T23:10:46.420397985Z" }
Relations
Create an enforcer statistics report.
EnforcerTraceReport
Post a new enforcer trace that determines how packets are.
Example
{ "enforcerID": "5c6cce207ddf1fc159a104bf", "enforcerNamespace": "/acme/prod", "namespace": "/acme/prod/database", "puID": "5c6ccd947ddf1fc159a104b7" }
Relations
Create an enforcer trace report.
Attributes
PacketReport
Post a new packet tracing report.
Example
{ "destinationPort": 11000, "encrypt": false, "enforcerID": "xxxx-xxx-xxxx", "enforcerNamespace": "/my/namespace", "event": "Rcv", "mark": 123123, "namespace": "/my/namespace", "packetID": 12333, "protocol": 6, "puID": "xxx-xxx-xxx", "rawPacket": "abcd", "sourcePort": 80, "timestamp": "2018-06-14T23:10:46.420397985Z", "triremePacket": true }
Relations
Create a packet trace report.
PingProbe
Represents the result of a unique ping probe. They are aggregated into a
PingResult.
Example
{ "applicationListening": false, "claimsType": [ "Transmitted" ], "enforcerID": "xxx-xxx-xxx-xxx", "enforcerNamespace": "/my/ns", "excludedNetworks": false, "isServer": false, "payloadSizeType": [ "Transmitted" ], "pingID": "xxx-xxx-xxx-xxx", "remoteEndpointType": [ "External" ], "remoteNamespaceType": [ "Plain" ], "targetTCPNetworks": false, "type": [ "Request" ] }
Relations
Retrieves a ping result.
Create a ping probe.
Attributes
Represents the remote endpoint type.
PingRequest
Initiates a ping request for enforcer debugging.
Example
{ "iterations": 1, "refreshID": "xxxx-xxxx-xxxx" }
Relations
Initiates a new ping request.
Attributes
PingResult
Represents the results of a ping request.
Relations
Retrieves a ping result.
Parameters:
Attributes
Type: []remotepingprobe
Contains information about missing probes in the result. This field will be
populated if the ping probe is managed by a remote controller (federation) or is
stored in a namespace you don’t have any permissions on.
RemotePingProbe
Represents information about a remote ping probe that is governed by a different
set of permissions.
Attributes
Type: string
The namespace where the ping report is stored. Only applicable when the remote
controller is empty.
Type: enum(Plain | Hash)
Type of the namespace reported. It can be hash or plain, depending on various
factors.
TraceMode
Represents the tracing mode to apply to a processing unit.
Example
{ "IPTables": false, "applicationConnections": false, "interval": "10s", "networkConnections": false }
Attributes
Type: string
Determines the length of the time interval that the trace must be
enabled, using Golang duration syntax.
Default value:
"10s"
TraceRecord
Represents a single trace record from the enforcer.
Example
{ "TTL": 64, "chain": "PREROUTING", "destinationIP": "10.1.1.30", "destinationInterface": "en0", "destinationPort": 80, "length": 98, "packetID": 10, "protocol": 80, "ruleID": 10, "sourceIP": "10.1.1.30", "sourceInterface": "en0", "sourcePort": 80, "tableName": "raw", "timestamp": "2018-06-14T23:10:46.420397985Z" }
core/monitoring
Activity
Contains logs of all the activity that happened in a namespace. All successful
or failed actions will be available, along with errors and the claims of
the user who triggered the actions. This log is capped and only keeps the last
50,000 entries by default.
Relations
Retrieves the list of activity logs.
Parameters:
Retrieves the object with the given ID.
Alarm
Represents an event requiring attention.
Example
{ "content": "This is an alarm", "emails": [ "amir@aporeto.com", "john@aporeto.com" ], "kind": "aporeto.alarm.kind", "name": "the name", "protected": false, "status": "Open" }
Relations
Retrieves all the alarms.
Parameters:
Creates a new alarm.
Deletes the object with the given ID.
Parameters:
Retrieves the object with the given ID.
Updates the object with the given ID.
Attributes
Type: string
Identifies the kind of alarm. If two alarms are created with the same
identifier, then only the occurrence will be incremented.
EventLog
Allows you to report various events on any object.
Example
{ "category": "enforcerd:policy", "content": "Unable to activate docker container xyz because abc.", "level": "Info", "targetID": "xxx-xxx-xxx-xxx", "targetIdentity": "processingunit", "title": "Error while activating processing unit." }
Relations
Creates a new event log for a particular entity.
Attributes
Sets the log level.
Default value:
"Info"
Type: string
ID of the object this event log is attached to. The object must be in the same
namespace as the event log.
HealthCheck
This API allows you to retrieve a generic health state of the platform.
A return code different from 200 OK means the platform is not operational.
The health check contains the list of observed subsystems.
Relations
Retrieve the health of the platform.
Parameters:
Message
Allows you to post public messages that will be visible in all
child namespaces.
Example
{ "level": "Info", "name": "the name", "propagate": false, "protected": false, "validity": "12h" }
Relations
Retrieves the list of messages.
Parameters:
- propagated (boolean): Also retrieve the objects that propagate down.
Creates a new message.
Deletes the message with the given ID.
Parameters:
Retrieves the message with the given ID.
Parameters:
- propagated (boolean): Also retrieve the objects that propagate down.
Updates the message with the given ID.
Attributes
core/namespace
DefaultEnforcerVersion
Returns the default enforcer version of the specified namespace.
Relations
Returns the default enforcer version of the specified namespace.
Modify the default enforcer version of the specified namespace.
Attributes
LocalCA
Can be used to retrieve or renew the local and SSH certificate authorities of
the namespace.
Example
{ "SSHCertificateRenew": false, "certificateRenew": false }
Relations
Returns the local and SSH certificate authorities of the namespace.
Renews the local and/or SSH certificate authorities of the namespace.
Namespace
A namespace represents the core organizational unit of the system. All objects
always exist in a single namespace. A namespace can also have child namespaces.
They can be used to split the system into organizations, business units,
applications, services or any combination you like.
Example
{ "JWTCertificateType": "None", "SSHCAEnabled": false, "customZoning": false, "defaultPUIncomingTrafficAction": "Inherit", "defaultPUOutgoingTrafficAction": "Inherit", "localCAEnabled": false, "name": "mynamespace", "protected": false, "serviceCertificateValidity": "168h", "type": "Default" }
Relations
Retrieves the list of namespaces.
Parameters:
Creates a new namespace.
Deletes the namespace with the given ID.
Parameters:
Retrieves the namespace with the given ID.
Updates the namespace with the given ID.
Retrieves the OAUTH info for this namespace.
Parameters:
- mode (enum(oidc)): When set to type OIDC it will return the data as a raw JSON object and not a Microsegmentation Console-compatible API.
Retrieves the OAUTH info for this namespace.
Parameters:
- mode (enum(oidc)): When set to OIDC it will return the data as a raw JSON object and not a Microsegmentation Console-compatible API.
Returns the list of trusted CAs for this namespace.
Parameters:
- type (enum(Any | X509 | SSH | JWT)): Type of certificate to get.
Attributes
Type: enum(RSA | EC | None)
JWTCertificateType defines the JWT signing certificate that must be created
for this namespace. If the type is None, no certificate will be created.
Default value:
"None"
Type: map[string]string
JWTCertificates holds the certificates used to sign tokens for this namespace.
This is a map indexed by the ID of the certificate.
Type: boolean
Describes the default action a processing unit will take for incoming traffic
for this namespace.
Default value:
"Inherit"
Describes the default action a processing unit will take for outgoing traffic
for this namespace.
Default value:
"Inherit"
Type: boolean
Defines whether the namespace should use a local certificate
authority (CA). Switching it off and on again generates a new CA.
Type: []string
Contains tags that can only be set during creation, must all start
with the '@' prefix, and should only be used by external systems.
Type: []string
List of tags that describe this namespace. All organizational tags are
automatically passed to policeable objects (e.g., processing units, external
networks, enforcers) during their creation.
Type: []string
List of tag prefixes that will be used to suggest policies. Only these tags will
be transmitted on the wire.
The type defines the purpose of the namespace:
- Default: A universal namespace that is capable of all actions and views.
- Tenant: A namespace that houses a tenant (e.g. ACME).
- CloudAccount: A child namespace of a tenant that houses a cloud provider account.
- Group: A child namespace of a cloud account that houses a managed group.
- Kubernetes: A child namespace of a group that houses a Kubernetes cluster (automatically created by the enforcer).
Default value:
"Default"
NamespaceMappingPolicy
A namespace mapping defines the namespace a processing unit should
be placed in when it is created, based on its tags. When an enforcer creates
a new processing unit, the system places it in the enforcer's own namespace if no
matching namespace mapping can be found. If one match is found, the
processing unit is bumped down to the namespace declared in the namespace mapping. If
that child namespace contains another matching namespace mapping, the
processing unit is bumped down again, until it reaches a namespace with
no matching namespace mappings. This is very useful for dispatching processes and containers
into a particular namespace based on many factors. For example, you can put in place a
quarantine namespace mapping that captures all processing units with excessive
vulnerabilities.
Example
{ "disabled": false, "mappedNamespace": "/blue/namespace", "name": "the name", "protected": false, "subject": [ [ "color=blue" ] ] }
Relations
Retrieves the list of namespace mappings.
Creates a new namespace mapping.
Deletes the mapping with the given ID.
Retrieves the mapping with the given ID.
Updates the mapping with the given ID.
NamespacePolicyInfo
Returns the policy info of the specified namespace.
Example
{ "PUIncomingTrafficAction": "Allow", "PUOutgoingTrafficAction": "Allow" }
Relations
Returns the policy info of the specified namespace.
Attributes
The processing unit action for incoming traffic for the namespace.
The processing unit action for outgoing traffic for the namespace.
NamespaceRenderer
This object allows you to determine which namespace an object should reside in
based on the tags provided.
Example
{ "tags": [ "a=a", "b=b" ] }
Relations
Renders the namespace where an object should reside.
NamespaceType
Returns the type of the specified namespace.
Relations
Returns the type of the specified namespace.
Attributes
OrganizationalMetadata
Can be used to retrieve the organizational metadata of the namespace.
Relations
Retrieves the list of organizational metadata for the namespace and its
namespace hierarchy.
TagPrefix
Returns the tag prefixes of the specified namespace.
Relations
Returns the tag prefixes of the specified namespace.
Modify the tag prefixes of the specified namespace.
core/policy
ClauseMatch
This API allows you to pass a set of tags and find the objects that would match the
clause in a policy resolution.
Example
{ "clauses": [ [ "color=blue", "size=big" ], [ "color=red" ] ], "targetIdentity": "processingunit" }
Relations
Performs a clause matching.
Attributes
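The two mechanisms described above, clause matching (the `[][]string` subject/object form, outer list OR, inner list AND) and the NamespaceMappingPolicy cascade that bumps a new processing unit down until no mapping matches, as an added example that is not part of the original API documentation. The mapping data, processing units, "first enabled match wins" ordering and the hop limit are all constructed assumptions of this example.

```python
from typing import Dict, List
# [][]string clauses as in the API: the outer list is OR, each inner list is AND of tags.
Clauses = List[List[str]]

def clause_match(clauses: Clauses, tags: List[str]) -> bool:
    """True when at least one clause is satisfied, i.e. every tag of that clause is present."""
    tagset = set(tags)
    return any(all(t in tagset for t in clause) for clause in clauses)

def match_objects(clauses: Clauses, objects: List[dict]) -> List[str]:
    """ClauseMatch-style lookup: names of the objects whose normalizedTags satisfy the clauses."""
    return [o["name"] for o in objects if clause_match(clauses, o["normalizedTags"])]

def resolve_namespace(start_ns: str, tags: List[str],
                      mappings: Dict[str, List[dict]], max_hops: int = 32) -> str:
    """Follow NamespaceMappingPolicy objects from start_ns until none matches the tags.
    Example assumptions (not documented): first enabled match in a namespace wins,
    and max_hops guards against a mapping cycle."""
    ns = start_ns
    for _ in range(max_hops):
        target = next((m["mappedNamespace"] for m in mappings.get(ns, [])
                       if not m.get("disabled", False) and clause_match(m["subject"], tags)),
                      None)
        if target is None or target == ns:
            return ns            # no further mapping: the PU stays here
        ns = target              # bumped down one level; look for mappings in the child
    raise RuntimeError(f"namespace mappings did not converge within {max_hops} hops")

# Constructed sample data, keyed by the namespace each mapping is defined in.
MAPPINGS: Dict[str, List[dict]] = {
    "/acme": [
        {"name": "quarantine", "disabled": False, "mappedNamespace": "/acme/quarantine",
         "subject": [["vulnerability=critical"]]},
        {"name": "blue", "disabled": False, "mappedNamespace": "/acme/blue",
         "subject": [["color=blue"]]},
    ],
    "/acme/blue": [
        {"name": "stale", "disabled": True, "mappedNamespace": "/acme/blue/old",
         "subject": [["color=blue"]]},
        {"name": "big-blue", "disabled": False, "mappedNamespace": "/acme/blue/big",
         "subject": [["size=big"], ["priority=high"]]},
    ],
}
# Constructed processing units, as a ClauseMatch call would see them.
PUS = [
    {"name": "web", "normalizedTags": ["color=blue", "size=big"]},
    {"name": "db", "normalizedTags": ["color=red"]},
    {"name": "cache", "normalizedTags": ["color=blue", "size=small"]},
]
```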
EnforcerRefresh
Sent to enforcers when a poke has been triggered using the
parameter ?notify=true. This is used to notify an enforcer of an
external change on the processing unit that must be processed.
Example
{ "debug": "Counters", "propagate": false, "refreshType": "Debug", "selector": [ [ "$namespace=/a/b" ] ] }
Relations
Create an enforcer refresh report.
Sends an enforcer refresh command.
Attributes
Set the debug information collected by the enforcer.
Default value:
"Counters"
NetworkRule
Represents an ingress or egress network rule.
Example
{ "action": "Allow", "logsDisabled": false, "observationEnabled": false }
Attributes
Type: boolean
Type: [][]string
Identifies the set of remote workloads that the rule relates to. The selector
will identify both processing units as well as external networks that match the
selector.
Policy
Represents the policy primitive used by all Microsegmentation policies.
Example
{ "disabled": false, "fallback": false, "name": "the name", "propagate": false, "propagationHidden": false, "protected": false, "type": "APIAuthorization" }
Relations
Retrieves the list of policy primitives.
Parameters:
- propagated (boolean): Also retrieve the objects that propagate down.
Deletes the object with the given ID.
Retrieves the object with the given ID.
Attributes
Defines a set of actions that must be enforced when a dependency is met.
activeDuration (value pattern ends in `[smh]$`)
Type: string
Defines for how long the policy will be active according to the
activeSchedule.
Type: string
Defines when the policy should be active using the cron notation.
The policy will be active for the given activeDuration.
Type: []string
Contains tags that can only be set during creation, must all start
with the '@' prefix, and should only be used by external systems.
Type: [][]string
Represents the set of entities that another entity depends on. As with subjects,
objects are identified as logical operations on tags when a policy is defined.
Type: [][]string
Type of the policy.
PolicyRefresh
Sent to a client as a push event when a policy refresh is needed on their side.
PolicyRule
Allows services to retrieve a policy resolution (internal).
Example
{ "name": "the name", "propagated": false }
Relations
Retrieves the object with the given ID.
Attributes
Defines the set of actions that must be enforced when a dependency is met.
ProcessingUnitRefresh
Sent to the client when a poke has been triggered using the
parameter ?notify=true. This is used to notify an enforcer of an
external change on the processing unit that must be processed.
Example
{ "debug": false, "pingEnabled": false, "pingIterations": 1, "pingMode": "Auto", "refreshPolicy": false, "traceApplicationConnections": false, "traceDuration": "10s", "traceIPTables": false, "traceNetworkConnections": false }
Relations
Sends a Processing Unit Refresh command.
Attributes
Type: boolean
Instructs the enforcer to send records for all
application-initiated connections for the target processing unit.
Type: string
Determines the length of the time interval that the trace must be
enabled for, using Golang duration syntax.
Default value:
"10s"
Type: boolean
Instructs the enforcer to send records for all
network-initiated connections for the target processing unit.
RenderedPolicy
Retrieve the aggregated policies applied to a particular processing unit.
Example
{ "defaultPUIncomingTrafficAction": "Reject", "defaultPUOutgoingTrafficAction": "Reject", "processingUnit": "{ \"name\": \"pu\", \"type\": \"Docker\", \"normalizedTags\": [ \"a=a\", \"b=b\" ] }" }
Relations
Render a policy for a processing unit.
Parameters:
- renderer (enum(v1 | v2)): Select the network policy renderer to use.
Retrieves the policies for the processing unit.
Parameters:
- renderer (enum(v1 | v2)): Select the network policy renderer to use.
Attributes
Type: string
The certificate associated with this processing unit. It will identify the
processing unit to any internal or external services.
The datapath type that this processing unit must implement according to
the rendered policy:
- Default: This policy is not making a decision for the datapath.
- Aporeto: The enforcer is managing and handling the datapath.
- EnvoyAuthorizer: The enforcer is serving Envoy-compatible gRPC APIs which can, for example, be used by an Envoy proxy to use the Microsegmentation PKI and implement Microsegmentation network policies. NOTE: The enforcer does not own the datapath in this case. It is merely providing an authorizer API.
Type: processingunit
Can be set during a POST operation to render a policy on a processing unit
that has not been created yet.
core/processingunit
DataPathCertificate
Used by enforcer instances to retrieve various certificates used
for the datapath.
Example
{ "CSR": "-----BEGIN CERTIFICATE REQUEST----- MIICvDCCAaQCAQAwdzELMAkGA1UEBhMCVVMxDTALBgNVBAgMBFV0YWgxDzANBgNV BAcMBkxpbmRvbjEWMBQGA1UECgwNRGlnaUNlcnQgSW5jLjERMA8GA1UECwwIRGln aUNlcnQxHTAbBgNVBAMMFGV4YW1wbGUuZGlnaWNlcnQuY29tMIIBIjANBgkqhkiG 9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8+To7d+2kPWeBv/orU3LVbJwDrSQbeKamCmo wp5bqDxIwV20zqRb7APUOKYoVEFFOEQs6T6gImnIolhbiH6m4zgZ/CPvWBOkZc+c 1Po2EmvBz+AD5sBdT5kzGQA6NbWyZGldxRthNLOs1efOhdnWFuhI162qmcflgpiI WDuwq4C9f+YkeJhNn9dF5+owm8cOQmDrV8NNdiTqin8q3qYAHHJRW28glJUCZkTZ wIaSR6crBQ8TbYNE0dc+Caa3DOIkz1EOsHWzTx+n0zKfqcbgXi4DJx+C1bjptYPR BPZL8DAeWuA8ebudVT44yEp82G96/Ggcf7F33xMxe0yc+Xa6owIDAQABoAAwDQYJ KoZIhvcNAQEFBQADggEBAB0kcrFccSmFDmxox0Ne01UIqSsDqHgL+XmHTXJwre6D hJSZwbvEtOK0G3+dr4Fs11WuUNt5qcLsx5a8uk4G6AKHMzuhLsJ7XZjgmQXGECpY Q4mC3yT3ZoCGpIXbw+iP3lmEEXgaQL0Tx5LFl/okKbKYwIqNiyKWOMj7ZR/wxWg/ ZDGRs55xuoeLDJ/ZRFf9bI+IaCUd1YrfYcHIl3G87Av+r49YVwqRDT0VDV7uLgqn 29XI1PpVUNCPQGn9p/eX6Qo7vpDaPybRtA2R7XLKjQaF9oXWeCUqy1hvJac9QFO2 97Ob1alpHPoZ7mWiEuJwjBPii6a9M9G30nUo39lBi1w= -----END CERTIFICATE REQUEST-----", "objectID": "5c83035648675400019ab901", "sessionID": "5c83035648675400019ab901", "type": "Service" }
Relations
Creates a new certificate for datapath.
Attributes
ProcessingUnit
A processing unit represents anything that can compute. It can be a Docker
container or a simple UNIX process. Processing units are created, updated, and
deleted by the system as they come and go. You can only modify their tags.
Processing units use network policies to define which other processing units or
external networks they can communicate with, and file access policies to define
what file paths they can use.
Example
{ "collectInfo": false, "datapathType": "Aporeto", "enforcementStatus": "Inactive", "name": "the name", "operationalStatus": "Initialized", "protected": false, "type": "Docker" }
Relations
Creates a new processing unit.
Deletes the processing unit with the given ID.
Retrieves the processing unit with the given ID.
Updates the processing unit with the given ID.
Returns the list of processing units that match the policy.
Returns the list of processing units affected by an infrastructure policy.
Parameters:
- mode (enum(subject | object)): Matching mode.
Returns the list of processing units affected by a network policy.
Parameters:
- mode (enum(subject | object)): Matching mode.
Returns the list of processing units affected by a network rule set policy.
Parameters:
- mode (enum(subject | object)): Matching mode.
Returns the list of processing units referenced by the mapping.
Returns the list of processing units that depend on a service.
Retrieves the processing units that implement this service.
Retrieves the processing units affected by the vulnerability.
Create a ping probe.
Sends an empty poke object. This will send a snapshot of the processing unit to
the time series database.
Parameters:
- enforcementStatus (enum(Failed | Inactive | Active)): If set, changes the enforcement status of the processing unit along with the poke.
- forceFullPoke (boolean): If set, it will trigger a full poke (slower).
- notify (boolean): Can be sent to trigger a ProcessingUnitRefresh event that will be handled by the enforcer. If this is set, all other additional parameters will be ignored.
- status (enum(Initialized | Paused | Running | Stopped)): If set, changes the status of the processing unit along with the poke.
Sends a Processing Unit Refresh command.
Retrieves the policies for the processing unit.
Parameters:
- renderer (enum(v1 | v2)): Select the network policy renderer to use.
Retrieves the services used by a processing unit.
Retrieves the vulnerabilities affecting the processing unit.
Parameters:
- propagated (boolean): Also retrieve the objects that propagate down.
Attributes
Type: string
The local PUID set by the enforcer. The enforcer may create a local PU if it cannot
communicate with the Microsegmentation Console. When the
Microsegmentation Console is eventually able to create the PU, the clientLocalID is
used to convert a CachedFlowReport containing a local PUID into a real FlowReport.
Type: map[string]string
Represents the latest information collected by the enforcer for this processing
unit.
Type: string
The Microsegmentation Console identifier managing this object. This property is mostly
useful when federating multiple Microsegmentation Consoles.
The datapath type that processing units are implementing:
- Aporeto: The enforcer is managing and handling the datapath.
- EnvoyAuthorizer: The enforcer is serving Envoy-compatible gRPC APIs which can, for example, be used by an Envoy proxy to use the Microsegmentation PKI and implement Microsegmentation network policies. NOTE: The enforcer does not own the datapath in this case. It is merely providing an authorizer API.
Default value:
"Aporeto"