cloud_firewall_rules¶
The following methods allow for interaction with the ZIA Cloud Firewall Policies API endpoints.
Methods are accessible via zia.cloud_firewall_rules
Copyright (c) 2023, Zscaler Inc.
Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED “AS IS” AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- class FirewallPolicyAPI¶
Bases:
APIClient- add_rule(**kwargs)¶
Adds a new firewall filter rule.
- Parameters:
- Keyword Arguments:
order (str) – Rule order, defaults to the bottom.
rank (str) – Admin rank of the rule.
state (str) – Rule state (‘ENABLED’ or ‘DISABLED’).
description (str) – Rule description.
src_ips (list) – Source IPs for the rule. Accepts IP addresses or CIDR.
dest_addresses (list) – Destination IPs for the rule. Accepts IP addresses or CIDR.
dest_ip_categories (list) – IP address categories for the rule.
dest_countries (list) – Destination countries for the rule.
predefined (bool) – Indicates that the rule is predefined by using a true value
default_rule (bool) – Indicates whether the rule is the Default Cloud IPS Rule or not
enable_full_logging (bool) – If True, enables full logging.
nw_applications (list) – Network service applications for the rule.
app_services (list) – IDs for application services for the rule.
app_service_groups (list) – IDs for app service groups.
departments (list) – IDs for departments the rule applies to.
dest_ip_groups (list) – IDs for destination IP groups.
dest_ipv6_groups (list) – IDs for destination IPV6 groups.
devices (list) – IDs for devices managed by Zscaler Client Connector.
device_groups (list) – IDs for device groups managed by Zscaler Client Connector.
groups (list) – IDs for groups the rule applies to.
labels (list) – IDs for labels the rule applies to.
locations (list) – IDs for locations the rule applies to.
location_groups (list) – IDs for location groups.
nw_application_groups (list) – IDs for network application groups.
nw_services (list) – IDs for network services the rule applies to.
nw_service_groups (list) – IDs for network service groups.
time_windows (list) – IDs for time windows the rule applies to.
users (list) – IDs for users the rule applies to.
- Returns:
New firewall filter rule resource record.
- Return type:
Tuple
Examples
Add a rule to allow all traffic to Google DNS:
>>> added_rule, _, error = client.zia.cloud_firewall_rules.add_rule( ... name=f"NewRule {random.randint(1000, 10000)}", ... description=f"NewRule {random.randint(1000, 10000)}", ... enabled=True, ... order=1, ... rank=7, ... action='ALLOW', ... enable_full_logging=True, ... src_ips=['192.168.100.0/24', '192.168.200.1'], ... dest_addresses=['3.217.228.0-3.217.231.255', 'server1.acme.com', '*.acme.com'], ... exclude_src_countries=True, ... source_countries=['COUNTRY_AD', 'COUNTRY_AE', 'COUNTRY_AF'], ... dest_countries=['COUNTRY_BR', 'COUNTRY_CA', 'COUNTRY_US'], ... dest_ip_categories=['BOTNET', 'MALWARE_SITE', 'PHISHING', 'SUSPICIOUS_DESTINATION'], ... device_trust_levels=['UNKNOWN_DEVICETRUSTLEVEL', 'LOW_TRUST', 'MEDIUM_TRUST', 'HIGH_TRUST'], ... ) >>> if error: ... print(f"Error adding rule: {error}") ... return ... print(f"Rule added successfully: {added_rule.as_dict()}")
- delete_rule(rule_id)¶
Deletes the specified firewall filter rule.
- Parameters:
rule_id (str) – The unique identifier for the firewall filter rule.
- Returns:
The status code for the operation.
- Return type:
Examples
>>> _, _, error = client.zia.cloud_firewall_rules.delete_rule('54528') >>> if error: ... print(f"Error deleting rule: {error}") ... return ... print(f"Rule with ID {updated_rule.id} deleted successfully.")
- get_rule(rule_id)¶
Returns information for the specified firewall filter rule.
- Parameters:
rule_id (str) – The unique identifier for the firewall filter rule.
- Returns:
The resource record for the firewall filter rule.
- Return type:
Tuple
Examples
>>> fetched_rule, _, error = client.zia.cloud_firewall_rules.get_rule('1456549') >>> if error: ... print(f"Error fetching rule by ID: {error}") ... return ... print(f"Fetched rule by ID: {fetched_rule.as_dict()}")
- list_rules(query_params=None)¶
List firewall rules in your organization. If the search parameter is provided, the function filters the rules client-side.
- Parameters:
{dict} (query_params) – Map of query parameters for the request.
[query_params.rule_name]{str}: Filters rules based on rule names using the specified keywords[query_params.rule_label]{str}: Filters rules based on rule labels using the specified keywords[query_params.rule_order]{str}: Filters rules based on rule order using the specified keywords[query_params.rule_description]{str}: Filters rules based on descriptions using the specified keywords[query_params.rule_action]{str}: Filters rules based on rule actions using the specified keywords[query_params.location]{str}: Filters rules based on locations using the specified keywords[query_params.department]{str}: Filters rules based on user departments using the specified keywords[query_params.group]{str}: Filters rules based on user groups using the specified keywords[query_params.user]{str}: Filters rules based on users using the specified keywords[query_params.device]{str}: Filters rules based on devices using the specified keywords[query_params.device_group]{str}: Filters rules based on device groups using the specified keywords[query_params.device_trust_level]{str}: Filters rules based on device trust levels using keywords[query_params.src_ips]{str}: Filters rules based on source IP addresses using the specified keywords[query_params.dest_addresses]{str}: Filters rules based on destination IP using the specified keywords[query_params.src_ip_groups]{str}: Filters rules based on source IP groups using the specified keywords[query_params.dest_ip_groups]{str}: Filters rules based on destination groups using the specified keywords[query_params.nw_application]{str}: Filters rules based on network applications using keywords[query_params.nw_services]{str}: Filters rules based on network services using the specified keywords[query_params.dest_ip_categories]{str}: Filters rules based on destination URL categories using keywords[query_params.page]{str}: Specifies the page offset[query_params.page_size]{str}: Specifies the page size. Default size is set to 5,000 if not specified.- Returns:
A tuple containing (list of firewall rules instances, Response, error)
- Return type:
Examples: >>> rules, response, error = zia.zia.cloud_firewall_rules.list_rules() … pprint(rule)
>>> rules, response, error = zia.zia.cloud_firewall_rules.list_rules( query_params={"search": "Block malicious IPs and domains"}) ... pprint(rule)
- update_rule(rule_id, **kwargs)¶
Updates an existing firewall filter rule.
- Parameters:
rule_id (str) – The unique ID for the rule that is being updated.
**kwargs – Optional keyword args.
- Keyword Arguments:
order (str) – Rule order, defaults to the bottom.
rank (str) – Admin rank of the rule.
state (str) – Rule state (‘ENABLED’ or ‘DISABLED’).
description (str) – Rule description.
src_ips (list) – Source IPs for the rule. Accepts IP addresses or CIDR.
dest_addresses (list) – Destination IPs for the rule. Accepts IP addresses or CIDR.
dest_ip_categories (list) – IP address categories for the rule.
dest_countries (list) – Destination countries for the rule.
predefined (bool) – Indicates that the rule is predefined by using a true value
default_rule (bool) – Indicates whether the rule is the Default Cloud IPS Rule or not
enable_full_logging (bool) – If True, enables full logging.
nw_applications (list) – Network service applications for the rule.
app_services (list) – IDs for application services for the rule.
app_service_groups (list) – IDs for app service groups.
departments (list) – IDs for departments the rule applies to.
dest_ip_groups (list) – IDs for destination IP groups.
dest_ipv6_groups (list) – IDs for destination IPV6 groups.
devices (list) – IDs for devices managed by Zscaler Client Connector.
device_groups (list) – IDs for device groups managed by Zscaler Client Connector.
groups (list) – IDs for groups the rule applies to.
labels (list) – IDs for labels the rule applies to.
locations (list) – IDs for locations the rule applies to.
location_groups (list) – IDs for location groups.
nw_application_groups (list) – IDs for network application groups.
nw_services (list) – IDs for network services the rule applies to.
nw_service_groups (list) – IDs for network service groups.
time_windows (list) – IDs for time windows the rule applies to.
users (list) – IDs for users the rule applies to.
- Returns:
The updated firewall filter rule resource record.
- Return type:
Tuple
Examples
Update the destination IP addresses for a rule:
>>> added_rule, _, error = client.zia.cloud_firewall_rules.update_rule( ... rule_id='12455' ... name=f"NewRule {random.randint(1000, 10000)}", ... description=f"NewRule {random.randint(1000, 10000)}", ... enabled=True, ... order=1, ... rank=7, ... action='ALLOW', ... enable_full_logging=True, ... src_ips=['192.168.100.0/24', '192.168.200.1'], ... dest_addresses=['3.217.228.0-3.217.231.255', 'server1.acme.com', '*.acme.com'], ... exclude_src_countries=True, ... source_countries=['COUNTRY_AD', 'COUNTRY_AE', 'COUNTRY_AF'], ... dest_countries=['COUNTRY_BR', 'COUNTRY_CA', 'COUNTRY_US'], ... dest_ip_categories=['BOTNET', 'MALWARE_SITE', 'PHISHING', 'SUSPICIOUS_DESTINATION'], ... device_trust_levels=['UNKNOWN_DEVICETRUSTLEVEL', 'LOW_TRUST', 'MEDIUM_TRUST', 'HIGH_TRUST'], ... ) >>> if error: ... print(f"Error adding rule: {error}") ... return ... print(f"Rule added successfully: {added_rule.as_dict()}")