Cisco Cisco Security Manager 4.7 Guía Del Usuario
Cisco Security Manager 4.7 API Specification (Version 2.0)
OL- 32164-01
Page 183
3.3.1 DeviceAccessRuleFirewallPolicy
The details given below are similar for deviceAccessRuleFirewallPolicy and
deviceAccessRuleUnifiedFirewallPolicy. In the case of inherited policies on the device, the local policies can be
modified by using the add/modify/delete byGIDs methods, but the other policies (from which it is inheriting) need
to be modified by using the add/modify/delete byName methods. Because each rule has the policy inheritance
information, it is easy to determine which method needs to be used. Also, the GID element should not be present
while adding or creating a new access-list entry; for modification and deletion cases, GID is mandatory. To
understand the individual elements please see Section
deviceAccessRuleUnifiedFirewallPolicy. In the case of inherited policies on the device, the local policies can be
modified by using the add/modify/delete byGIDs methods, but the other policies (from which it is inheriting) need
to be modified by using the add/modify/delete byName methods. Because each rule has the policy inheritance
information, it is easy to determine which method needs to be used. Also, the GID element should not be present
while adding or creating a new access-list entry; for modification and deletion cases, GID is mandatory. To
understand the individual elements please see Section
The following points needs to be kept in mind during the write operations:
1. The position to insert the rule is determined by the orderID that is given in the request XML. The orderID given
in the request must be present in the already-exisiting rule, and the add operation will push the existing rule with the
given orderID to a position lower and insert the requested rule in the given position. If no orderID is given (e.g.,
orderID element is not present), then the rule is inserted in the last position.
in the request must be present in the already-exisiting rule, and the add operation will push the existing rule with the
given orderID to a position lower and insert the requested rule in the given position. If no orderID is given (e.g.,
orderID element is not present), then the rule is inserted in the last position.
2. If the rule needs to be inserted within a section, then the name of the section can be given in the request, and if no
orderID is given, then the rule will be inserted as the last rule in the section. The rules can also be inserted within a
section by giving the proper orderID without giving the section name.
orderID is given, then the rule will be inserted as the last rule in the section. The rules can also be inserted within a
section by giving the proper orderID without giving the section name.
3. In the case of a bulk request, it is sufficient for the first rule to have the proper orderID; the remaining rules in
the request are added in the subsequent lower positions. Rules cannot be inserted in non-contiguous positions in a
single bulk request but can be achieved by using more than one add request.
the request are added in the subsequent lower positions. Rules cannot be inserted in non-contiguous positions in a
single bulk request but can be achieved by using more than one add request.
4. If a requested rule that is a global rule is given an orderID that is higher than an interface-specific rule, then the
add method will throw an error message.
add method will throw an error message.
5. In a single bulk request, global and interface-specific rules cannot both be added.
6. In the case of shared policies in a single request, rules cannot be added to both mandatory and default sections.
7. Sections cannot be created or edited via the APIs in Version 2.0.
8. More than one rule rule can be modified/deleted by using a single bulk request.
9. To add a global access rule, the gid value under <interfaceRoleObjectGIDs> should be 213.
10. If user-defined names are required for access lists, then FirewallACLSettingsPolicy should be used.
3.3.2 FirewallACLSettingsPolicy
This policy is used mainly for giving user-defined names for the access list. For details of the policy, please see
Section
Section
213.