Техническое Руководство для Cisco Cisco Security Manager 3.3
Cisco Security Manager 4.4 API Specification (Version 1.1)
OL- 29074-01
Page 45
3.1.4 PolicyObject Derived Classes
This section and sub-sections define the supported PolicyObject classes for this API.
3.1.4.1 NetworkPolicyObject
A NetworkPolicyObject extends from the BasePolicyObject class and inherits all its attributes. A
NetworkPolicyObject defines an IPv4 address, network or range.
NetworkPolicyObject defines an IPv4 address, network or range.
Policy definitions reference the NetworkPolicyObject via the gid value. The inherited "subtype" attribute defines
the type of IPv4 data contained. The allowable values for subtype for a NetworkPolicyObject are “Host”,
“Network”, “Address Range”, “FQDN” and “Group”. The contents of a NetworkPolicyObject can also be “empty”
in some cases when the inherited isGroup attribute is set to true (and subtype is “Group”). In such cases the
NetworkPolicyObject is itself a container reference to “other Network Policy Objects”.
the type of IPv4 data contained. The allowable values for subtype for a NetworkPolicyObject are “Host”,
“Network”, “Address Range”, “FQDN” and “Group”. The contents of a NetworkPolicyObject can also be “empty”
in some cases when the inherited isGroup attribute is set to true (and subtype is “Group”). In such cases the
NetworkPolicyObject is itself a container reference to “other Network Policy Objects”.
The list of gid values for such a PolicyObject is obtained from the refs inherited attribute. Also a “Group”
NetworkPolicyObject can sometimes also contain multiple IPv4Data elements denoting literal IPv4 address,
network or ranges. The combinations of data from the refs attribute references and the IPv4Data elements denote the
complete group of addresses the policy object references.
NetworkPolicyObject can sometimes also contain multiple IPv4Data elements denoting literal IPv4 address,
network or ranges. The combinations of data from the refs attribute references and the IPv4Data elements denote the
complete group of addresses the policy object references.
Element
Type
Comment
ipv4Data
String
Defines a specific IPv4 data like address, range or network.
ipData
String
Defines a specific IP data like address, range or network.It can be both
IPv4 and IPv6
IPv4 and IPv6
fqdnData
Complex
Contains Fully Qualified Domain Name (FQDN) if this is a FQDN
type NetworkPolicyObjects
type NetworkPolicyObjects
fqdnData.value
String
The FQDN string
fqdnData.isIPv4Only
boolean
If true, the command generated and sent to the device contains the “v4”
parameter.
parameter.
Table 21: NetworkPolicyObject Class Definition
NOTE: From API version 1.1, a new tag called <ipData> has been added to the Network Object definition.
Network objects referenced in legacy policies like DeviceAccessRuleFirewallPolicy will continue to use
<ipv4Data> as these policies only reference IPv4 addresses. However, newer policies like
DeviceAccessRuleUnifiedFirewallPolicy will use the <ipData> tag in the policy. This is because an <ipData> tag
can contain both IPv4 and IPv6 addresses.
Network objects referenced in legacy policies like DeviceAccessRuleFirewallPolicy will continue to use
<ipv4Data> as these policies only reference IPv4 addresses. However, newer policies like
DeviceAccessRuleUnifiedFirewallPolicy will use the <ipData> tag in the policy. This is because an <ipData> tag
can contain both IPv4 and IPv6 addresses.