Traffic Data - Application Firewall Definition

Application Firewall Definition define the matching conditions and Actions to configure Application Firewall

Diagram

Classes

data_policy (sdwan.centralized_policies.definitions)

Name	Type	Constraint	Mandatory	Default Value
traffic_data	List	`[traffic_data]`	No

traffic_data (sdwan.centralized_policies.definitions.data_policy)

Name	Type	Constraint	Mandatory
name	String	Regex: `^[A-Za-z0-9\-_]{1,127}$`	Yes
description	String		Yes
default_action_type	Choice	`accept`, `drop`	Yes
sequences	List	`[sequences]`	No

sequences (sdwan.centralized_policies.definitions.data_policy.traffic_data)

Name	Type	Constraint	Mandatory	Default Value
base_action	Choice	`accept`, `drop`	Yes
id	Integer	min: `1`, max: `65534`	Yes
name	String		Yes
ip_type	Choice	`ipv4`, `ipv6`, `all`	No	`ipv4`
type	Choice	`custom`, `service_chaining`, `qos`, `application_firewall`, `traffic_engineering`	No	`custom`
match_criterias	Class	`[match_criterias]`	No
actions	Class	`[actions]`	No

match_criterias (sdwan.centralized_policies.definitions.data_policy.traffic_data.sequences)

Name	Type	Constraint	Mandatory
application_list	String	Regex: `^[A-Za-z0-9\-_]{1,32}$`	No
dns_application_list	String	Regex: `^[A-Za-z0-9\-_]{1,32}$`	No
dns	Choice	`request`, `response`	No
dscp	Integer	min: `0`, max: `63`	No
packet_length	Integer	min: `0`, max: `65535`	No
plp	Choice	`low`, `high`	No
protocols	List	Integer[min: `0`, max: `255`]	No
source_data_prefix_list	String	Regex: `^[A-Za-z0-9\-_]{1,32}$`	No
source_data_prefix	String		No
source_ports	List	Integer[min: `0`, max: `65535`]	No
source_port_ranges	List	`[source_port_ranges]`	No
destination_data_prefix_list	String	Regex: `^[A-Za-z0-9\-_]{1,32}$`	No
destination_data_prefix	String		No
destination_ports	List	Integer[min: `0`, max: `65535`]	No
destination_port_ranges	List	`[destination_port_ranges]`	No
tcp	Choice	`syn`	No
traffic_to	Choice	`access`, `core`, `service`	No
destination_region	Choice	`primary-region`, `secondary-region`, `other-region`	No

actions (sdwan.centralized_policies.definitions.data_policy.traffic_data.sequences)

Name	Type	Constraint	Mandatory
counter_name	String	Regex: `^[A-Za-z0-9\-_]{1,20}$`	No
log	Boolean	`true`, `false`	No
cflowd	Boolean	`true`, `false`	No
sig	Class	`[sig]`	No
redirect_dns	Class	`[redirect_dns]`	No
loss_correction	Class	`[loss_correction]`	No
nat_pool	Integer	min: `1`, max: `31`	No
nat_vpn	Class	`[nat_vpn]`	No
appqoe_optimization	Class	`[appqoe_optimization]`	No
dscp	Integer	min: `0`, max: `63`	No
forwarding_class	String	min: `1`, max: `32`	No
local_tloc_list	Class	`[local_tloc_list]`	No
next_hop	Class	`[next_hop]`	No
preferred_color_group	String	Regex: `^[A-Za-z0-9\-_]{1,32}$`	No
policer_list	String	Regex: `^[A-Za-z0-9\-_]{1,32}$`	No
service	Class	`[service]`	No
tloc	Class	`[tloc]`	No
tloc_list	String	Regex: `^[A-Za-z0-9\-_]{1,32}$`	No
vpn	Integer	min: `0`, max: `65530`	No

source_port_ranges (sdwan.centralized_policies.definitions.data_policy.traffic_data.sequences.match_criterias)

Name	Type	Constraint	Mandatory	Default Value
from	Integer	min: `0`, max: `65535`	Yes
to	Integer	min: `0`, max: `65535`	Yes

destination_port_ranges (sdwan.centralized_policies.definitions.data_policy.traffic_data.sequences.match_criterias)

Name	Type	Constraint	Mandatory	Default Value
from	Integer	min: `0`, max: `65535`	Yes
to	Integer	min: `0`, max: `65535`	Yes

sig (sdwan.centralized_policies.definitions.data_policy.traffic_data.sequences.actions)

Name	Type	Constraint	Mandatory	Default Value
enabled	Boolean	`true`, `false`	Yes
fallback_to_routing	Boolean	`true`, `false`	No

redirect_dns (sdwan.centralized_policies.definitions.data_policy.traffic_data.sequences.actions)

Name	Type	Constraint	Mandatory	Default Value
type	Choice	`host`, `umbrella`, `ipAddress`	Yes
ip_address	IP		No

loss_correction (sdwan.centralized_policies.definitions.data_policy.traffic_data.sequences.actions)

Name	Type	Constraint	Mandatory	Default Value
type	Choice	`fecAdaptive`, `fecAlways`, `packetDuplication`	Yes
loss_threshold_percentage	Integer	min: `1`, max: `5`	No

nat_vpn (sdwan.centralized_policies.definitions.data_policy.traffic_data.sequences.actions)

Name	Type	Constraint	Mandatory	Default Value
vpn_id	Integer	min: `0`, max: `65530`	No
nat_vpn_fallback	Boolean	`true`, `false`	No

appqoe_optimization (sdwan.centralized_policies.definitions.data_policy.traffic_data.sequences.actions)

Name	Type	Constraint	Mandatory
tcp	Boolean	`true`, `false`	No
dre	Boolean	`true`, `false`	No
service_node_group	String		No

local_tloc_list (sdwan.centralized_policies.definitions.data_policy.traffic_data.sequences.actions)

Name	Type	Constraint	Mandatory
colors	List	Choice[`default`, `mpls`, `metro-ethernet`, `biz-internet`, `public-internet`, `lte`, `3g`, `red`, `green`, `blue`, `gold`, `silver`, `bronze`, `custom1`, `custom2`, `custom3`, `private1`, `private2`, `private3`, `private4`, `private5`, `private6`]	Yes
encaps	List	Choice[`ipsec`, `gre`]	No
restrict	Boolean	`true`, `false`	No

next_hop (sdwan.centralized_policies.definitions.data_policy.traffic_data.sequences.actions)

Name	Type	Constraint	Mandatory	Default Value
ip_address	IP		Yes
when_next_hop_is_not_available	Choice	`route_table_entry`	No

service (sdwan.centralized_policies.definitions.data_policy.traffic_data.sequences.actions)

Name	Type	Constraint	Mandatory
type	Choice	`appqoe`, `FW`, `IDP`, `IDS`, `netsvc1`, `netsvc2`, `netsvc3`, `netsvc4`, `netsvc5`	Yes
vpn	Integer	min: `0`, max: `65530`	No
tloc	Class	`[tloc]`	No
tloc_list	String	Regex: `^[A-Za-z0-9\-_]{1,32}$`	No
local	Boolean	`true`, `false`	No
restrict	Boolean	`true`, `false`	No

tloc (sdwan.centralized_policies.definitions.data_policy.traffic_data.sequences.actions)

Name	Type	Constraint	Mandatory
ip	IP		Yes
color	Choice	`default`, `mpls`, `metro-ethernet`, `biz-internet`, `public-internet`, `lte`, `3g`, `red`, `green`, `blue`, `gold`, `silver`, `bronze`, `custom1`, `custom2`, `custom3`, `private1`, `private2`, `private3`, `private4`, `private5`, `private6`	Yes
encap	Choice	`ipsec`, `gre`	Yes

Examples

sdwan:
  centralized_policies:
    definitions:
      data_policy:
        traffic_data:
          - name: test_policy
            description: test_policy_description
            default_action_type: accept
            sequences:
              - base_action: drop
                id: 4
                name: rule4
                ip_type: ipv4
                type: application_firewall
                match_criterias:
                  application_list: APP-LIST-TD-TEST2
                  dscp: 54
                  packet_length: 1150
                  plp: high
                  protocols:
                    - 89
                    - 90
                    - 91
                  source_data_prefix_list: PREFIX-LIST-TD-TEST2
                  source_data_prefix: 10.2.1.0/24
                  source_ports:
                    - 676
                    - 53
                  source_port_ranges:
                    - from: 1001
                      to: 2000
                    - from: 3001
                      to: 4000
                  destination_data_prefix_list: PREFIX-LIST-TD-TEST1
                  destination_data_prefix: 10.1.1.0/24
                  destination_ports:
                    - 676
                    - 53
                  destination_port_ranges:
                    - from: 1001
                      to: 2000
                    - from: 3001
                      to: 4000
                  tcp: 'syn'
                actions:
                  log: true
                  counter_name: LOGGER-TD-TEST2