ALBWafPolicy (schema)

WafPolicy

Advanced load balancer WafPolicy object

Name Description Type Notes

_create_time Timestamp of resource creation EpochMsTimestamp Readonly
Sortable

_create_user ID of the user who created this resource string Readonly

_last_modified_time Timestamp of last modification EpochMsTimestamp Readonly
Sortable

_last_modified_user ID of the user who last modified this resource string Readonly

_links References related to this resource

The server will populate this field when returing the resource. Ignored on PUT and POST. array of ResourceLink Readonly

_protection Indicates protection status of this resource

Protection status is one of the following:
PROTECTED - the client who retrieved the entity is not allowed
to modify it.
NOT_PROTECTED - the client who retrieved the entity is allowed
to modify it
REQUIRE_OVERRIDE - the client who retrieved the entity is a super
user and can modify it, but only when providing
the request header X-Allow-Overwrite=true.
UNKNOWN - the _protection field could not be determined for this
entity.
string Readonly

_revision Generation of this resource config

The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected. int

_schema Schema for this resource string Readonly

_self Link to this resource SelfResourceLink Readonly

_system_owned Indicates system owned resource boolean Readonly

allow_mode_delegation Allow mode delegation

Allow Rules to overwrite the policy mode.
This must be set if the policy mode is set to enforcement.
Default value when not specified in API or module is
interpreted by ALB Controller as true.
boolean Default: "True"

application_signatures Application signatures

Application Specific Signatures. ALBWafApplicationSignatures

children subtree for this type within policy tree

subtree for this type within policy tree containing nested elements.
array of ChildPolicyConfigResource
Children are not allowed for this type

confidence_override Confidence override

Configure thresholds for confidence labels. ALBAppLearningConfidenceOverride

created_by Created by

Creator name. string

crs_overrides Crs overrides

Override attributes for CRS rules. array of ALBWafRuleGroupOverrides

description Description of this resource string Maximum length: 1024
Sortable

display_name Identifier to use when displaying entity in logs or GUI

Defaults to ID if not set string Maximum length: 255
Sortable

enable_app_learning Enable app learning

Enable Application Learning for this WAF policy.
Default value when not specified in API or module is
interpreted by ALB Controller as false.
boolean Default: "False"

enable_auto_rule_updates Enable auto rule updates

Enable Application Learning based rule updates on the WAF
Profile.
Rules will be programmed in dedicated WAF learning group.
Default value when not specified in API or module is
interpreted by ALB Controller as true.
boolean Default: "True"

failure_mode Failure mode

WAF Policy failure mode.
This can be 'Open' or 'Closed'.
Enum options - WAF_FAILURE_MODE_OPEN,
WAF_FAILURE_MODE_CLOSED.
Default value when not specified in API or module is
interpreted by ALB Controller as WAF_FAILURE_MODE_OPEN.
ALBWafFailureMode Default: "WAF_FAILURE_MODE_OPEN"

id Unique identifier of this resource string Sortable

learning_params Learning params

Parameters for tuning Application learning. ALBAppLearningParams

marked_for_delete Indicates whether the intent object is marked for deletion

Intent objects are not directly deleted from the system when a delete
is invoked on them. They are marked for deletion and only when all the
realized entities for that intent object gets deleted, the intent object
is deleted. Objects that are marked for deletion are not returned in
GET call. One can use the search API to get these objects.
boolean Readonly
Default: "False"

markers Markers

List of labels to be used for granular RBAC.
Allowed in Basic edition, Essentials edition, Enterprise
edition.
array of ALBRoleFilterMatchLabel

min_confidence Min confidence

Minimum confidence label required for auto rule updates.
Enum options - CONFIDENCE_VERY_HIGH, CONFIDENCE_HIGH,
CONFIDENCE_PROBABLE, CONFIDENCE_LOW, CONFIDENCE_NONE.
Default value when not specified in API or module is
interpreted by ALB Controller as CONFIDENCE_VERY_HIGH.
ALBAppLearningConfidenceLabel Default: "CONFIDENCE_VERY_HIGH"

mode Mode

WAF Policy mode.
This can be detection or enforcement.
It can be overwritten by rules if allow_mode_delegation is
set.
Enum options - WAF_MODE_DETECTION_ONLY,
WAF_MODE_ENFORCEMENT.
Default value when not specified in API or module is
interpreted by ALB Controller as WAF_MODE_DETECTION_ONLY.
ALBWafMode Default: "WAF_MODE_DETECTION_ONLY"

overridden Indicates whether this object is the overridden intent object

Global intent objects cannot be modified by the user.
However, certain global intent objects can be overridden locally by use
of this property. In such cases, the overridden local values take
precedence over the globally defined values for the properties.
boolean Readonly
Default: "False"

paranoia_level Paranoia level

WAF Ruleset paranoia mode.
This is used to select Rules based on the paranoia-level
tag.
Enum options - WAF_PARANOIA_LEVEL_LOW,
WAF_PARANOIA_LEVEL_MEDIUM, WAF_PARANOIA_LEVEL_HIGH,
WAF_PARANOIA_LEVEL_EXTREME.
Default value when not specified in API or module is
interpreted by ALB Controller as WAF_PARANOIA_LEVEL_LOW.
ALBWafParanoiaLevel Default: "WAF_PARANOIA_LEVEL_LOW"

parent_path Path of its parent

Path of its parent string Readonly

path Absolute path of this object

Absolute path of this object string Readonly

positive_security_model Positive security model

The Positive Security Model.
This is used to describe how the request or parts of the
request should look like.
It is executed in the Request Body Phase of Avi WAF.
ALBWafPositiveSecurityModel

post_crs_groups Post crs groups

WAF Rules are categorized in to groups based on their
characterization.
These groups are created by the user and will be enforced
after the CRS groups.
array of ALBWafRuleGroup

pre_crs_groups Pre crs groups

WAF Rules are categorized in to groups based on their
characterization.
These groups are created by the user and will be enforced
before the CRS groups.
array of ALBWafRuleGroup

realization_id A unique identifier assigned by the system for realizing intent

This is a UUID generated by the system for realizing the entity object.
In most cases this should be same as 'unique_id' of the entity. However,
in some cases this can be different because of entities have migrated thier
unique identifier to NSX Policy intent objects later in the timeline and did
not use unique_id for realization. Realization id is helpful for users to
debug data path to correlate the configuration with corresponding intent.
string Readonly

relative_path Relative path of this object

Path relative from its parent string Readonly

resource_type Must be set to the value ALBWafPolicy string

tags Opaque identifiers meaningful to the API user array of Tag Maximum items: 30

unique_id A unique identifier assigned by the system

This is a UUID generated by the GM/LM to uniquely identify
entites in a federated environment. For entities that are
stretched across multiple sites, the same ID will be used
on all the stretched sites.
string Readonly

waf_crs_path Waf crs path

WAF core ruleset used for the CRS part of this Policy.
It is a reference to an object of type WafCRS.
string

waf_profile_path Waf profile path

WAF Profile for WAF policy.
It is a reference to an object of type WafProfile.
string Required

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
allow_mode_delegation	Allow mode delegation Allow Rules to overwrite the policy mode. This must be set if the policy mode is set to enforcement. Default value when not specified in API or module is interpreted by ALB Controller as true.	boolean	Default: "True"
application_signatures	Application signatures Application Specific Signatures.	ALBWafApplicationSignatures
children	subtree for this type within policy tree subtree for this type within policy tree containing nested elements.	array of ChildPolicyConfigResource Children are not allowed for this type
confidence_override	Confidence override Configure thresholds for confidence labels.	ALBAppLearningConfidenceOverride
created_by	Created by Creator name.	string
crs_overrides	Crs overrides Override attributes for CRS rules.	array of ALBWafRuleGroupOverrides
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
enable_app_learning	Enable app learning Enable Application Learning for this WAF policy. Default value when not specified in API or module is interpreted by ALB Controller as false.	boolean	Default: "False"
enable_auto_rule_updates	Enable auto rule updates Enable Application Learning based rule updates on the WAF Profile. Rules will be programmed in dedicated WAF learning group. Default value when not specified in API or module is interpreted by ALB Controller as true.	boolean	Default: "True"
failure_mode	Failure mode WAF Policy failure mode. This can be 'Open' or 'Closed'. Enum options - WAF_FAILURE_MODE_OPEN, WAF_FAILURE_MODE_CLOSED. Default value when not specified in API or module is interpreted by ALB Controller as WAF_FAILURE_MODE_OPEN.	ALBWafFailureMode	Default: "WAF_FAILURE_MODE_OPEN"
id	Unique identifier of this resource	string	Sortable
learning_params	Learning params Parameters for tuning Application learning.	ALBAppLearningParams
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object gets deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
markers	Markers List of labels to be used for granular RBAC. Allowed in Basic edition, Essentials edition, Enterprise edition.	array of ALBRoleFilterMatchLabel
min_confidence	Min confidence Minimum confidence label required for auto rule updates. Enum options - CONFIDENCE_VERY_HIGH, CONFIDENCE_HIGH, CONFIDENCE_PROBABLE, CONFIDENCE_LOW, CONFIDENCE_NONE. Default value when not specified in API or module is interpreted by ALB Controller as CONFIDENCE_VERY_HIGH.	ALBAppLearningConfidenceLabel	Default: "CONFIDENCE_VERY_HIGH"
mode	Mode WAF Policy mode. This can be detection or enforcement. It can be overwritten by rules if allow_mode_delegation is set. Enum options - WAF_MODE_DETECTION_ONLY, WAF_MODE_ENFORCEMENT. Default value when not specified in API or module is interpreted by ALB Controller as WAF_MODE_DETECTION_ONLY.	ALBWafMode	Default: "WAF_MODE_DETECTION_ONLY"
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
paranoia_level	Paranoia level WAF Ruleset paranoia mode. This is used to select Rules based on the paranoia-level tag. Enum options - WAF_PARANOIA_LEVEL_LOW, WAF_PARANOIA_LEVEL_MEDIUM, WAF_PARANOIA_LEVEL_HIGH, WAF_PARANOIA_LEVEL_EXTREME. Default value when not specified in API or module is interpreted by ALB Controller as WAF_PARANOIA_LEVEL_LOW.	ALBWafParanoiaLevel	Default: "WAF_PARANOIA_LEVEL_LOW"
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
positive_security_model	Positive security model The Positive Security Model. This is used to describe how the request or parts of the request should look like. It is executed in the Request Body Phase of Avi WAF.	ALBWafPositiveSecurityModel
post_crs_groups	Post crs groups WAF Rules are categorized in to groups based on their characterization. These groups are created by the user and will be enforced after the CRS groups.	array of ALBWafRuleGroup
pre_crs_groups	Pre crs groups WAF Rules are categorized in to groups based on their characterization. These groups are created by the user and will be enforced before the CRS groups.	array of ALBWafRuleGroup
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated thier unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
resource_type	Must be set to the value ALBWafPolicy	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entites in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly
waf_crs_path	Waf crs path WAF core ruleset used for the CRS part of this Policy. It is a reference to an object of type WafCRS.	string
waf_profile_path	Waf profile path WAF Profile for WAF policy. It is a reference to an object of type WafProfile.	string	Required