Skip to main content

Update CNNS Container and Host Policy

PUT 
/api/v32.07/policies/firewall/network
x-prisma-cloud-target-env: {"permission":"policyCNNF"}

Updates all container and host CNNS rules in a single shot. Updating all rules at the same time makes it possible to maintain strict ordering between rules.

The procedure to add, edit, or remove rules is:

  1. Get all rules using the GET endpoint.

    cURL Request

    Refer to the following example cURL command that retrieves a list of all rules, pretty-print the JSON response, and save the results to a file:

    $ curl -k \
      -u <USER> \
      -X PUT \
      -H "Content-Type:application/json" \
      -o <network_firewall_rules.json> \
      "https://<CONSOLE>/api/v<VERSION>/policies/firewall/network/container"

  2. Modify the JSON output according to your needs.

  3. Update rules by pushing the new JSON payload.

    cURL Request

    Refer to the following example cURL command that installs the rules defined in your network_firewall_rules.json file. Do not forget to specify the @ symbol.

    $ curl -k \
      -u <USER> \
      -X PUT \
      -H "Content-Type:application/json" \
      --data-binary "@network_firewall_rules.json" \
      "https://<CONSOLE>/api/v<VERSION>/policies/firewall/network/container"

Any previously installed rules are overwritten.

Request

Body

    _id string

    .

    containerEnabled boolean

    ContainerEnabled indicates whether container network firewall feature is enabled.

    containerRules object[]

    ContainerRules holds the container firewall rules.

  • Array [
    • disabled boolean

    Indicates whether the rule is currently disabled. Values: true (disabled) or false (enabled).

    dst cnnf.EntityID (integer)

    EntityID represents the ID of each network firewall entity. 20 bits are used. Max legal value: 2^20-1

    effect common.Effect (string)

    Possible values: [allow,alert,prevent,monitor,]

    Effect is the effect that is used in the CNNF rule

    id cnnf.RuleID (integer)

    RuleID represents the ID of each container network firewall policy rule

    modified date-time

    Specifies the date and time when the rule was last modified.

    name string

    Name of the rule.

    notes string

    Describes any noteworthy points for a rule. You can include any text.

    owner string

    User who created or last modified the rule.

    ports object[]

    Ports are the entity port range specifications.

  • Array [
    • deny boolean

    Deny indicates whether the connection is denied.

    end integer

    .

    start integer

    .

  • ]
    • previousName string

    Previous name of the rule. Required for rule renaming.

    src cnnf.EntityID (integer)

    EntityID represents the ID of each network firewall entity. 20 bits are used. Max legal value: 2^20-1

  • ]
    • hostEnabled boolean

    HostEnabled indicates whether host network firewall feature is enabled.

    hostRules object[]

    HostRules holds the host firewall rules.

  • Array [
    • disabled boolean

    Indicates whether the rule is currently disabled. Values: true (disabled) or false (enabled).

    dst cnnf.EntityID (integer)

    EntityID represents the ID of each network firewall entity. 20 bits are used. Max legal value: 2^20-1

    effect common.Effect (string)

    Possible values: [allow,alert,prevent,monitor,]

    Effect is the effect that is used in the CNNF rule

    id cnnf.RuleID (integer)

    RuleID represents the ID of each container network firewall policy rule

    modified date-time

    Specifies the date and time when the rule was last modified.

    name string

    Name of the rule.

    notes string

    Describes any noteworthy points for a rule. You can include any text.

    owner string

    User who created or last modified the rule.

    ports object[]

    Ports are the entity port range specifications.

  • Array [
    • deny boolean

    Deny indicates whether the connection is denied.

    end integer

    .

    start integer

    .

  • ]
    • previousName string

    Previous name of the rule. Required for rule renaming.

    src cnnf.EntityID (integer)

    EntityID represents the ID of each network firewall entity. 20 bits are used. Max legal value: 2^20-1

  • ]
    • modified date-time

    .

    networkEntities object[]

    NetworkEntities represents a list of network firewall entities

  • Array [
    • _id cnnf.EntityID (integer)

    EntityID represents the ID of each network firewall entity. 20 bits are used. Max legal value: 2^20-1

    allowAll object

    AllowAllConnections indicates if connections are allowed to/from any entity of the specified types e.g. if inbound contains the type subnet, the entity is allowed to receive connections from any subnet

    inbound cnnf.RuleEntityType (string)[]

    Possible values: [container,host,subnet,dns]

    Inbound indicates if connections are allowed from any entity of the specified types.

    outbound cnnf.RuleEntityType (string)[]

    Possible values: [container,host,subnet,dns]

    Outbound indicates if connections are allowed to any entity of the specified types.

    collections object[]

    Collections indicate the collection the entity is part of.

  • Array [
    • accountIDs string (string)[]

    List of account IDs.

    appIDs string (string)[]

    List of application IDs.

    clusters string (string)[]

    List of Kubernetes cluster names.

    color common.Color (string)

    Color is a hexadecimal representation of color code value

    containers string (string)[]

    List of containers.

    description string

    Free-form text.

    functions string (string)[]

    List of functions.

    hosts string (string)[]

    List of hosts.

    images string (string)[]

    List of images.

    labels string (string)[]

    List of labels.

    modified date-time

    Datetime when the collection was last modified.

    name string

    Collection name. Must be unique.

    namespaces string (string)[]

    List of Kubernetes namespaces.

    owner string

    User who created or last modified the collection.

    prisma boolean

    Indicates whether this collection originates from Prisma Cloud.

    system boolean

    Indicates whether this collection was created by the system (i.e., a non user) (true) or a real user (false).

  • ]
    • domains string (string)[]

    Domains is a list of domains.

    name string

    Name is the entity name.

    subnets object[]

    Subnets are the CIDR format network.

  • Array [
    • cidr string

    CIDR is the IP range of the defined entity.

    name string

    Name is the given name to represent the range.

  • ]
    • type cnnf.RuleEntityType (string)

    Possible values: [container,host,subnet,dns]

    RuleEntityType is the network firewall rule entity type

  • ]
    • owner string

    .

Responses

OK

Loading...