Update CNNS Container and Host Policy

PUT 
/api/v32.04/policies/firewall/network

x-prisma-cloud-target-env: {"permission":"policyCNNF","saas":true,"self-hosted":true}
x-public: true

Updates all container and host CNNS rules in a single shot. Updating all rules at the same time makes it possible to maintain strict ordering between rules.

The procedure to add, edit, or remove rules is:

1. Get all rules using the GET endpoint.

   cURL Request

   Refer to the following example cURL command that retrieves a list of all rules, pretty-print the JSON response, and save the results to a file:

   $ curl -k \
     -u <USER> \
     -X PUT \
     -H "Content-Type:application/json" \
     -o <network_firewall_rules.json> \
     "https://<CONSOLE>/api/v<VERSION>/policies/firewall/network/container"

2. Modify the JSON output according to your needs.

3. Update rules by pushing the new JSON payload.

   cURL Request

   Refer to the following example cURL command that installs the rules defined in your network_firewall_rules.json file. Do not forget to specify the @ symbol.

   $ curl -k \
     -u <USER> \
     -X PUT \
     -H "Content-Type:application/json" \
     --data-binary "@network_firewall_rules.json" \
     "https://<CONSOLE>/api/v<VERSION>/policies/firewall/network/container"

Any previously installed rules are overwritten.

Request

application/json

Body

_id string

.

containerEnabled boolean

ContainerEnabled indicates whether container network firewall feature is enabled.

containerRules object[]
ContainerRules holds the container firewall rules.
Array [
disabled boolean
Indicates if the rule is currently disabled (true) or not (false).
dst cnnf.EntityID (integer)
EntityID represents the ID of each network firewall entity. 20 bits are used. Max legal value: 2^20-1
effect common.Effect (string)
Possible values: [allow,alert,prevent,monitor,]
Effect is the effect that is used in the CNNF rule
id cnnf.RuleID (integer)
RuleID represents the ID of each container network firewall policy rule
modified date-time
Datetime when the rule was last modified.
name string
Name of the rule.
notes string
Free-form text.
owner string
User who created or last modified the rule.
ports object[]
Ports are the entity port range specifications.
Array [
deny boolean
Deny indicates whether the connection is denied.
end integer
.
start integer
.
]
previousName string
Previous name of the rule. Required for rule renaming.
src cnnf.EntityID (integer)
EntityID represents the ID of each network firewall entity. 20 bits are used. Max legal value: 2^20-1
]
hostEnabled boolean

HostEnabled indicates whether host network firewall feature is enabled.

hostRules object[]
HostRules holds the host firewall rules.
Array [
disabled boolean
Indicates if the rule is currently disabled (true) or not (false).
dst cnnf.EntityID (integer)
EntityID represents the ID of each network firewall entity. 20 bits are used. Max legal value: 2^20-1
effect common.Effect (string)
Possible values: [allow,alert,prevent,monitor,]
Effect is the effect that is used in the CNNF rule
id cnnf.RuleID (integer)
RuleID represents the ID of each container network firewall policy rule
modified date-time
Datetime when the rule was last modified.
name string
Name of the rule.
notes string
Free-form text.
owner string
User who created or last modified the rule.
ports object[]
Ports are the entity port range specifications.
Array [
deny boolean
Deny indicates whether the connection is denied.
end integer
.
start integer
.
]
previousName string
Previous name of the rule. Required for rule renaming.
src cnnf.EntityID (integer)
EntityID represents the ID of each network firewall entity. 20 bits are used. Max legal value: 2^20-1
]
modified date-time

.

networkEntities object[]
NetworkEntities represents a list of network firewall entities
Array [
_id cnnf.EntityID (integer)
EntityID represents the ID of each network firewall entity. 20 bits are used. Max legal value: 2^20-1
allowAll object
AllowAllConnections indicates if connections are allowed to/from any entity of the specified types e.g. if inbound contains the type subnet, the entity is allowed to receive connections from any subnet
inbound cnnf.RuleEntityType (string)[]
Possible values: [container,host,subnet,dns]
Inbound indicates if connections are allowed from any entity of the specified types.
outbound cnnf.RuleEntityType (string)[]
Possible values: [container,host,subnet,dns]
Outbound indicates if connections are allowed to any entity of the specified types.
collections object[]
Collections indicate the collection the entity is part of.
Array [
accountIDs string (string)[]
List of account IDs.
appIDs string (string)[]
List of application IDs.
clusters string (string)[]
List of Kubernetes cluster names.
color common.Color (string)
Color is a hexadecimal representation of color code value
containers string (string)[]
List of containers.
description string
Free-form text.
functions string (string)[]
List of functions.
hosts string (string)[]
List of hosts.
images string (string)[]
List of images.
labels string (string)[]
List of labels.
modified date-time
Datetime when the collection was last modified.
name string
Collection name. Must be unique.
namespaces string (string)[]
List of Kubernetes namespaces.
owner string
User who created or last modified the collection.
prisma boolean
Indicates whether this collection originates from Prisma Cloud.
system boolean
Indicates whether this collection was created by the system (i.e., a non user) (true) or a real user (false).
]
domains string (string)[]
Domains is a list of domains.
name string
Name is the entity name.
subnets object[]
Subnets are the CIDR format network.
Array [
cidr string
CIDR is the IP range of the defined entity.
name string
Name is the given name to represent the range.
]
type cnnf.RuleEntityType (string)
Possible values: [container,host,subnet,dns]
RuleEntityType is the network firewall rule entity type
]
owner string

.

Responses

200

OK

default

Loading...