User Defined ACL
Overview
This document describes the API to configure User Defined ACL and its properties in BIG-IQ.
REST Endpoint: /mgmt/cm/access/working-config/apm/acl
Requests
GET /mgmt/cm/access/working-config/apm/acl/<id>
Request Parameters
None
Query Parameters
None
Response
HTTP/1.1 200 OK
Name | Type | Description |
---|---|---|
aclOrder | number | Specify the order of this ACL relative to others. |
entries | array_of_objects | Specify the properties of an access control entry. Layer 4 access control entries operate on the protocol layer only. For layer 4, you can configure only the protocols and addresses on which to act. Layer 7 access control entries work on the application layer. For layer 7, you can configure hosts and paths and select a URI scheme. For HTTPS connections, the system applies Layer 7 ACL entries only if the virtual server has the private key of the backend server. |
action | string | The action for the ACL to take when this access control entry is encountered. Allow - Allow the traffic. Continue - Skip checking the remaining entries in this ACL and continue evaluation at the next ACL. Discard - Drop the packet silently. Reject - Drop the packet and send TCP RST (on TCP flows), or proper ICMP messages (on UDP flows), or, on other protocols, silently drop the packet. Note: For HTTP traffic only, no TCP RST message is sent; instead, an ACL deny page displays. |
srcStartPort | number | Specify a port or range of ports. Source start port is required. |
srcEndPort | number | Specify a port or range of ports. |
dstStartPort | number | Specify a port or range of ports. Destination start port is required. |
dstEndPort | number | Specify a port or range of ports. |
dstSubnet | string | Enter the destination IP address or network address and the mask for the access control entry. Destination IP address with the mask is required. |
srcSubnet | string | Enter the source IP address or network address and the mask for the access control entry. Source IP address with the mask is required. |
host | string | This setting applies to Network Layer 7 access control entries only. Specify a host name. You can use wildcard characters. To represent one or more characters, use an asterisk (*). To represent a single character, use a question mark (?). |
log | string | Log options are None (log nothing) or Packet (log the matched packet) when actions occur. |
paths | string | This setting applies to network Layer 7 access control entries only. For Paths, type one or more URIs separated by spaces. You can use wildcard characters as specified for Host Name. |
protocol | number | This setting applies to Layer 4 access control entries only. Specify the protocol, such as TCP, UDP, ICMP, or all protocols, to which the access control entry applies. |
scheme | string | This setting applies to Layer 7 access control entries only. Enter the URI scheme (http, https, or any) on which the access control entry operates. |
pathMatchCase | string | To consider alphabetic case when matching paths in an access control entry, in the Configuration area for Match Case For Paths, set ‘true’ or ‘false’. |
type | string | Specifies Static or Dynamic to create a static or dynamic access control list. |
name | string | The name of the object |
partition | string | The BIG-IP partition where the object should be placed |
subPath | string | The BIG-IP folder where the object should be placed |
id | string | An ID of an application |
lsoDeviceReference | reference | Reference to the device |
id | string | Id of the device. |
name | string | Device name. Typically it is the device’s hostname. |
kind | string | Kind of the device. |
machineId | string | Machine ID of the device. |
link | string | URI link of the reference. |
isLsoShared | boolean | Specifies if the location-specific object instance is shared across all devices. Use this only during POST. Warning: Do not flip this flag during PUT/PATCH operations. |
deviceGroupReference | reference | Reference to the device group. |
name | string | Name of the resource |
kind | string | The kind of the resource. |
link | string | URI link of the reference. |
description | string | The description of an Application. |
kind | string | The kind of an application. |
selfLink | string | The selfLink of an application. |
Error Response
HTTP/1.1 400 Bad Request
This response status is related to error conditions. A detailed error message displays in the response.
HTTP/1.1 401 Unauthorized
This response happens when access is denied due to invalid credentials (no permission).
Permissions
Role | Allow |
---|---|
Application_Editor | Yes |
Service_Catalog_Viewer | Yes |
Service_Catalog_Editor | Yes |
Trust_Discovery_Import | Yes |
Access_View | Yes |
Access_Edit | Yes |
Access_Manager | Yes |
Application_Manager | Yes |
Application_Viewer | Yes |
Access_Deploy | Yes |
Access_Policy_Editor | Yes |
POST /mgmt/cm/access/working-config/apm/acl
Request Parameters
Name | Type | Required | Description |
---|---|---|---|
aclOrder | number | False | Specify the order of this ACL relative to others. |
entries | array_of_objects | False | Specify the properties of an access control entry. Layer 4 access control entries operate on the protocol layer only. For layer 4, you can configure only the protocols and addresses on which to act. Layer 7 access control entries work on the application layer. For layer 7, you can configure hosts and paths and select a URI scheme. For HTTPS connections, the system applies Layer 7 ACL entries only if the virtual server has the private key of the backend server. |
action | string | True | The action for the ACL to take when this access control entry is encountered. Allow - Allow the traffic. Continue - Skip checking the remaining entries in this ACL and continue evaluation at the next ACL. Discard - Drop the packet silently. Reject - Drop the packet and send TCP RST (on TCP flows), or proper ICMP messages (on UDP flows), or, on other protocols, silently drop the packet. Note: For HTTP traffic only, no TCP RST message is sent; instead, an ACL deny page displays. |
srcStartPort | number | True | Specify a port or range of ports. Source start port is required. |
srcEndPort | number | False | Specify a port or range of ports. |
dstStartPort | number | True | Specify a port or range of ports. Destination start port is required. |
dstEndPort | number | False | Specify a port or range of ports. |
dstSubnet | string | True | Enter the destination IP address or network address and the mask for the access control entry. Destination IP address with the mask is required. |
srcSubnet | string | True | Enter the source IP address or network address and the mask for the access control entry. Source IP address with the mask is required. |
host | string | False | This setting applies to Network Layer 7 access control entries only. Specify a host name. You can use wildcard characters. To represent one or more characters, use an asterisk (*). To represent a single character, use a question mark (?). |
log | string | False | Log options are None (log nothing) or Packet (log the matched packet) when actions occur. |
paths | string | False | This setting applies to network Layer 7 access control entries only. For Paths, type one or more URIs separated by spaces. You can use wildcard characters as specified for Host Name. |
protocol | number | False | This setting applies to Layer 4 access control entries only. Specify the protocol, such as TCP, UDP, ICMP, or all protocols, to which the access control entry applies. |
scheme | string | False | This setting applies to Layer 7 access control entries only. Enter the URI scheme (http, https, or any) on which the access control entry operates. |
pathMatchCase | string | False | To consider alphabetic case when matching paths in an access control entry, in the Configuration area for Match Case For Paths, set ‘true’ or ‘false’. |
type | string | False | Specifies Static or Dynamic to create a static or dynamic access control list. |
name | string | True | The name of the object |
partition | string | True | The BIG-IP partition where the object should be placed |
subPath | string | False | The BIG-IP folder where the object should be placed |
lsoDeviceReference | reference | True | Reference to the device |
id | string | False | Id of the device. |
link | string | False | URI link of the reference. |
isLsoShared | boolean | True | Specifies if the location-specific object instance is shared across all devices. Use this only during POST. Warning: Do not flip this flag during PUT/PATCH operations. |
deviceGroupReference | reference | False | Reference to the device group. |
link | string | False | URI link of the reference. |
description | string | False | The description of an Application. |
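
A pre-flight check for a POST body, written against the Required column of the table above and the isLsoShared warning; it is an added example, not F5 code. The lower-case action and log strings, slash-style masks, the sample values and the placeholder device link are assumptions.

```python
import ipaddress

# Action and log names come from the table above; lower-case matching is an assumption.
ACTIONS = {"allow", "continue", "discard", "reject"}
LOG_OPTIONS = {"none", "packet"}
# Fields marked Required = True in the POST request table.
REQUIRED_TOP = ("name", "partition", "lsoDeviceReference", "isLsoShared")
REQUIRED_ENTRY = ("action", "srcStartPort", "dstStartPort", "srcSubnet", "dstSubnet")


def _check_ports(entry, side, where, errors):
    """Validate <side>StartPort and the optional <side>EndPort."""
    start = entry.get(f"{side}StartPort")
    if start is None:
        return  # already reported as a missing required field
    end = entry.get(f"{side}EndPort", start)
    for label, port in (("StartPort", start), ("EndPort", end)):
        if isinstance(port, bool) or not isinstance(port, int) or not 0 <= port <= 65535:
            errors.append(f"{where}: {side}{label} must be an integer in 0-65535")
            return
    if end < start:
        errors.append(f"{where}: {side}EndPort is lower than {side}StartPort")


def _check_subnet(entry, key, where, errors):
    """Return the parsed network, or None after recording an error."""
    value = entry.get(key)
    if value is None:
        return None  # already reported as a missing required field
    if not isinstance(value, str) or "/" not in value:
        errors.append(f"{where}: {key} needs an address and a mask, got {value!r}")
        return None
    try:
        # Assumption: the mask follows a slash (prefix length or dotted netmask).
        return ipaddress.ip_network(value, strict=False)
    except ValueError:
        errors.append(f"{where}: {key} is not a valid network: {value!r}")
        return None


def validate_acl(body):
    """Return (errors, warnings) for a POST body; no errors means it passes."""
    errors, warnings = [], []
    for key in REQUIRED_TOP:
        if key not in body:
            errors.append(f"missing required field {key}")
    if "isLsoShared" in body and not isinstance(body["isLsoShared"], bool):
        errors.append("isLsoShared must be a boolean")
    for i, entry in enumerate(body.get("entries", [])):
        where = f"entries[{i}]"
        for key in REQUIRED_ENTRY:
            if key not in entry:
                errors.append(f"{where}: missing required field {key}")
        action = str(entry.get("action", "")).lower()
        if "action" in entry and action not in ACTIONS:
            errors.append(f"{where}: unknown action {entry['action']!r}")
        if str(entry.get("log", "none")).lower() not in LOG_OPTIONS:
            errors.append(f"{where}: log must be None or Packet")
        _check_ports(entry, "src", where, errors)
        _check_ports(entry, "dst", where, errors)
        src = _check_subnet(entry, "srcSubnet", where, errors)
        dst = _check_subnet(entry, "dstSubnet", where, errors)
        # Review heuristic (not an API rule): flag Allow entries open to every address.
        if action == "allow" and src is not None and dst is not None:
            if src.prefixlen == 0 and dst.prefixlen == 0:
                warnings.append(f"{where}: Allow from any source to any destination")
    return errors, warnings


def check_update(existing, update):
    """Flag a PUT/PATCH body that would flip isLsoShared on a stored object."""
    if "isLsoShared" in update and update["isLsoShared"] != existing.get("isLsoShared"):
        return ["isLsoShared differs from the stored object; do not flip it on PUT/PATCH"]
    return []


# Constructed sample body; every value below is illustrative.
SAMPLE_ACL = {
    "name": "example-acl",
    "partition": "Common",
    "isLsoShared": False,
    "lsoDeviceReference": {"link": "https://localhost/mgmt/PLACEHOLDER-DEVICE-LINK"},
    "aclOrder": 1,
    "entries": [
        {"action": "allow", "srcStartPort": 0, "dstStartPort": 443,
         "srcSubnet": "10.0.0.0/8", "dstSubnet": "192.0.2.10/32", "log": "packet"},
        {"action": "allow", "srcStartPort": 0, "dstStartPort": 0,
         "srcSubnet": "0.0.0.0/0", "dstSubnet": "0.0.0.0/0"},
        {"action": "drop", "srcStartPort": 1024, "srcEndPort": 80,
         "dstSubnet": "192.0.2.0"},
    ],
}

if __name__ == "__main__":
    errs, warns = validate_acl(SAMPLE_ACL)
    for line in errs + warns:
        print(line)
```
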
Query Parameters
None
Response
HTTP/1.1 200 OK
Name | Type | Description |
---|---|---|
aclOrder | number | Specify the order of this ACL relative to others. |
entries | array_of_objects | Specify the properties of an access control entry. Layer 4 access control entries operate on the protocol layer only. For layer 4, you can configure only the protocols and addresses on which to act. Layer 7 access control entries work on the application layer. For layer 7, you can configure hosts and paths and select a URI scheme. For HTTPS connections, the system applies Layer 7 ACL entries only if the virtual server has the private key of the backend server. |
action | string | The action for the ACL to take when this access control entry is encountered. Allow - Allow the traffic. Continue - Skip checking the remaining entries in this ACL and continue evaluation at the next ACL. Discard - Drop the packet silently. Reject - Drop the packet and send TCP RST (on TCP flows), or proper ICMP messages (on UDP flows), or, on other protocols, silently drop the packet. Note: For HTTP traffic only, no TCP RST message is sent; instead, an ACL deny page displays. |
srcStartPort | number | Specify a port or range of ports. Source start port is required. |
srcEndPort | number | Specify a port or range of ports. |
dstStartPort | number | Specify a port or range of ports. Destination start port is required. |
dstEndPort | number | Specify a port or range of ports. |
dstSubnet | string | Enter the destination IP address or network address and the mask for the access control entry. Destination IP address with the mask is required. |
srcSubnet | string | Enter the source IP address or network address and the mask for the access control entry. Source IP address with the mask is required. |
host | string | This setting applies to Network Layer 7 access control entries only. Specify a host name. You can use wildcard characters. To represent one or more characters, use an asterisk (*). To represent a single character, use a question mark (?). |
log | string | Log options are None (log nothing) or Packet (log the matched packet) when actions occur. |
paths | string | This setting applies to network Layer 7 access control entries only. For Paths, type one or more URIs separated by spaces. You can use wildcard characters as specified for Host Name. |
protocol | number | This setting applies to Layer 4 access control entries only. Specify the protocol, such as TCP, UDP, ICMP, or all protocols, to which the access control entry applies. |
scheme | string | This setting applies to Layer 7 access control entries only. Enter the URI scheme (http, https, or any) on which the access control entry operates. |
pathMatchCase | string | To consider alphabetic case when matching paths in an access control entry, in the Configuration area for Match Case For Paths, set ‘true’ or ‘false’. |
type | string | Specifies Static or Dynamic to create a static or dynamic access control list. |
name | string | The name of the object |
partition | string | The BIG-IP partition where the object should be placed |
subPath | string | The BIG-IP folder where the object should be placed |
id | string | An ID of an application |
lsoDeviceReference | reference | Reference to the device |
id | string | Id of the device. |
name | string | Device name. Typically it is the device’s hostname. |
kind | string | Kind of the device. |
machineId | string | Machine ID of the device. |
link | string | URI link of the reference. |
isLsoShared | boolean | Specifies if the location-specific object instance is shared across all devices. Use this only during POST. Warning: Do not flip this flag during PUT/PATCH operations. |
deviceGroupReference | reference | Reference to the device group. |
name | string | Name of the resource |
kind | string | The kind of the resource. |
link | string | URI link of the reference. |
description | string | The description of an Application. |
kind | string | The kind of an application. |
selfLink | string | The selfLink of an application. |
Error Response
HTTP/1.1 400 Bad Request
This response status is related to error conditions. A detailed error message displays in the response.
HTTP/1.1 401 Unauthorized
This response happens when access is denied due to invalid credentials (no permission).
Permissions
Role | Allow |
---|---|
Application_Editor | No |
Service_Catalog_Viewer | No |
Service_Catalog_Editor | No |
Trust_Discovery_Import | No |
Access_View | No |
Access_Edit | Yes |
Access_Manager | Yes |
Application_Manager | No |
Application_Viewer | No |
Access_Deploy | No |
Access_Policy_Editor | No |
PUT /mgmt/cm/access/working-config/apm/acl/<id>
Request Parameters
Name | Type | Required | Description |
---|---|---|---|
aclOrder | number | False | Specify the order of this ACL relative to others. |
entries | array_of_objects | False | Specify the properties of an access control entry. Layer 4 access control entries operate on the protocol layer only. For layer 4, you can configure only the protocols and addresses on which to act. Layer 7 access control entries work on the application layer. For layer 7, you can configure hosts and paths and select a URI scheme. For HTTPS connections, the system applies Layer 7 ACL entries only if the virtual server has the private key of the backend server. |
action | string | False | The action for the ACL to take when this access control entry is encountered. Allow - Allow the traffic. Continue - Skip checking the remaining entries in this ACL and continue evaluation at the next ACL. Discard - Drop the packet silently. Reject - Drop the packet and send TCP RST (on TCP flows), or proper ICMP messages (on UDP flows), or, on other protocols, silently drop the packet. Note: For HTTP traffic only, no TCP RST message is sent; instead, an ACL deny page displays. |
srcStartPort | number | False | Specify a port or range of ports. Source start port is required. |
srcEndPort | number | False | Specify a port or range of ports. |
dstStartPort | number | False | Specify a port or range of ports. Destination start port is required. |
dstEndPort | number | False | Specify a port or range of ports. |
dstSubnet | string | False | Enter the destination IP address or network address and the mask for the access control entry. Destination IP address with the mask is required. |
srcSubnet | string | False | Enter the source IP address or network address and the mask for the access control entry. Source IP address with the mask is required. |
host | string | False | This setting applies to Network Layer 7 access control entries only. Specify a host name. You can use wildcard characters. To represent one or more characters, use an asterisk (*). To represent a single character, use a question mark (?). |
log | string | False | Log options are None (log nothing) or Packet (log the matched packet) when actions occur. |
paths | string | False | This setting applies to network Layer 7 access control entries only. For Paths, type one or more URIs separated by spaces. You can use wildcard characters as specified for Host Name. |
protocol | number | False | This setting applies to Layer 4 access control entries only. Specify the protocol, such as TCP, UDP, ICMP, or all protocols, to which the access control entry applies. |
scheme | string | False | This setting applies to Layer 7 access control entries only. Enter the URI scheme (http, https, or any) on which the access control entry operates. |
pathMatchCase | string | False | To consider alphabetic case when matching paths in an access control entry, in the Configuration area for Match Case For Paths, set ‘true’ or ‘false’. |
type | string | False | Specifies Static or Dynamic to create a static or dynamic access control list. |
name | string | False | The name of the object |
partition | string | False | The BIG-IP partition where the object should be placed |
subPath | string | False | The BIG-IP folder where the object should be placed |
id | string | False | An ID of an application |
lsoDeviceReference | reference | True | Reference to the device |
id | string | False | Id of the device. |
name | string | False | Device name. Typically it is the device’s hostname. |
kind | string | False | Kind of the device. |
machineId | string | True | Machine ID of the device. |
link | string | False | URI link of the reference. |
isLsoShared | boolean | False | Specifies if the location-specific object instance is shared across all devices. Use this only during POST. Warning: Do not flip this flag during PUT/PATCH operations. |
deviceGroupReference | reference | False | Reference to the device group. |
name | string | False | Name of the resource |
kind | string | False | The kind of the resource. |
link | string | False | URI link of the reference. |
description | string | False | The description of an Application. |
kind | string | False | The kind of an application. |
selfLink | string | False | The selfLink of an application. |
Query Parameters
None
Response
HTTP/1.1 200 OK
Name | Type | Description |
---|---|---|
aclOrder | number | Specify the order of this ACL relative to others. |
entries | array_of_objects | Specify the properties of an access control entry. Layer 4 access control entries operate on the protocol layer only. For layer 4, you can configure only the protocols and addresses on which to act. Layer 7 access control entries work on the application layer. For layer 7, you can configure hosts and paths and select a URI scheme. For HTTPS connections, the system applies Layer 7 ACL entries only if the virtual server has the private key of the backend server. |
action | string | The action for the ACL to take when this access control entry is encountered. Allow - Allow the traffic. Continue - Skip checking the remaining entries in this ACL and continue evaluation at the next ACL. Discard - Drop the packet silently. Reject - Drop the packet and send TCP RST (on TCP flows), or proper ICMP messages (on UDP flows), or, on other protocols, silently drop the packet. Note: For HTTP traffic only, no TCP RST message is sent; instead, an ACL deny page displays. |
srcStartPort | number | Specify a port or range of ports. Source start port is required. |
srcEndPort | number | Specify a port or range of ports. |
dstStartPort | number | Specify a port or range of ports. Destination start port is required. |
dstEndPort | number | Specify a port or range of ports. |
dstSubnet | string | Enter the destination IP address or network address and the mask for the access control entry. Destination IP address with the mask is required. |
srcSubnet | string | Enter the source IP address or network address and the mask for the access control entry. Source IP address with the mask is required. |
host | string | This setting applies to Network Layer 7 access control entries only. Specify a host name. You can use wildcard characters. To represent one or more characters, use an asterisk (*). To represent a single character, use a question mark (?). |
log | string | Log options are None (log nothing) or Packet (log the matched packet) when actions occur. |
paths | string | This setting applies to network Layer 7 access control entries only. For Paths, type one or more URIs separated by spaces. You can use wildcard characters as specified for Host Name. |
protocol | number | This setting applies to Layer 4 access control entries only. Specify the protocol, such as TCP, UDP, ICMP, or all protocols, to which the access control entry applies. |
scheme | string | This setting applies to Layer 7 access control entries only. Enter the URI scheme (http, https, or any) on which the access control entry operates. |
pathMatchCase | string | To consider alphabetic case when matching paths in an access control entry, in the Configuration area for Match Case For Paths, set ‘true’ or ‘false’. |
type | string | Specifies Static or Dynamic to create a static or dynamic access control list. |
name | string | The name of the object |
partition | string | The BIG-IP partition where the object should be placed |
subPath | string | The BIG-IP folder where the object should be placed |
id | string | An ID of an application |
lsoDeviceReference | reference | Reference to the device |
id | string | Id of the device. |
name | string | Device name. Typically it is the device’s hostname. |
kind | string | Kind of the device. |
machineId | string | Machine ID of the device. |
link | string | URI link of the reference. |
isLsoShared | boolean | Specifies if the location-specific object instance is shared across all devices. Use this only during POST. Warning: Do not flip this flag during PUT/PATCH operations. |
deviceGroupReference | reference | Reference to the device group. |
name | string | Name of the resource |
kind | string | The kind of the resource. |
link | string | URI link of the reference. |
description | string | The description of an Application. |
kind | string | The kind of an application. |
selfLink | string | The selfLink of an application. |
Error Response
HTTP/1.1 400 Bad Request
This response status is related to error conditions. A detailed error message displays in the response.
HTTP/1.1 401 Unauthorized
This response happens when access is denied due to invalid credentials (no permission).
Permissions
Role | Allow |
---|---|
Application_Editor | No |
Service_Catalog_Viewer | No |
Service_Catalog_Editor | No |
Trust_Discovery_Import | No |
Access_View | No |
Access_Edit | Yes |
Access_Manager | Yes |
Application_Manager | No |
Application_Viewer | No |
Access_Deploy | No |
Access_Policy_Editor | No |
PATCH /mgmt/cm/access/working-config/apm/acl/<id>
Request Parameters
Name | Type | Required | Description |
---|---|---|---|
aclOrder | number | False | Specify the order of this ACL relative to others. |
entries | array_of_objects | False | Specify the properties of an access control entry. Layer 4 access control entries operate on the protocol layer only. For layer 4, you can configure only the protocols and addresses on which to act. Layer 7 access control entries work on the application layer. For layer 7, you can configure hosts and paths and select a URI scheme. For HTTPS connections, the system applies Layer 7 ACL entries only if the virtual server has the private key of the backend server. |
action | string | False | The action for the ACL to take when this access control entry is encountered. Allow - Allow the traffic. Continue - Skip checking the remaining entries in this ACL and continue evaluation at the next ACL. Discard - Drop the packet silently. Reject - Drop the packet and send TCP RST (on TCP flows), or proper ICMP messages (on UDP flows), or, on other protocols, silently drop the packet. Note: For HTTP traffic only, no TCP RST message is sent; instead, an ACL deny page displays. |
srcStartPort | number | False | Specify a port or range of ports. Source start port is required. |
srcEndPort | number | False | Specify a port or range of ports. |
dstStartPort | number | False | Specify a port or range of ports. Destination start port is required. |
dstEndPort | number | False | Specify a port or range of ports. |
dstSubnet | string | False | Enter the destination IP address or network address and the mask for the access control entry. Destination IP address with the mask is required. |
srcSubnet | string | False | Enter the source IP address or network address and the mask for the access control entry. Source IP address with the mask is required. |
host | string | False | This setting applies to Network Layer 7 access control entries only. Specify a host name. You can use wildcard characters. To represent one or more characters, use an asterisk (*). To represent a single character, use a question mark (?). |
log | string | False | Log options are None (log nothing) or Packet (log the matched packet) when actions occur. |
paths | string | False | This setting applies to network Layer 7 access control entries only. For Paths, type one or more URIs separated by spaces. You can use wildcard characters as specified for Host Name. |
protocol | number | False | This setting applies to Layer 4 access control entries only. Specify the protocol, such as TCP, UDP, ICMP, or all protocols, to which the access control entry applies. |
scheme | string | False | This setting applies to Layer 7 access control entries only. Enter the URI scheme (http, https, or any) on which the access control entry operates. |
pathMatchCase | string | False | To consider alphabetic case when matching paths in an access control entry, in the Configuration area for Match Case For Paths, set ‘true’ or ‘false’. |
type | string | False | Specifies Static or Dynamic to create a static or dynamic access control list. |
isLsoShared | boolean | False | Specifies if the location-specific object instance is shared across all devices. Use this only during POST. Warning: Do not flip this flag during PUT/PATCH operations. |
description | string | False | The description of an Application. |
Query Parameters
None
Response
HTTP/1.1 200 OK
Name | Type | Description |
---|---|---|
aclOrder | number | Specify the order of this ACL relative to others. |
entries | array_of_objects | Specify the properties of an access control entry. Layer 4 access control entries operate on the protocol layer only. For layer 4, you can configure only the protocols and addresses on which to act. Layer 7 access control entries work on the application layer. For layer 7, you can configure hosts and paths and select a URI scheme. For HTTPS connections, the system applies Layer 7 ACL entries only if the virtual server has the private key of the backend server. |
action | string | The action for the ACL to take when this access control entry is encountered. Allow - Allow the traffic. Continue - Skip checking the remaining entries in this ACL and continue evaluation at the next ACL. Discard - Drop the packet silently. Reject - Drop the packet and send TCP RST (on TCP flows), or proper ICMP messages (on UDP flows), or, on other protocols, silently drop the packet. Note: For HTTP traffic only, no TCP RST message is sent; instead, an ACL deny page displays. |
srcStartPort | number | Specify a port or range of ports. Source start port is required. |
srcEndPort | number | Specify a port or range of ports. |
dstStartPort | number | Specify a port or range of ports. Destination start port is required. |
dstEndPort | number | Specify a port or range of ports. |
dstSubnet | string | Enter the destination IP address or network address and the mask for the access control entry. Destination IP address with the mask is required. |
srcSubnet | string | Enter the source IP address or network address and the mask for the access control entry. Source IP address with the mask is required. |
host | string | This setting applies to Network Layer 7 access control entries only. Specify a host name. You can use wildcard characters. To represent one or more characters, use an asterisk (*). To represent a single character, use a question mark (?). |
log | string | Log options are None (log nothing) or Packet (log the matched packet) when actions occur. |
paths | string | This setting applies to network Layer 7 access control entries only. For Paths, type one or more URIs separated by spaces. You can use wildcard characters as specified for Host Name. |
protocol | number | This setting applies to Layer 4 access control entries only. Specify the protocol, such as TCP, UDP, ICMP, or all protocols, to which the access control entry applies. |
scheme | string | This setting applies to Layer 7 access control entries only. Enter the URI scheme (http, https, or any) on which the access control entry operates. |
pathMatchCase | string | To consider alphabetic case when matching paths in an access control entry, in the Configuration area for Match Case For Paths, set ‘true’ or ‘false’. |
type | string | Specifies Static or Dynamic to create a static or dynamic access control list. |
name | string | The name of the object |
partition | string | The BIG-IP partition where the object should be placed |
subPath | string | The BIG-IP folder where the object should be placed |
id | string | An ID of an application |
lsoDeviceReference | reference | Reference to the device |
id | string | Id of the device. |
name | string | Device name. Typically it is the device’s hostname. |
kind | string | Kind of the device. |
machineId | string | Machine ID of the device. |
link | string | URI link of the reference. |
isLsoShared | boolean | Specifies if the location-specific object instance is shared across all devices. Use this only during POST. Warning: Do not flip this flag during PUT/PATCH operations. |
deviceGroupReference | reference | Reference to the device group. |
name | string | Name of the resource |
kind | string | The kind of the resource. |
link | string | URI link of the reference. |
description | string | The description of an Application. |
kind | string | The kind of an application. |
selfLink | string | The selfLink of an application. |
Error Response
HTTP/1.1 400 Bad Request
This response status is related to error conditions. A detailed error message displays in the response.
HTTP/1.1 401 Unauthorized
This response happens when access is denied due to invalid credentials (no permission).
Permissions
Role | Allow |
---|---|
Application_Editor | No |
Service_Catalog_Viewer | No |
Service_Catalog_Editor | No |
Trust_Discovery_Import | No |
Access_View | No |
Access_Edit | Yes |
Access_Manager | Yes |
Application_Manager | No |
Application_Viewer | No |
Access_Deploy | No |
Access_Policy_Editor | No |
DELETE /mgmt/cm/access/working-config/apm/acl/<id>
Request Parameters
None
Query Parameters
None
Response
HTTP/1.1 200 OK
Name | Type | Description |
---|---|---|
aclOrder | number | Specify the order of this ACL relative to others. |
entries | array_of_objects | Specify the properties of an access control entry. Layer 4 access control entries operate on the protocol layer only. For layer 4, you can configure only the protocols and addresses on which to act. Layer 7 access control entries work on the application layer.For layer 7, you can configure hosts and paths and select a URI scheme. For HTTPS connections, the system applies Layer 7 ACL entries only if the virtual server has the private key of the backend server. |
action | string | For Action select the action for the ACL to take when this access control entry is encountered. Allow - Allow the traffic. Continue - Skip checking the remaining entries in this ACL and continue evaluation at the next ACL. Discard - Drop the packet silently. Reject - Drop the packet and send TCP RST (on TCP flows), or proper ICMP messages (on UDP flows), or, on other protocols, silently drop the packet.Note: For HTTP traffic only, no TCP RST message is sent; instead, an ACL deny page displays. |
srcStartPort | number | Specify a port or range of ports. Source start port is required. |
srcEndPort | number | Specify a port or range of ports. |
dstStartPort | number | Specify a port or range of ports. Destination start port is required. |
dstEndPort | number | Specify a port or range of ports. |
dstSubnet | string | Enter the destination IP address or network address and the mask for the access control entry. Destination IP address with the mask is required. |
srcSubnet | string | Enter the source IP address or network address and the mask for the access control entry. Source IP address with the mask is required. |
host | string | This setting applies to Network Layer 7 access control entries only. Specify a host name. You can use wildcard characters. To represent one or more characters, use an asterisk (*). To represent a single character, use a question mark (?). |
log | string | Log options are None (log nothing) or Packet (log the matched packet) when actions occur. |
paths | string | This setting applies to network Layer 7 access control entries only. For Paths, type one or more URIs separated by spaces. You can use wildcard characters as specified for Host Name. |
protocol | number | This setting applies to Layer 4 access control entries only. Specify the Protocol like TCP, UDP, ICMP or all protocols to which the access control entry applies. |
scheme | string | This setting applies to Layer 7 access control entries only. Enter URI scheme http, https, or any on which the access control entry operates. |
pathMatchCase | string | Specifies whether alphabetic case is considered when matching paths in an access control entry (Match Case For Paths in the Configuration area). Set to 'true' or 'false'. |
type | string | Specifies Static or Dynamic to create a static or dynamic access control list. |
name | string | The name of the object |
partition | string | The BIG-IP partition where the object should be placed |
subPath | string | The BIG-IP folder where the object should be placed |
id | string | An ID of an application |
lsoDeviceReference | reference | Reference to the device |
id | string | Id of the device. |
name | string | Device name. Typically it is the device’s hostname. |
kind | string | Kind of the device. |
machineId | string | Machine ID of the device. |
link | string | URI link of the reference. |
isLsoShared | boolean | Specifies if the location-specific object instance is shared across all devices. Use this only during POST. Warning: Do not flip this flag during PUT/PATCH operations. |
deviceGroupReference | reference | Reference to the device group. |
name | string | Name of the resource |
kind | string | The kind of the resource. |
link | string | URI link of the reference. |
description | string | The description of an Application. |
kind | string | The kind of an application. |
selfLink | string | The selfLink of an application. |
Error Response¶
HTTP/1.1 400 Bad Request
This response status is related to error conditions. A detailed error message displays in the response.
HTTP/1.1 401 Unauthorized
This response is returned when access is denied due to invalid credentials (no permission).
Permissions¶
Role | Allow |
---|---|
Application_Editor | No |
Service_Catalog_Viewer | No |
Service_Catalog_Editor | No |
Trust_Discovery_Import | No |
Access_View | No |
Access_Edit | Yes |
Access_Manager | Yes |
Application_Manager | No |
Application_Viewer | No |
Access_Deploy | No |
Access_Policy_Editor | No |
Examples¶
Get User Defined ACL¶
GET /mgmt/cm/access/working-config/apm/acl/<id>
Response¶
HTTP/1.1 200 OK
{
"aclOrder": 1,
"entries": [{
"action": "admin",
"srcStartPort": 0,
"srcEndPort": 0,
"dstStartPort": 0,
"dstEndPort": 0,
"dstSubnet": "0.0.0.0/0",
"srcSubnet": "0.0.0.0/0",
"host": "admin",
"log": "none",
"paths": "*",
"protocol": 0,
"scheme": "any"
}],
"pathMatchCase": "true",
"type": "static",
"name": "foo",
"partition": "Common",
"subPath": "/folder",
"id": "8f1fcb69-1f3c-3c0d-812e-af4fdde0ac11",
"lsoDeviceReference": {
"id": "866cfd8a-4d03-48e9-ba94-bb21a4bc2346",
"name": "bigip.foo.com",
"kind": "shared:resolver:device-groups:restdeviceresolverdevicestate",
"machineId": "866cfd8a-4d03-48e9-ba94-bb21a4bc2346",
"link": "https://localhost/mgmt/shared/foo/bar/866cfd8a-4d03-48e9-ba94-bb21a4bc2346"
},
"isLsoShared": false,
"deviceGroupReference": {
"name": "resourceName",
"kind": "shared:resolver:device-groups:devicegroupstate",
"link": "https://localhost/mgmt/shared/foo/bar/866cfd8a-4d03-48e9-ba94-bb21a4bc2346"
},
"description": "Application configuration details.",
"kind": "cm:access:working-config:apm:aaa:state",
"selfLink": "https://localhost/mgmt/cm/access/working-config/apm/f0938680-57d5-377f-8c73-da4c2ce561ed"
}
Create New User Defined ACL¶
POST /mgmt/cm/access/working-config/apm/acl
{
"aclOrder": 1,
"entries": [{
"action": "admin",
"srcStartPort": 0,
"srcEndPort": 0,
"dstStartPort": 0,
"dstEndPort": 0,
"dstSubnet": "0.0.0.0/0",
"srcSubnet": "0.0.0.0/0",
"host": "admin",
"log": "none",
"paths": "*",
"protocol": 0,
"scheme": "any"
}],
"pathMatchCase": "true",
"type": "static",
"name": "foo",
"partition": "Common",
"subPath": "/folder",
"lsoDeviceReference": {
"id": "866cfd8a-4d03-48e9-ba94-bb21a4bc2346",
"link": "https://localhost/mgmt/shared/foo/bar/866cfd8a-4d03-48e9-ba94-bb21a4bc2346"
},
"isLsoShared": false,
"deviceGroupReference": {
"link": "https://localhost/mgmt/shared/foo/bar/866cfd8a-4d03-48e9-ba94-bb21a4bc2346"
},
"description": "Application configuration details."
}
Response¶
HTTP/1.1 200 OK
{
"aclOrder": 1,
"entries": [{
"action": "admin",
"srcStartPort": 0,
"srcEndPort": 0,
"dstStartPort": 0,
"dstEndPort": 0,
"dstSubnet": "0.0.0.0/0",
"srcSubnet": "0.0.0.0/0",
"host": "admin",
"log": "none",
"paths": "*",
"protocol": 0,
"scheme": "any"
}],
"pathMatchCase": "true",
"type": "static",
"name": "foo",
"partition": "Common",
"subPath": "/folder",
"id": "8f1fcb69-1f3c-3c0d-812e-af4fdde0ac11",
"lsoDeviceReference": {
"id": "866cfd8a-4d03-48e9-ba94-bb21a4bc2346",
"name": "bigip.foo.com",
"kind": "shared:resolver:device-groups:restdeviceresolverdevicestate",
"machineId": "866cfd8a-4d03-48e9-ba94-bb21a4bc2346",
"link": "https://localhost/mgmt/shared/foo/bar/866cfd8a-4d03-48e9-ba94-bb21a4bc2346"
},
"isLsoShared": false,
"deviceGroupReference": {
"name": "resourceName",
"kind": "shared:resolver:device-groups:devicegroupstate",
"link": "https://localhost/mgmt/shared/foo/bar/866cfd8a-4d03-48e9-ba94-bb21a4bc2346"
},
"description": "Application configuration details.",
"kind": "cm:access:working-config:apm:aaa:state",
"selfLink": "https://localhost/mgmt/cm/access/working-config/apm/f0938680-57d5-377f-8c73-da4c2ce561ed"
}
Edit User Defined ACL¶
PUT /mgmt/cm/access/working-config/apm/acl/<id>
{
"aclOrder": 1,
"entries": [{
"action": "admin",
"srcStartPort": 0,
"srcEndPort": 0,
"dstStartPort": 0,
"dstEndPort": 0,
"dstSubnet": "0.0.0.0/0",
"srcSubnet": "0.0.0.0/0",
"host": "admin",
"log": "none",
"paths": "*",
"protocol": 0,
"scheme": "any"
}],
"pathMatchCase": "true",
"type": "static",
"name": "foo",
"partition": "Common",
"subPath": "/folder",
"id": "8f1fcb69-1f3c-3c0d-812e-af4fdde0ac11",
"lsoDeviceReference": {
"id": "866cfd8a-4d03-48e9-ba94-bb21a4bc2346",
"name": "bigip.foo.com",
"kind": "shared:resolver:device-groups:restdeviceresolverdevicestate",
"machineId": "866cfd8a-4d03-48e9-ba94-bb21a4bc2346",
"link": "https://localhost/mgmt/shared/foo/bar/866cfd8a-4d03-48e9-ba94-bb21a4bc2346"
},
"isLsoShared": false,
"deviceGroupReference": {
"name": "resourceName",
"kind": "shared:resolver:device-groups:devicegroupstate",
"link": "https://localhost/mgmt/shared/foo/bar/866cfd8a-4d03-48e9-ba94-bb21a4bc2346"
},
"description": "Application configuration details.",
"kind": "cm:access:working-config:apm:aaa:state",
"selfLink": "https://localhost/mgmt/cm/access/working-config/apm/f0938680-57d5-377f-8c73-da4c2ce561ed"
}
Response¶
HTTP/1.1 200 OK
{
"aclOrder": 1,
"entries": [{
"action": "admin",
"srcStartPort": 0,
"srcEndPort": 0,
"dstStartPort": 0,
"dstEndPort": 0,
"dstSubnet": "0.0.0.0/0",
"srcSubnet": "0.0.0.0/0",
"host": "admin",
"log": "none",
"paths": "*",
"protocol": 0,
"scheme": "any"
}],
"pathMatchCase": "true",
"type": "static",
"name": "foo",
"partition": "Common",
"subPath": "/folder",
"id": "8f1fcb69-1f3c-3c0d-812e-af4fdde0ac11",
"lsoDeviceReference": {
"id": "866cfd8a-4d03-48e9-ba94-bb21a4bc2346",
"name": "bigip.foo.com",
"kind": "shared:resolver:device-groups:restdeviceresolverdevicestate",
"machineId": "866cfd8a-4d03-48e9-ba94-bb21a4bc2346",
"link": "https://localhost/mgmt/shared/foo/bar/866cfd8a-4d03-48e9-ba94-bb21a4bc2346"
},
"isLsoShared": false,
"deviceGroupReference": {
"name": "resourceName",
"kind": "shared:resolver:device-groups:devicegroupstate",
"link": "https://localhost/mgmt/shared/foo/bar/866cfd8a-4d03-48e9-ba94-bb21a4bc2346"
},
"description": "Application configuration details.",
"kind": "cm:access:working-config:apm:aaa:state",
"selfLink": "https://localhost/mgmt/cm/access/working-config/apm/f0938680-57d5-377f-8c73-da4c2ce561ed"
}
Edit User Defined ACL¶
PATCH /mgmt/cm/access/working-config/apm/acl/<id>
{
"aclOrder": 1,
"entries": [{
"action": "admin",
"srcStartPort": 0,
"srcEndPort": 0,
"dstStartPort": 0,
"dstEndPort": 0,
"dstSubnet": "0.0.0.0/0",
"srcSubnet": "0.0.0.0/0",
"host": "admin",
"log": "none",
"paths": "*",
"protocol": 0,
"scheme": "any"
}],
"pathMatchCase": "true",
"type": "static",
"isLsoShared": false,
"description": "Application configuration details."
}
Response¶
HTTP/1.1 200 OK
{
"aclOrder": 1,
"entries": [{
"action": "admin",
"srcStartPort": 0,
"srcEndPort": 0,
"dstStartPort": 0,
"dstEndPort": 0,
"dstSubnet": "0.0.0.0/0",
"srcSubnet": "0.0.0.0/0",
"host": "admin",
"log": "none",
"paths": "*",
"protocol": 0,
"scheme": "any"
}],
"pathMatchCase": "true",
"type": "static",
"name": "foo",
"partition": "Common",
"subPath": "/folder",
"id": "8f1fcb69-1f3c-3c0d-812e-af4fdde0ac11",
"lsoDeviceReference": {
"id": "866cfd8a-4d03-48e9-ba94-bb21a4bc2346",
"name": "bigip.foo.com",
"kind": "shared:resolver:device-groups:restdeviceresolverdevicestate",
"machineId": "866cfd8a-4d03-48e9-ba94-bb21a4bc2346",
"link": "https://localhost/mgmt/shared/foo/bar/866cfd8a-4d03-48e9-ba94-bb21a4bc2346"
},
"isLsoShared": false,
"deviceGroupReference": {
"name": "resourceName",
"kind": "shared:resolver:device-groups:devicegroupstate",
"link": "https://localhost/mgmt/shared/foo/bar/866cfd8a-4d03-48e9-ba94-bb21a4bc2346"
},
"description": "Application configuration details.",
"kind": "cm:access:working-config:apm:aaa:state",
"selfLink": "https://localhost/mgmt/cm/access/working-config/apm/f0938680-57d5-377f-8c73-da4c2ce561ed"
}
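A pre-flight check for POST, PUT and PATCH bodies, built from the field table above; this is an added example, not part of the BIG-IQ documentation or F5's code. It flags missing required fields, action and log values outside the documented options, an Allow entry that matches any source and destination with logging off, and a changed isLsoShared on edits. The names lint_entry and lint_acl and the case-insensitive matching of action and log are assumptions.

```python
import ipaddress

# Option names come from the field table. Assumption: matched case-insensitively,
# since the page does not show the exact wire spelling of action or log values.
ACTIONS = {"allow", "continue", "discard", "reject"}
LOG_OPTIONS = {"none", "packet"}
REQUIRED = ("srcStartPort", "dstStartPort", "srcSubnet", "dstSubnet")
SUBNETS = ("srcSubnet", "dstSubnet")
PORTS = ("srcStartPort", "srcEndPort", "dstStartPort", "dstEndPort")

def lint_entry(entry):
    """Return a list of findings for one access control entry."""
    findings = [f"missing required field {f}" for f in REQUIRED if f not in entry]
    action = str(entry.get("action", "")).lower()
    log = str(entry.get("log", "")).lower()
    if action not in ACTIONS:
        findings.append(f"action {entry.get('action')!r} is not Allow/Continue/Discard/Reject")
    if log not in LOG_OPTIONS:
        findings.append(f"log {entry.get('log')!r} is not None/Packet")
    any_addr = {}  # field -> True when the subnet covers every address (/0)
    for field in SUBNETS:
        if field in entry:
            try:
                net = ipaddress.ip_network(entry[field], strict=False)
                any_addr[field] = net.prefixlen == 0
            except ValueError:
                findings.append(f"{field} {entry[field]!r} is not address/mask")
    for field in PORTS:
        port = entry.get(field)
        if port is not None and not (isinstance(port, int) and 0 <= port <= 65535):
            findings.append(f"{field} {port!r} is outside 0-65535")
    if action == "allow" and log == "none" and all(any_addr.get(f) for f in SUBNETS):
        findings.append("allows any source to any destination with logging off")
    return findings

def lint_acl(body, stored=None):
    """Lint a request body; pass the stored object (from GET) when editing."""
    findings = []
    for i, entry in enumerate(body.get("entries", [])):
        findings += [f"entries[{i}]: {f}" for f in lint_entry(entry)]
    sent_flag = stored is not None and "isLsoShared" in body
    if sent_flag and body["isLsoShared"] != stored.get("isLsoShared"):
        findings.append("isLsoShared differs from the stored object (PUT/PATCH warning)")
    return findings

# Constructed samples: the entry from the page's examples, then a permissive variant.
PAGE_ENTRY = {"action": "admin", "srcStartPort": 0, "dstStartPort": 0,
              "srcSubnet": "0.0.0.0/0", "dstSubnet": "0.0.0.0/0", "log": "none"}
OPEN_ENTRY = dict(PAGE_ENTRY, action="Allow")
```

Run against the page's own sample entry, the check reports only the `"action": "admin"` value, which is not one of the four documented actions.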
Delete User Defined ACL¶
DELETE /mgmt/cm/access/working-config/apm/acl/<id>
Response¶
HTTP/1.1 200 OK
{
"aclOrder": 1,
"entries": [{
"action": "admin",
"srcStartPort": 0,
"srcEndPort": 0,
"dstStartPort": 0,
"dstEndPort": 0,
"dstSubnet": "0.0.0.0/0",
"srcSubnet": "0.0.0.0/0",
"host": "admin",
"log": "none",
"paths": "*",
"protocol": 0,
"scheme": "any"
}],
"pathMatchCase": "true",
"type": "static",
"name": "foo",
"partition": "Common",
"subPath": "/folder",
"id": "8f1fcb69-1f3c-3c0d-812e-af4fdde0ac11",
"lsoDeviceReference": {
"id": "866cfd8a-4d03-48e9-ba94-bb21a4bc2346",
"name": "bigip.foo.com",
"kind": "shared:resolver:device-groups:restdeviceresolverdevicestate",
"machineId": "866cfd8a-4d03-48e9-ba94-bb21a4bc2346",
"link": "https://localhost/mgmt/shared/foo/bar/866cfd8a-4d03-48e9-ba94-bb21a4bc2346"
},
"isLsoShared": false,
"deviceGroupReference": {
"name": "resourceName",
"kind": "shared:resolver:device-groups:devicegroupstate",
"link": "https://localhost/mgmt/shared/foo/bar/866cfd8a-4d03-48e9-ba94-bb21a4bc2346"
},
"description": "Application configuration details.",
"kind": "cm:access:working-config:apm:aaa:state",
"selfLink": "https://localhost/mgmt/cm/access/working-config/apm/f0938680-57d5-377f-8c73-da4c2ce561ed"
}