Help Center/ Cloud Firewall/ API Reference/ API/ ACL Rule Management/ Querying a Protection Rule
Updated on 2024-10-30 GMT+08:00
Online Debugging
CLI Examples
View PDF
Share

Querying a Protection Rule

Function

This API is used to query a protection rule.

Calling Method

For details, see Calling APIs.

URI

GET /v1/{project_id}/acl-rules

Table 1 Path Parameters

Parameter

Mandatory

Type

Description

project_id

Yes

String

Project ID.
Table 2 Query Parameters

Parameter

Mandatory

Type

Description

object_id

Yes

String

Protected object ID, which is used to distinguish between Internet border protection and VPC border protection after a cloud firewall is created. You can obtain the ID by calling the API for querying firewall instances. In the return value, find the ID in data.records.protect_objects.object_id (The period [.] is used to separate different levels of objects). If the value of type is 0, the protected object ID belongs to the Internet border. If the value of type is 1, the protected object ID belongs to the VPC border. You can obtain the value of type from data.records.protect_objects.type (The period [.] is used to separate different levels of objects).

type

No

Integer

Rule type: 0 (Internet rule), 1 (VPC rule), or 2 (NAT rule).

ip

No

String

IP address

name

No

String

Rule name.

direction

No

Integer

Direction: 0 (inbound), 1 (outbound).

status

No

Integer

Rule delivery status: 0 (disabled), 1 (enabled).

action_type

No

Integer

Action: 0 (allow), 1 (deny).

address_type

No

Integer

Address type: 0 (IPv4), 1 (IPv6).

limit

Yes

Integer

Number of records displayed on each page. The value ranges from 1 to 1024.

offset

Yes

Integer

Offset, which specifies the start position of the record to be returned. The value must be a number no less than 0. The default value is 0.

enterprise_project_id

No

String

Enterprise project ID, which is the ID of a project planned based on organizations. You can obtain the enterprise project ID by referring to Obtaining an Enterprise Project ID. If the enterprise project function is not enabled, the value is 0.

fw_instance_id

No

String

Firewall ID, which can be obtained by referring to Obtaining a Firewall ID.

tags_id

No

String

Rule tag ID, which is generated when a rule is created.

source

No

String

Source IP address.

destination

No

String

Destination IP address.

service

No

String

Service port.

application

No

String

Rule application type. Its value can be HTTP, HTTPS, TLS1, DNS, SSH, MYSQL, SMTP, RDP, RDPS, VNC, POP3, IMAP4, SMTPS, POP3S, FTPS, ANY, or BGP.

Request Parameters

Table 3 Request header parameters

Parameter

Mandatory

Type

Description

X-Auth-Token

Yes

String

User token. It can be obtained by calling the IAM API used to obtain a user token. The value of X-Subject-Token in the response header is a token.

Response Parameters

Status code: 200

Table 4 Response body parameters

Parameter

Type

Description

data

data object

Return value for querying the rule list.
Table 5 data

Parameter

Type

Description

offset

Integer

Offset, which specifies the start position of the record to be returned. The value must be a number no less than 0. The default value is 0.

limit

Integer

Number of records displayed on each page. The value ranges from 1 to 1024.

total

Integer

Query the total number of rules in the rule list.

object_id

String

Protected object ID, which is used to distinguish Internet border protection from VPC border protection after a CFW instance is created. You can obtain the ID by calling the API for querying a firewall instance. Note that the value 0 indicates the ID of a protected object on the Internet border, and the value 1 indicates the ID of a protected object on the VPC border.

records

Array of records objects

Query the rule list.
Table 6 records

Parameter

Type

Description

rule_id

String

Rule ID.

address_type

Integer

Address type: 0 (IPv4), 1 (IPv6).

name

String

Rule name.

direction

Integer

Rule direction: 0 (inbound), 1 (outbound).

action_type

Integer

Action: 0 (allow), 1 (deny).

status

Integer

Rule delivery status: 0 (disabled), 1 (enabled).

description

String

Description.

long_connect_time

Long

Persistent connection duration.

long_connect_enable

Integer

Persistent connection support.

long_connect_time_hour

Long

Persistent connection duration (hour).

long_connect_time_minute

Long

Persistent connection duration (minute).

long_connect_time_second

Long

Persistent connection duration (second).

source

RuleAddressDtoForResponse object

Source address object.

destination

RuleAddressDtoForResponse object

Destination address object.

service

RuleServiceDtoForResponse object

Service object.

type

Integer

Rule type: 0 (Internet rule), 1 (VPC rule), or 2 (NAT rule).

created_date

String

Rule creation time, for example, 2024-08-12 08:40:00.

last_open_time

String

Last time when the rule was enabled, for example, 2024-08-12 08:40:00.

tag

TagsVO object

Tag object attached to a rule.
Table 7 RuleAddressDtoForResponse

Parameter

Type

Description

type

Integer

Address type: 0 (manual input), 1 (associated IP address group), 2 (domain name), 3 (geographical location), 4 (domain name group) 5 (multiple objects), 6 (domain name group - DNS resolution), 7 (domain name group - website filtering).

address_type

Integer

Address type: 0 (IPv4), 1 (IPv6). If its value is 0, the input cannot be left blank.

address

String

IP address information.

address_set_id

String

ID of an associated IP address group.

address_set_name

String

IP address group name.

domain_address_name

String

Name of a domain name address.

region_list_json

String

JSON value of the rule region list.

region_list

Array of IpRegionDto objects

Rule region list.

domain_set_id

String

Domain name group ID

domain_set_name

String

Domain name group name.

ip_address

Array of strings

IP address list.

address_group

Array of strings

Address group ID list.

address_group_names

Array of AddressGroupVO objects

Address group name list.

address_set_type

Integer

Address group type: 0 (user-defined address group), 1 (WAF back-to-source IP address group), 2 (DDoS back-to-source IP address group), or 3 (NAT64 address group).
Table 8 IpRegionDto

Parameter

Type

Description

region_id

String

Region ID.

description_cn

String

Region description in Chinese, which is used only for China regions.

description_en

String

Region description in English, which is used only for non-China regions.

region_type

Integer

Region type: 0 (country), 1 (province), or 2 (continent).
Table 9 AddressGroupVO

Parameter

Type

Description

address_set_type

Integer

Address group type: 0 (user-defined address group), 1 (WAF back-to-source IP address group), 2 (DDoS back-to-source IP address group), or 3 (NAT64 address group).

name

String

Name of an associated IP address group, which can be obtained by calling the API for querying the address group list. Find the value in data.records.name (The period [.] is used to separate different levels of objects).

set_id

String

ID of an associated IP address group, which can be obtained by calling the API for querying the address group list. Find the value in data.records.set_id (The period [.] is used to separate different levels of objects).
Table 10 RuleServiceDtoForResponse

Parameter

Type

Description

type

Integer

Service input type: 0 (manual), 1 (automatic).

protocol

Integer

Protocol type: 6 (TCP), 17 (UDP), 1 (ICMP), 58 (ICMPv6), or -1 (any). It cannot be left blank when type is set to 0 (manual), and can be left blank when type is set to 1 (automatic).

protocols

Array of integers

Protocol list. Protocol type: 6 (TCP), 17 (UDP), 1 (ICMP), 58 (ICMPv6), or -1 (any). It cannot be left blank when type is set to 0 (manual), and can be left blank when type is set to 1 (automatic).

source_port

String

Source port.

dest_port

String

Destination port.

service_set_id

String

Service group ID.

service_set_name

String

Service group name.

custom_service

Array of ServiceItem objects

Custom service.

service_group

Array of strings

Service group ID list.

service_group_names

Array of ServiceGroupVO objects

Service group name list.

service_set_type

Integer

Service group type: 0 (user-defined service group), 1 (common web service), 2 (common remote login and ping), or 3 (common database).
Table 11 ServiceItem

Parameter

Type

Description

protocol

Integer

Protocol type: 6 (TCP), 17 (UDP), 1 (ICMP), 58 (ICMPv6), or -1 (any). It cannot be left blank when RuleServiceDto.type is set to 0 (manual).

source_port

String

Source port.

dest_port

String

Destination port.

description

String

Service member description.

name

String

Service member name.
Table 12 ServiceGroupVO

Parameter

Type

Description

name

String

Service group name.

protocols

Array of integers

Protocol list. Protocol type: 6 (TCP), 17 (UDP), 1 (ICMP), 58 (ICMPv6), or -1 (any).

service_set_type

Integer

Service group type: 0 (user-defined service group), 1 (predefined service group).

set_id

String

Service group ID, which can be obtained by calling the API for querying the service group list. Find the value in data.records.set_id (The period [.] is used to separate different levels of objects).
Table 13 TagsVO

Parameter

Type

Description

tag_id

String

Rule ID

tag_key

String

Rule tag key.

tag_value

String

Rule tag value.

Status code: 400

Table 14 Response body parameters

Parameter

Type

Description

error_code

String

Error code.

error_msg

String

Error description.

Example Requests

Query data on the first page of the protected object e12bd2cd-ebfc-4af7-ad6f-ebe6da398029 whose project ID is 9d80d070b6d44942af73c9c3d38e0429, with limit set to 10.

Example URL: https://{Endpoint}/v1/9d80d070b6d44942af73c9c3d38e0429/acl-rules?object_id=e12bd2cd-ebfc-4af7-ad6f-ebe6da398029&limit=10&offset=0

Example Responses

Status code: 200

Return value for querying the rule list.

{
  "data" : {
    "limit" : 10,
    "object_id" : "cfebd347-b655-4b84-b938-3c54317599b2",
    "offset" : 0,
    "records" : [ {
      "action_type" : 0,
      "address_type" : 0,
      "destination" : {
        "address" : "0.0.0.0/0",
        "address_type" : 0,
        "type" : 0
      },
      "direction" : 1,
      "long_connect_enable" : 0,
      "created_date" : "2024-02-27 04:01:17",
      "last_open_time" : "2024-02-27 04:01:17",
      "description" : "description",
      "name" : "eip_ipv4_n_w_allow",
      "rule_id" : "ffe9af47-d893-483b-86e3-ee5242e8cb15",
      "service" : {
        "dest_port" : "0",
        "protocol" : -1,
        "source_port" : "0",
        "type" : 0
      },
      "source" : {
        "address_set_id" : "48bfb09b-6f3a-4371-8ddb-05d5d7148bcc",
        "address_set_name" : "ip_group",
        "address_type" : 0,
        "type" : 1
      },
      "status" : 1,
      "type" : "0"
    } ],
    "total" : 1
  }
}

Status code: 400

Bad Request

{
  "error_code" : "CFW.0020016",
  "error_msg" : "Incorrect instance status."
}

SDK Sample Code

The SDK sample code is as follows.

Java

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
 
package com.huaweicloud.sdk.test;

import com.huaweicloud.sdk.core.auth.ICredential;
import com.huaweicloud.sdk.core.auth.BasicCredentials;
import com.huaweicloud.sdk.core.exception.ConnectionException;
import com.huaweicloud.sdk.core.exception.RequestTimeoutException;
import com.huaweicloud.sdk.core.exception.ServiceResponseException;
import com.huaweicloud.sdk.cfw.v1.region.CfwRegion;
import com.huaweicloud.sdk.cfw.v1.*;
import com.huaweicloud.sdk.cfw.v1.model.*;


public class ListAclRulesSolution {

    public static void main(String[] args) {
        // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
        // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
        String ak = System.getenv("CLOUD_SDK_AK");
        String sk = System.getenv("CLOUD_SDK_SK");
        String projectId = "{project_id}";

        ICredential auth = new BasicCredentials()
                .withProjectId(projectId)
                .withAk(ak)
                .withSk(sk);

        CfwClient client = CfwClient.newBuilder()
                .withCredential(auth)
                .withRegion(CfwRegion.valueOf("<YOUR REGION>"))
                .build();
        ListAclRulesRequest request = new ListAclRulesRequest();
        try {
            ListAclRulesResponse response = client.listAclRules(request);
            System.out.println(response.toString());
        } catch (ConnectionException e) {
            e.printStackTrace();
        } catch (RequestTimeoutException e) {
            e.printStackTrace();
        } catch (ServiceResponseException e) {
            e.printStackTrace();
            System.out.println(e.getHttpStatusCode());
            System.out.println(e.getRequestId());
            System.out.println(e.getErrorCode());
            System.out.println(e.getErrorMsg());
        }
    }
}

Python

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
 
# coding: utf-8

import os
from huaweicloudsdkcore.auth.credentials import BasicCredentials
from huaweicloudsdkcfw.v1.region.cfw_region import CfwRegion
from huaweicloudsdkcore.exceptions import exceptions
from huaweicloudsdkcfw.v1 import *

if __name__ == "__main__":
    # The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
    # In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
    ak = os.environ["CLOUD_SDK_AK"]
    sk = os.environ["CLOUD_SDK_SK"]
    projectId = "{project_id}"

    credentials = BasicCredentials(ak, sk, projectId)

    client = CfwClient.new_builder() \
        .with_credentials(credentials) \
        .with_region(CfwRegion.value_of("<YOUR REGION>")) \
        .build()

    try:
        request = ListAclRulesRequest()
        response = client.list_acl_rules(request)
        print(response)
    except exceptions.ClientRequestException as e:
        print(e.status_code)
        print(e.request_id)
        print(e.error_code)
        print(e.error_msg)

Go

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
 
package main

import (
	"fmt"
	"github.com/huaweicloud/huaweicloud-sdk-go-v3/core/auth/basic"
    cfw "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/cfw/v1"
	"github.com/huaweicloud/huaweicloud-sdk-go-v3/services/cfw/v1/model"
    region "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/cfw/v1/region"
)

func main() {
    // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
    // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
    ak := os.Getenv("CLOUD_SDK_AK")
    sk := os.Getenv("CLOUD_SDK_SK")
    projectId := "{project_id}"

    auth := basic.NewCredentialsBuilder().
        WithAk(ak).
        WithSk(sk).
        WithProjectId(projectId).
        Build()

    client := cfw.NewCfwClient(
        cfw.CfwClientBuilder().
            WithRegion(region.ValueOf("<YOUR REGION>")).
            WithCredential(auth).
            Build())

    request := &model.ListAclRulesRequest{}
	response, err := client.ListAclRules(request)
	if err == nil {
        fmt.Printf("%+v\n", response)
    } else {
        fmt.Println(err)
    }
}

More

For SDK sample code of more programming languages, see the Sample Code tab in API Explorer. SDK sample code can be automatically generated.

Status Codes

Status Code

Description

200

Return value for querying the rule list.

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

500

Internal Server Error

Error Codes

See Error Codes.

Parent topic: ACL Rule Management