Updated on 2025-08-11 GMT+08:00

Querying a Protection Rule

Function

This API is used to query a protection rule.

Calling Method

For details, see Calling APIs.

URI

GET /v1/{project_id}/acl-rules

Table 1 Path Parameters

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| project_id | Yes | String | Definition: Project ID, which is used to specify the project that an asset belongs to. You can query the assets of a project by project ID. You can obtain the project ID from the API or console. For details, see Obtaining a Project ID. Constraints: N/A. Range: 32-bit UUID. Default Value: N/A. |

Table 2 Query Parameters

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| object_id | Yes | String | Definition: Protected object ID, which is used to distinguish between Internet border protection and VPC border protection after a CFW is created. You can obtain the ID by calling the API for querying firewall instances. Find the value in data.records.protect_objects.object_id (The period [.] is used to separate different levels of objects). Constraints: If type is set to 0, object_id indicates the protected object ID of the Internet border. If type is set to 1, object_id indicates the protected object ID of the VPC border. The value of type can be obtained from data.records.protect_objects.type (The period [.] is used to separate different levels of objects). Range: 32-bit UUID. Default Value: N/A. |
| type | No | Integer | Definition: Rule type, which is used to distinguish different protected objects. Constraints: N/A. Range: 0: Internet border rule. The source and destination addresses must be EIPs or domain names. 1: Inter-VPC rule. The source and destination addresses must be private IP addresses. 2: NAT rule. The source address must be a private IP address, and the destination address must be an EIP or a domain name. Default Value: N/A. |
| ip | No | String | Definition: IP address information. Constraints: N/A. Range: N/A. Default Value: N/A. |
| name | No | String | Definition: Rule name, which is defined by a user and is used to identify a rule. Constraints: The string length can be 0 to 255 characters. Range: N/A. Default Value: N/A. |
| direction | No | Integer | Definition: Rule direction. It can be from the cloud to on-premises, or from on-premises to the cloud. Constraints: If type is set to 0 (Internet rule) or 2 (NAT rule), the direction is mandatory. Range: 0: inbound (on-premises to cloud); 1: outbound (cloud to on-premises). Default Value: N/A. |
| status | No | Integer | Definition: Rule status, which is used to determine whether a rule is enabled. Constraints: Only 0 and 1 are allowed. Range: 0: disable; 1: enable. Default Value: N/A. |
| action_type | No | Integer | Definition: Rule action type, which is used to distinguish the action of a rule on traffic. Constraints: Only 0 and 1 are allowed. Range: 0: permit; 1: deny. Default Value: N/A. |
| address_type | No | Integer | Definition: Internet protocol type of an IP address, which is specified by the customer. Constraints: N/A. Range: 0: IPv4; 1: IPv6. Default Value: N/A. |
| limit | Yes | Integer | Definition: Number of records displayed on each page. Constraints: Must be digits. Range: 1-1024. Default Value: N/A. |
| offset | Yes | Integer | Definition: Offset, which specifies the start position of the record to be returned. Constraints: Must be digits. Range: Greater than or equal to 0. Default Value: N/A. |
| enterprise_project_id | No | String | Definition: Enterprise project ID. If you plan enterprise projects based on your organization's plan, each enterprise project will have such an ID. After this parameter is configured, you can filter assets by enterprise project. You can obtain the enterprise project ID by referring to Obtaining an Enterprise Project ID. Constraints: N/A. Range: N/A. Default Value: 0. |
| fw_instance_id | No | String | Definition: Firewall ID. It is a unique ID generated after a firewall instance is created. You can obtain the firewall ID by referring to Obtaining a Firewall ID. Constraints: N/A. Range: 32-bit UUID. Default Value: N/A. |
| tags_id | No | String | Definition: Rule tag ID, which is generated when a rule is created. Constraints: N/A. Range: N/A. Default Value: N/A. |
| source | No | String | Definition: Source address. Constraints: N/A. Range: N/A. Default Value: N/A. |
| destination | No | String | Definition: Destination address. Constraints: N/A. Range: N/A. Default Value: N/A. |
| service | No | String | Definition: Service Port. Constraints: N/A. Range: N/A. Default Value: N/A. |
| application | No | String | Definition: List of protocols that a rule applies to. Constraints: N/A. Range: Rule application type. Its value can be HTTP, HTTPS, TLS1, DNS, SSH, MYSQL, SMTP, RDP, RDPS, VNC, POP3, IMAP4, SMTPS, POP3S, FTPS, ANY, or BGP. Default Value: N/A. |

Request Parameters

Table 3 Request header parameters

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| X-Auth-Token | Yes | String | Definition: User token, which carries user identity information. After the token is configured, you can use it for API authentication. You can obtain the token by referring to Obtaining a User Token. Constraints: N/A. Range: N/A. Default Value: N/A. |

Response Parameters

Status code: 200

Table 4 Response body parameters

| Parameter | Type | Description |
|---|---|---|
| data | data object | Definition: Return value for querying the rule list. |

Table 5 data

| Parameter | Type | Description |
|---|---|---|
| offset | Integer | Definition: Offset, which specifies the start position of the record to be returned. Range: Greater than or equal to 0. |
| limit | Integer | Definition: Number of records displayed on each page. Range: 1-1024. |
| total | Integer | Definition: Query the total number of rules in the rule list. Range: Greater than 0. |
| object_id | String | Definition: Protected object ID, which is used to distinguish between Internet border protection and VPC border protection after a cloud firewall is created. You can obtain the ID by calling the API for querying firewall instances. In the return value, find the ID in data.records.protect_objects.object_id (The period [.] is used to separate different levels of objects). If the value of type is 0, object_id is the protected object ID on the Internet border. If the value of type is 1, object_id is the protected object ID on the VPC border. You can obtain the value of type from data.records.protect_objects.type (The period [.] is used to separate different levels of objects). Range: 32-bit UUID. |
| up_rules_count | Integer | Definition: Number of rules on top. Range: N/A. |
| records | Array of records objects | Definition: Query the rule list. |

Table 6 records

| Parameter | Type | Description |
|---|---|---|
| rule_id | String | Definition: Rule ID. Range: N/A. |
| order_id | Integer | Definition: Sorting ID. Range: N/A. |
| applications | Array of strings | Definition: Application list. Range: N/A. |
| address_type | Integer | Definition: Address type: 0 (IPv4); 1 (IPv6). Range: N/A. |
| name | String | Definition: Rule. Range: N/A. |
| direction | Integer | Definition: Rule direction. Range: 0 (inbound), 1 (outbound). |
| action_type | Integer | Definition: Rule action type, which is used to distinguish the action of a rule on traffic. Range: 0: permit; 1: deny. |
| status | Integer | Definition: Rule status, which is used to determine whether a rule is enabled. Range: 0: disable; 1: enable. |
| description | String | Definition: Rule description, which is used to describe the usage of a rule. Range: N/A. |
| long_connect_time | Long | Definition: Persistent connection duration (in seconds). Range: 1-86,400,000. |
| long_connect_enable | Integer | Definition: Specifies whether persistent connections are supported. Range: The value 0 indicates that a feature is not supported, and the value 1 indicates that a feature is supported. |
| long_connect_time_hour | Long | Definition: Persistent connection duration (in hours). Range: 0-24,000. |
| long_connect_time_minute | Long | Definition: Persistent connection duration (in minutes). Range: 0–60. |
| long_connect_time_second | Long | Definition: Persistent connection duration (in seconds). Range: 0–60. |
| source | RuleAddressDtoForResponse object | Definition: Source address object. |
| destination | RuleAddressDtoForResponse object | Definition: Destination address object. |
| service | RuleServiceDtoForResponse object | Definition: Destination address object. |
| type | Integer | Definition: Rule type, which is used to distinguish different protected objects. Range: 0: Internet border rule. The source and destination addresses must be EIPs or domain names. 1: Inter-VPC rule. The source and destination addresses must be private IP addresses. 2: NAT rule. The source address must be a private IP address, and the destination address must be an EIP or a domain name. |
| created_date | String | Definition: Specifies the time when the assignment was added. Range: N/A. |
| modified_date | String | Definition: Time when the rule was modified. Range: N/A. |
| last_open_time | String | Definition: Last time when the rule was enabled. Range: N/A. |
| tag | TagsVO object | Definition: Tag object attached to a rule. |

Table 7 RuleAddressDtoForResponse

| Parameter | Type | Description |
|---|---|---|
| type | Integer | Definition: Address input type, which is used to distinguish different input types. Constraints: N/A. Range: 0 (manual input), 1 (associated IP address group), 2 (domain name), 3 (geographical location), 4 (domain name group), 5 (multiple objects), 6 (domain name group - network), 7 (domain name group - application). Default Value: N/A. |
| address_type | Integer | Definition: IP address protocol type, which is used to distinguish different Internet protocols. Constraints: N/A. Range: Address type: 0 (IPv4); 1 (IPv6). Default Value: N/A. |
| address | String | Definition: IP address information, which is used to specify the IP address of the rule. Constraints: N/A. Range: N/A. Default Value: N/A. |
| address_set_id | String | Definition: ID of the associated IP address group. You can query the IP address group ID by calling the API for querying address groups. Find the value in data.records.set_id (The period [.] is used to separate different levels of objects). Constraints: N/A. Range: N/A. Default Value: N/A. |
| address_set_name | String | Definition: Name of the associated IP address group. You can query the IP address group name by calling the API for querying address groups. Find the value in data.records.name (The period [.] is used to separate different levels of objects). Constraints: N/A. Range: N/A. Default Value: N/A. |
| domain_address_name | String | Definition: Domain name or domain name group name, which is used to specify the domain name or domain name group name referenced by the rule. Constraints: N/A. Range: N/A. Default Value: N/A. |
| region_list_json | String | Definition: JSON value of the rule region list, which is used to specify the region name list referenced by the rule. Constraints: N/A. Range: N/A. Default Value: N/A. |
| region_list | Array of IpRegionDto objects | Definition: Rule region list. Constraints: N/A. |
| domain_set_id | String | Definition: Domain group ID, which is used to specify the domain name group referenced by a rule. Its value can be obtained by calling the API for querying the domain name group list. Find the value in data.records.set_id (The period [.] is used to separate different levels of objects). Constraints: N/A. Range: N/A. Default Value: N/A. |
| domain_set_name | String | Definition: Domain group name, which is used to specify the domain name group referenced by a rule. Its value can be obtained by calling the API for querying the domain name group list. Find the value in data.records.name (The period [.] is used to separate different levels of objects). Constraints: N/A. Range: N/A. Default Value: N/A. |
| ip_address | Array of strings | Definition: IP address list, which is used to specify the IP address list referenced by a rule. Constraints: N/A. Range: N/A. Default Value: N/A. |
| address_group | Array of strings | Definition: Address group ID list, which is used to specify the list of address group IDs referenced by a rule. Its value can be obtained by calling the API for querying the address group list. Find the value in data.records.set_id (The period [.] is used to separate different levels of objects). In the search criteria, query_address_set_type must be set to 0 (user-defined address group). Constraints: N/A. Range: N/A. Default Value: N/A. |
| address_group_names | Array of AddressGroupVO objects | Definition: Address group name list. Constraints: N/A. |
| address_set_type | Integer | Definition: Address group type, which is used to specify the address group type referenced by a rule. Constraints: N/A. Range: 0 (user-defined address group), 1 (WAF proxy IP address group), or 3 (NAT64 address group). Default Value: N/A. |

Table 8 IpRegionDto

| Parameter | Type | Description |
|---|---|---|
| region_id | String | Definition: Region ID, which is used to specify the region where a rule is used. You can obtain the region ID by referring to Obtaining the Names and IDs of an Account, IAM User, Project, User Group, Region, and Agency. Constraints: N/A. Range: N/A. Default Value: N/A. |
| description_cn | String | Definition: Region description in Chinese, which is used only for China regions and can be obtained from the region information table. Constraints: N/A. Range: N/A. Default Value: N/A. |
| description_en | String | Definition: Region description in English, which is used only for non-China regions and can be obtained from the region information table. Constraints: N/A. Range: N/A. Default Value: N/A. |
| region_type | Integer | Definition: Area type. Constraints: N/A. Range: 0: country; 1: province; 2: continent. Default Value: N/A. |

Table 9 AddressGroupVO

| Parameter | Type | Description |
|---|---|---|
| address_set_type | Integer | Address group type: 0 (user-defined address group), 1 (WAF proxy IP address group), 2 (DDoS back-to-source IP address group), or 3 (NAT64 address group). |
| name | String | Name of an associated IP address group, which can be obtained by calling the API for querying the address group list. Find the value in data.records.name (The period [.] is used to separate different levels of objects). |
| set_id | String | ID of an associated IP address group, which can be obtained by calling the API for querying the address group list. Find the value in data.records.set_id (The period [.] is used to separate different levels of objects). |

Table 10 RuleServiceDtoForResponse

| Parameter | Type | Description |
|---|---|---|
| type | Integer | Service input type: 0 (manual), 1 (automatic). |
| protocol | Integer | Protocol type: 6 (TCP), 17 (UDP), 1 (ICMP), 58 (ICMPv6), or -1 (any). It cannot be left blank when type is set to 0 (manual), and can be left blank when type is set to 1 (automatic). |
| protocols | Array of integers | Protocol list. Protocol type: 6 (TCP), 17 (UDP), 1 (ICMP), 58 (ICMPv6), or -1 (any). It cannot be left blank when type is set to 0 (manual), and can be left blank when type is set to 1 (automatic). |
| source_port | String | Source port. |
| dest_port | String | Destination port. |
| service_set_id | String | Service group ID. |
| service_set_name | String | Service group name. |
| custom_service | Array of ServiceItem objects | Custom service. |
| service_group | Array of strings | Service group ID list. |
| service_group_names | Array of ServiceGroupVO objects | Service group name list. |
| service_set_type | Integer | Service group type: 0 (user-defined service group), 1 (common web service), 2 (common remote login and ping), or 3 (common database). |

Table 11 ServiceItem

| Parameter | Type | Description |
|---|---|---|
| protocol | Integer | Definition: Protocol type, which is used to specify the network protocol of a rule. Constraints: If RuleServiceDto.type is set to 0, this parameter cannot be left blank. Range: 6 (TCP), 17 (UDP), 1 (ICMP), 58 (ICMPv6), or -1 (Any). Default Value: N/A. |
| source_port | String | Definition: Source port, that is, the port of the session initiator. Constraints: N/A. Range: N/A. Default Value: N/A. |
| dest_port | String | Definition: Destination port, that is, the port of the session receiver. Constraints: N/A. Range: N/A. Default Value: N/A. |
| description | String | Definition: Service (protocol, source port, or destination port) member. Constraints: The value must be a string consisting of 0 to 255 characters. Range: N/A. Default Value: N/A. |
| name | String | Definition: Service (protocol, source port, or destination port) member. Constraints: The value must be a string consisting of 0 to 255 characters. Range: N/A. Default Value: N/A. |

Table 12 ServiceGroupVO

| Parameter | Type | Description |
|---|---|---|
| name | String | Definition: Name of a service (protocol, source port, or destination port) group. Constraints: N/A. Range: N/A. Default Value: N/A. |
| protocols | Array of integers | Definition: Protocol List. Constraints: N/A. Range: Protocol type: 6 (TCP), 17 (UDP), 1 (ICMP), 58 (ICMPv6), or -1 (Any). Default Value: N/A. |
| service_set_type | Integer | Definition: Type of a service (protocol, source port, or destination port) group. Constraints: N/A. Range: 0: custom service group; 1: predefined service group. Default Value: N/A. |
| set_id | String | Definition: Service group ID, which can be obtained by calling the API for querying the service group list. Find the value in data.records.set_id (The period [.] is used to separate different levels of objects). Constraints: N/A. Range: N/A. Default Value: N/A. |

Table 13 TagsVO

| Parameter | Type | Description |
|---|---|---|
| tag_id | String | Definition: Rule ID. Constraints: N/A. Range: N/A. Default Value: N/A. |
| tag_key | String | Definition: Rule tag key. Constraints: N/A. Range: N/A. Default Value: N/A. |
| tag_value | String | Definition: Rule tag value. Constraints: N/A. Range: N/A. Default Value: N/A. |

Status code: 400

Table 14 Response body parameters

| Parameter | Type | Description |
|---|---|---|
| error_code | String | Error code. |
| error_msg | String | Error description. |

Example Requests

Query data on the first page of the protected object e12bd2cd-ebfc-4af7-ad6f-ebe6da398029 whose project ID is 9d80d070b6d44942af73c9c3d38e0429, with limit set to 10.

Example URL: https://{Endpoint}/v1/9d80d070b6d44942af73c9c3d38e0429/acl-rules?object_id=e12bd2cd-ebfc-4af7-ad6f-ebe6da398029&limit=10&offset=0

Example Responses

Status code: 200

Return value for querying the rule list.

{
  "data" : {
    "limit" : 10,
    "object_id" : "cfebd347-b655-4b84-b938-3c54317599b2",
    "offset" : 0,
    "records" : [ {
      "action_type" : 0,
      "address_type" : 0,
      "destination" : {
        "address" : "0.0.0.0/0",
        "address_type" : 0,
        "type" : 0
      },
      "direction" : 1,
      "long_connect_enable" : 0,
      "created_date" : "2024-02-27 04:01:17",
      "modified_date" : "2024-02-27 04:01:17",
      "last_open_time" : "2024-02-27 04:01:17",
      "description" : "description",
      "name" : "eip_ipv4_n_w_allow",
      "rule_id" : "ffe9af47-d893-483b-86e3-ee5242e8cb15",
      "order_id" : 1000000,
      "service" : {
        "dest_port" : "0",
        "protocol" : -1,
        "source_port" : "0",
        "type" : 0
      },
      "source" : {
        "address_set_id" : "48bfb09b-6f3a-4371-8ddb-05d5d7148bcc",
        "address_set_name" : "ip_group",
        "address_type" : 0,
        "type" : 1
      },
      "status" : 1,
      "type" : "0"
    } ],
    "total" : 1,
    "up_rules_count" : 0
  }
}

Status code: 400

Bad Request

{
  "error_code" : "CFW.0020016",
  "error_msg" : "Incorrect instance status."
}

SDK Sample Code

The SDK sample code is as follows.

Java

package com.huaweicloud.sdk.test;

import com.huaweicloud.sdk.core.auth.ICredential;
import com.huaweicloud.sdk.core.auth.BasicCredentials;
import com.huaweicloud.sdk.core.exception.ConnectionException;
import com.huaweicloud.sdk.core.exception.RequestTimeoutException;
import com.huaweicloud.sdk.core.exception.ServiceResponseException;
import com.huaweicloud.sdk.cfw.v1.region.CfwRegion;
import com.huaweicloud.sdk.cfw.v1.*;
import com.huaweicloud.sdk.cfw.v1.model.*;


public class ListAclRulesSolution {

    public static void main(String[] args) {
        // Hard-coding the AK and SK, or storing them in plaintext, poses great security risks. Store them in ciphertext in configuration files or environment variables and decrypt them when they are used.
        // In this example, the AK and SK are read from environment variables. Before running it, set the environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment.
        String ak = System.getenv("CLOUD_SDK_AK");
        String sk = System.getenv("CLOUD_SDK_SK");
        String projectId = "{project_id}";

        ICredential auth = new BasicCredentials()
                .withProjectId(projectId)
                .withAk(ak)
                .withSk(sk);

        CfwClient client = CfwClient.newBuilder()
                .withCredential(auth)
                .withRegion(CfwRegion.valueOf("<YOUR REGION>"))
                .build();
        ListAclRulesRequest request = new ListAclRulesRequest();
        try {
            ListAclRulesResponse response = client.listAclRules(request);
            System.out.println(response.toString());
        } catch (ConnectionException e) {
            e.printStackTrace();
        } catch (RequestTimeoutException e) {
            e.printStackTrace();
        } catch (ServiceResponseException e) {
            e.printStackTrace();
            System.out.println(e.getHttpStatusCode());
            System.out.println(e.getRequestId());
            System.out.println(e.getErrorCode());
            System.out.println(e.getErrorMsg());
        }
    }
}

Python

# coding: utf-8

import os
from huaweicloudsdkcore.auth.credentials import BasicCredentials
from huaweicloudsdkcfw.v1.region.cfw_region import CfwRegion
from huaweicloudsdkcore.exceptions import exceptions
from huaweicloudsdkcfw.v1 import *

if __name__ == "__main__":
    # Hard-coding the AK and SK, or storing them in plaintext, poses great security risks. Store them in ciphertext in configuration files or environment variables and decrypt them when they are used.
    # In this example, the AK and SK are read from environment variables. Before running it, set the environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment.
    ak = os.environ["CLOUD_SDK_AK"]
    sk = os.environ["CLOUD_SDK_SK"]
    projectId = "{project_id}"

    credentials = BasicCredentials(ak, sk, projectId)

    client = CfwClient.new_builder() \
        .with_credentials(credentials) \
        .with_region(CfwRegion.value_of("<YOUR REGION>")) \
        .build()

    try:
        request = ListAclRulesRequest()
        response = client.list_acl_rules(request)
        print(response)
    except exceptions.ClientRequestException as e:
        print(e.status_code)
        print(e.request_id)
        print(e.error_code)
        print(e.error_msg)

Go

package main

import (
	"fmt"
	"os"

	"github.com/huaweicloud/huaweicloud-sdk-go-v3/core/auth/basic"
	cfw "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/cfw/v1"
	"github.com/huaweicloud/huaweicloud-sdk-go-v3/services/cfw/v1/model"
	region "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/cfw/v1/region"
)

func main() {
	// Hard-coding the AK and SK, or storing them in plaintext, poses great security risks. Store them in ciphertext in configuration files or environment variables and decrypt them when they are used.
	// In this example, the AK and SK are read from environment variables. Before running it, set the environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment.
	ak := os.Getenv("CLOUD_SDK_AK")
	sk := os.Getenv("CLOUD_SDK_SK")
	projectId := "{project_id}"

	auth := basic.NewCredentialsBuilder().
		WithAk(ak).
		WithSk(sk).
		WithProjectId(projectId).
		Build()

	client := cfw.NewCfwClient(
		cfw.CfwClientBuilder().
			WithRegion(region.ValueOf("<YOUR REGION>")).
			WithCredential(auth).
			Build())

	request := &model.ListAclRulesRequest{}
	response, err := client.ListAclRules(request)
	if err == nil {
		fmt.Printf("%+v\n", response)
	} else {
		fmt.Println(err)
	}
}

For SDK sample code of more programming languages, see the Sample Code tab in API Explorer. SDK sample code can be automatically generated.
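
The following is an added example, not Huawei Cloud SDK code and not part of the original page: it pages through the rule list with limit and offset until data.total is reached, then flags enabled permit rules that allow any protocol to or from 0.0.0.0/0 or ::/0, like the rule in the 200 example response. The fetch_page callable, the sample records other than the first, and the "overly broad" criteria are assumptions of this example.

```python
from urllib.parse import urlencode

ANY_NETS = {"0.0.0.0/0", "::/0"}

# Constructed sample records; the first mirrors the rule in the 200 example above.
SAMPLE_RULES = [
    {"rule_id": "ffe9af47-d893-483b-86e3-ee5242e8cb15", "name": "eip_ipv4_n_w_allow",
     "status": 1, "action_type": 0, "source": {"type": 1, "address_set_name": "ip_group"},
     "destination": {"type": 0, "address": "0.0.0.0/0"}, "service": {"type": 0, "protocol": -1}},
    {"rule_id": "constructed-0002", "name": "web_out_443", "status": 1, "action_type": 0,
     "source": {"type": 0, "address": "10.0.0.0/24"},
     "destination": {"type": 0, "address": "0.0.0.0/0"}, "service": {"type": 0, "protocol": 6}},
    {"rule_id": "constructed-0003", "name": "old_any_any", "status": 0, "action_type": 0,
     "source": {"type": 0, "address": "0.0.0.0/0"},
     "destination": {"type": 0, "address": "0.0.0.0/0"}, "service": {"type": 0, "protocol": -1}},
    {"rule_id": "constructed-0004", "name": "default_deny", "status": 1, "action_type": 1,
     "source": {"type": 0, "address": "0.0.0.0/0"},
     "destination": {"type": 0, "address": "0.0.0.0/0"}, "service": {"type": 0, "protocol": -1}},
]


def sample_fetch(limit, offset):
    """Offline stand-in for the HTTP call: serves SAMPLE_RULES page by page."""
    return {"data": {"limit": limit, "offset": offset, "total": len(SAMPLE_RULES),
                     "records": SAMPLE_RULES[offset:offset + limit]}}


def build_url(endpoint, project_id, object_id, limit=100, offset=0):
    """Build the GET URL with the three mandatory query parameters (Table 2)."""
    if not 1 <= limit <= 1024:
        raise ValueError("limit must be in the range 1-1024")
    if offset < 0:
        raise ValueError("offset must be greater than or equal to 0")
    query = urlencode({"object_id": object_id, "limit": limit, "offset": offset})
    return f"https://{endpoint}/v1/{project_id}/acl-rules?{query}"


def iter_rules(fetch_page, limit=100):
    """Yield every record; fetch_page(limit, offset) returns one decoded 200 body."""
    offset = 0
    while True:
        data = fetch_page(limit, offset)["data"]
        records = data.get("records") or []
        yield from records
        offset += limit
        if not records or offset >= data.get("total", 0):
            return


def is_any_address(addr):
    """True for a manually entered address (type 0) that covers every host."""
    return addr.get("type") == 0 and addr.get("address") in ANY_NETS


def is_any_service(svc):
    """True when the service matches protocol -1 (any)."""
    protos = svc.get("protocols") or [svc.get("protocol")]
    return -1 in protos


def audit(rules):
    """Return (rule_id, name, reason) for enabled permit rules that are overly broad."""
    findings = []
    for r in rules:
        if r.get("status") != 1 or r.get("action_type") != 0:
            continue  # disabled rules and deny rules are not reported
        wide = [side for side in ("source", "destination")
                if is_any_address(r.get(side) or {})]
        if wide and is_any_service(r.get("service") or {}):
            findings.append((r["rule_id"], r["name"],
                             f"permit any protocol, any {'/'.join(wide)}"))
    return findings
```

To run it against a live firewall, replace sample_fetch with a function that sends the request built by build_url with the X-Auth-Token header and returns the decoded JSON body.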

Status Codes

| Status Code | Description |
|---|---|
| 200 | Return value for querying the rule list. |
| 400 | Bad Request |
| 401 | Unauthorized: Request error. |
| 403 | Forbidden: Access forbidden. |
| 404 | Not Found: Web page not found. |
| 500 | Internal Server Error |

Error Codes

See Error Codes.