Querying a Protection Rule
Function
This API is used to query a protection rule.
Calling Method
For details, see Calling APIs.
URI
GET /v1/{project_id}/acl-rules
Parameter | Mandatory | Type | Description |
---|---|---|---|
project_id | Yes | String | Definition: Project ID, which is used to specify the project that an asset belongs to. You can query the assets of a project by project ID. You can obtain the project ID from the API or console. For details, see Obtaining a Project ID. Constraints: N/A Range: 32-bit UUID Default Value: N/A |

Parameter | Mandatory | Type | Description |
---|---|---|---|
object_id | Yes | String | Definition: Protected object ID, which is used to distinguish between Internet border protection and VPC border protection after a CFW is created. You can obtain the ID by calling the API for querying firewall instances. Find the value in data.records.protect_objects.object_id (The period [.] is used to separate different levels of objects). Constraints: If type is set to 0, object_id indicates the protected object ID of the Internet border. If type is set to 1, object_id indicates the protected object ID of the VPC border. The value of type can be obtained from data.records.protect_objects.type (The period [.] is used to separate different levels of objects). Range: 32-bit UUID Default Value: N/A |
type | No | Integer | Definition: Rule type, which is used to distinguish different protected objects. Constraints: N/A Range: 0: Internet border rule. The source and destination addresses must be EIPs or domain names. 1: Inter-VPC rule. The source and destination addresses must be private IP addresses. 2: NAT rule. The source address must be a private IP address, and the destination address must be an EIP or a domain name. Default Value: N/A |
ip | No | String | Definition: IP address information. Constraints: N/A Range: N/A Default Value: N/A |
name | No | String | Definition: Rule name, which is defined by a user and is used to identify a rule. Constraints: The string length can be 0 to 255 characters. Range: N/A Default Value: N/A |
direction | No | Integer | Definition: Rule direction. It can be from the cloud to on-premises, or from on-premises to the cloud. Constraints: If type is set to 0 (Internet rule) or 2 (NAT rule), the direction is mandatory. Range: 0: inbound (on-premises to cloud); 1: outbound (cloud to on-premises). Default Value: N/A |
status | No | Integer | Definition: Rule status, which is used to determine whether a rule is enabled. Constraints: Only 0 and 1 are allowed. Range: 0: disable; 1: enable Default Value: N/A |
action_type | No | Integer | Definition: Rule action type, which is used to distinguish the action of a rule on traffic. Constraints: Only 0 and 1 are allowed. Range: 0: permit; 1: deny Default Value: N/A |
address_type | No | Integer | Definition: Internet protocol type of an IP address, which is specified by the customer. Constraints: N/A Range: 0: IPv4; 1: IPv6 Default Value: N/A |
limit | Yes | Integer | Definition: Number of records displayed on each page. Constraints: Must be digits Range: 1-1024 Default Value: N/A |
offset | Yes | Integer | Definition: Offset, which specifies the start position of the record to be returned. Constraints: Must be digits Range: Greater than or equal to 0 Default Value: N/A |
enterprise_project_id | No | String | Definition: Enterprise project ID. If you plan enterprise projects based on your organization's plan, each enterprise project will have such an ID. After this parameter is configured, you can filter assets by enterprise project. You can obtain the enterprise project ID by referring to Obtaining an Enterprise Project ID. Constraints: N/A Range: N/A Default Value: 0 |
fw_instance_id | No | String | Definition: Firewall ID. It is a unique ID generated after a firewall instance is created. You can obtain the firewall ID by referring to Obtaining a Firewall ID. Constraints: N/A Range: 32-bit UUID Default Value: N/A |
tags_id | No | String | Definition: Rule tag ID, which is generated when a rule is created. Constraints: N/A Range: N/A Default Value: N/A |
source | No | String | Definition: Source address. Constraints: N/A Range: N/A Default Value: N/A |
destination | No | String | Definition: Destination address. Constraints: N/A Range: N/A Default Value: N/A |
service | No | String | Definition: Service Port Constraints: N/A Range: N/A Default Value: N/A |
application | No | String | Definition: List of protocols that a rule applies to. Constraints: N/A Range: Rule application type. Its value can be HTTP, HTTPS, TLS1, DNS, SSH, MYSQL, SMTP, RDP, RDPS, VNC, POP3, IMAP4, SMTPS, POP3S, FTPS, ANY, or BGP. Default Value: N/A |
Request Parameters
Parameter | Mandatory | Type | Description |
---|---|---|---|
X-Auth-Token | Yes | String | Definition: User token, which carries user identity information. After the token is configured, you can use it for API authentication. You can obtain the token by referring to Obtaining a User Token. Constraints: N/A Range: N/A Default Value: N/A |
Response Parameters
Status code: 200
Parameter | Type | Description |
---|---|---|
data | data object | Definition: Return value for querying the rule list. |

Parameter | Type | Description |
---|---|---|
offset | Integer | Definition: Offset, which specifies the start position of the record to be returned. Range: Greater than or equal to 0 |
limit | Integer | Definition: Number of records displayed on each page. Range: 1-1024 |
total | Integer | Definition: Query the total number of rules in the rule list. Range: Greater than 0 |
object_id | String | Definition: Protected object ID, which is used to distinguish between Internet border protection and VPC border protection after a cloud firewall is created. You can obtain the ID by calling the API for querying firewall instances. In the return value, find the ID in data.records.protect_objects.object_id (The period [.] is used to separate different levels of objects). If the value of type is 0, object_id is the protected object ID on the Internet border. If the value of type is 1, object_id is the protected object ID on the VPC border. You can obtain the value of type from data.records.protect_objects.type (The period [.] is used to separate different levels of objects). Range: 32-bit UUID |
up_rules_count | Integer | Definition: Number of rules on top. Range: N/A |
records | Array of records objects | Definition: Query the rule list. |

Parameter | Type | Description |
---|---|---|
rule_id | String | Definition: Rule ID Range: N/A |
order_id | Integer | Definition: Sorting ID. Range: N/A |
applications | Array of strings | Definition: Application list. Range: N/A |
address_type | Integer | Definition: Address type: 0 (IPv4); 1 (IPv6) Range: N/A |
name | String | Definition: Rule Range: N/A |
direction | Integer | Definition: Rule direction. Range: 0 (inbound), 1 (outbound) |
action_type | Integer | Definition: Rule action type, which is used to distinguish the action of a rule on traffic. Range: 0: permit; 1: deny |
status | Integer | Definition: Rule status, which is used to determine whether a rule is enabled. Range: 0: disable; 1: enable |
description | String | Definition: Rule description, which is used to describe the usage of a rule. Range: N/A |
long_connect_time | Long | Definition: Persistent connection duration (in seconds). Range: 1-86,400,000. |
long_connect_enable | Integer | Definition: Specifies whether persistent connections are supported. Range: The value 0 indicates that a feature is not supported, and the value 1 indicates that a feature is supported. |
long_connect_time_hour | Long | Definition: Persistent connection duration (in hours). Range: 0-24,000. |
long_connect_time_minute | Long | Definition: Persistent connection duration (in minutes). Range: 0–60 |
long_connect_time_second | Long | Definition: Persistent connection duration (in seconds). Range: 0–60 |
source | RuleAddressDtoForResponse object | Definition: Source address object. |
destination | RuleAddressDtoForResponse object | Definition: Destination address object. |
service | RuleServiceDtoForResponse object | Definition: Destination address object. |
type | Integer | Definition: Rule type, which is used to distinguish different protected objects. Range: 0: Internet border rule. The source and destination addresses must be EIPs or domain names. 1: Inter-VPC rule. The source and destination addresses must be private IP addresses. 2: NAT rule. The source address must be a private IP address, and the destination address must be an EIP or a domain name. |
created_date | String | Definition: Specifies the time when the assignment was added. Range: N/A |
modified_date | String | Definition: Time when the rule was modified. Range: N/A |
last_open_time | String | Definition: Last time when the rule was enabled. Range: N/A |
tag | TagsVO object | Definition: Tag object attached to a rule. |

Parameter | Type | Description |
---|---|---|
type | Integer | Definition: Address input type, which is used to distinguish different input types. Constraints: N/A Range: 0 (manual input), 1 (associated IP address group), 2 (domain name), 3 (geographical location), 4 (domain name group), 5 (multiple objects), 6 (domain name group - network), 7 (domain name group - application). Default Value: N/A |
address_type | Integer | Definition: IP address protocol type, which is used to distinguish different Internet protocols. Constraints: N/A Range: Address type: 0 (IPv4); 1 (IPv6) Default Value: N/A |
address | String | Definition: IP address information, which is used to specify the IP address of the rule. Constraints: N/A Range: N/A Default Value: N/A |
address_set_id | String | Definition: ID of the associated IP address group. You can query the IP address group ID by calling the API for querying address groups. Find the value in data.records.set_id (The period [.] is used to separate different levels of objects). Constraints: N/A Range: N/A Default Value: N/A |
address_set_name | String | Definition: Name of the associated IP address group. You can query the IP address group name by calling the API for querying address groups. Find the value in data.records.name (The period [.] is used to separate different levels of objects). Constraints: N/A Range: N/A Default Value: N/A |
domain_address_name | String | Definition: Domain name or domain name group name, which is used to specify the domain name or domain name group name referenced by the rule. Constraints: N/A Range: N/A Default Value: N/A |
region_list_json | String | Definition: JSON value of the rule region list, which is used to specify the region name list referenced by the rule. Constraints: N/A Range: N/A Default Value: N/A |
region_list | Array of IpRegionDto objects | Definition: Rule region list. Constraints: N/A |
domain_set_id | String | Definition: Domain group ID, which is used to specify the domain name group referenced by a rule. Its value can be obtained by calling the API for querying the domain name group list. Find the value in data.records.set_id (The period [.] is used to separate different levels of objects). Constraints: N/A Range: N/A Default Value: N/A |
domain_set_name | String | Definition: Domain group name, which is used to specify the domain name group referenced by a rule. Its value can be obtained by calling the API for querying the domain name group list. Find the value in data.records.name (The period [.] is used to separate different levels of objects). Constraints: N/A Range: N/A Default Value: N/A |
ip_address | Array of strings | Definition: IP address list, which is used to specify the IP address list referenced by a rule. Constraints: N/A Range: N/A Default Value: N/A |
address_group | Array of strings | Definition: Address group ID list, which is used to specify the list of address group IDs referenced by a rule. Its value can be obtained by calling the API for querying the address group list. Find the value in data.records.set_id (The period [.] is used to separate different levels of objects). In the search criteria, query_address_set_type must be set to 0 (user-defined address group). Constraints: N/A Range: N/A Default Value: N/A |
address_group_names | Array of AddressGroupVO objects | Definition: Address group name list. Constraints: N/A |
address_set_type | Integer | Definition: Address group type, which is used to specify the address group type referenced by a rule. Constraints: N/A Range: 0 (user-defined address group), 1 (WAF proxy IP address group), or 3 (NAT64 address group) Default Value: N/A |

Parameter | Type | Description |
---|---|---|
region_id | String | Definition: Region ID, which is used to specify the region where a rule is used. You can obtain the region ID by referring to Obtaining the Names and IDs of an Account, IAM User, Project, User Group, Region, and Agency. Constraints: N/A Range: N/A Default Value: N/A |
description_cn | String | Definition: Region description in Chinese, which is used only for China regions and can be obtained from the region information table. Constraints: N/A Range: N/A Default Value: N/A |
description_en | String | Definition: Region description in English, which is used only for non-China regions and can be obtained from the region information table. Constraints: N/A Range: N/A Default Value: N/A |
region_type | Integer | Definition: Area type Constraints: N/A Range: 0: country; 1: province; 2: continent Default Value: N/A |

Parameter | Type | Description |
---|---|---|
address_set_type | Integer | Address group type: 0 (user-defined address group), 1 (WAF proxy IP address group), 2 (DDoS back-to-source IP address group), or 3 (NAT64 address group). |
name | String | Name of an associated IP address group, which can be obtained by calling the API for querying the address group list. Find the value in data.records.name (The period [.] is used to separate different levels of objects). |
set_id | String | ID of an associated IP address group, which can be obtained by calling the API for querying the address group list. Find the value in data.records.set_id (The period [.] is used to separate different levels of objects). |

Parameter | Type | Description |
---|---|---|
type | Integer | Service input type: 0 (manual), 1 (automatic). |
protocol | Integer | Protocol type: 6 (TCP), 17 (UDP), 1 (ICMP), 58 (ICMPv6), or -1 (any). It cannot be left blank when type is set to 0 (manual), and can be left blank when type is set to 1 (automatic). |
protocols | Array of integers | Protocol list. Protocol type: 6 (TCP), 17 (UDP), 1 (ICMP), 58 (ICMPv6), or -1 (any). It cannot be left blank when type is set to 0 (manual), and can be left blank when type is set to 1 (automatic). |
source_port | String | Source port. |
dest_port | String | Destination port. |
service_set_id | String | Service group ID. |
service_set_name | String | Service group name. |
custom_service | Array of ServiceItem objects | Custom service. |
service_group | Array of strings | Service group ID list. |
service_group_names | Array of ServiceGroupVO objects | Service group name list. |
service_set_type | Integer | Service group type: 0 (user-defined service group), 1 (common web service), 2 (common remote login and ping), or 3 (common database). |

Parameter | Type | Description |
---|---|---|
protocol | Integer | Definition: Protocol type, which is used to specify the network protocol of a rule. Constraints: If RuleServiceDto.type is set to 0, this parameter cannot be left blank. Range: 6 (TCP), 17 (UDP), 1 (ICMP), 58 (ICMPv6), or -1 (Any). Default Value: N/A |
source_port | String | Definition: Source port, that is, the port of the session initiator. Constraints: N/A Range: N/A Default Value: N/A |
dest_port | String | Definition: Destination port, that is, the port of the session receiver. Constraints: N/A Range: N/A Default Value: N/A |
description | String | Definition: Service (protocol, source port, or destination port) member. Constraints: The value must be a string consisting of 0 to 255 characters. Range: N/A Default Value: N/A |
name | String | Definition: Service (protocol, source port, or destination port) member. Constraints: The value must be a string consisting of 0 to 255 characters. Range: N/A Default Value: N/A |

Parameter | Type | Description |
---|---|---|
name | String | Definition: Name of a service (protocol, source port, or destination port) group. Constraints: N/A Range: N/A Default Value: N/A |
protocols | Array of integers | Definition: Protocol List Constraints: N/A Range: Protocol type: 6 (TCP), 17 (UDP), 1 (ICMP), 58 (ICMPv6), or -1 (Any). Default Value: N/A |
service_set_type | Integer | Definition: Type of a service (protocol, source port, or destination port) group. Constraints: N/A Range: 0: custom service group; 1: predefined service group Default Value: N/A |
set_id | String | Definition: Service group ID, which can be obtained by calling the API for querying the service group list. Find the value in data.records.set_id (The period [.] is used to separate different levels of objects). Constraints: N/A Range: N/A Default Value: N/A |

Parameter | Type | Description |
---|---|---|
tag_id | String | Definition: Rule ID Constraints: N/A Range: N/A Default Value: N/A |
tag_key | String | Definition: Rule tag key. Constraints: N/A Range: N/A Default Value: N/A |
tag_value | String | Definition: Rule tag value. Constraints: N/A Range: N/A Default Value: N/A |
Status code: 400
Parameter | Type | Description |
---|---|---|
error_code | String | Error code. |
error_msg | String | Error description. |
Example Requests
Query data on the first page of the protected object e12bd2cd-ebfc-4af7-ad6f-ebe6da398029 whose project ID is 9d80d070b6d44942af73c9c3d38e0429, with limit set to 10.
Example URL: https://{Endpoint}/v1/9d80d070b6d44942af73c9c3d38e0429/acl-rules?object_id=e12bd2cd-ebfc-4af7-ad6f-ebe6da398029&limit=10&offset=0
Example Responses
Status code: 200
Return value for querying the rule list.
```json
{
  "data": {
    "limit": 10,
    "object_id": "cfebd347-b655-4b84-b938-3c54317599b2",
    "offset": 0,
    "records": [
      {
        "action_type": 0,
        "address_type": 0,
        "destination": {
          "address": "0.0.0.0/0",
          "address_type": 0,
          "type": 0
        },
        "direction": 1,
        "long_connect_enable": 0,
        "created_date": "2024-02-27 04:01:17",
        "modified_date": "2024-02-27 04:01:17",
        "last_open_time": "2024-02-27 04:01:17",
        "description": "description",
        "name": "eip_ipv4_n_w_allow",
        "rule_id": "ffe9af47-d893-483b-86e3-ee5242e8cb15",
        "order_id": 1000000,
        "service": {
          "dest_port": "0",
          "protocol": -1,
          "source_port": "0",
          "type": 0
        },
        "source": {
          "address_set_id": "48bfb09b-6f3a-4371-8ddb-05d5d7148bcc",
          "address_set_name": "ip_group",
          "address_type": 0,
          "type": 1
        },
        "status": 1,
        "type": "0"
      }
    ],
    "total": 1,
    "up_rules_count": 0
  }
}
```
Status code: 400
Bad Request
```json
{
  "error_code": "CFW.0020016",
  "error_msg": "Incorrect instance status."
}
```
SDK Sample Code
The SDK sample code is as follows.
```java
package com.huaweicloud.sdk.test;

import com.huaweicloud.sdk.core.auth.ICredential;
import com.huaweicloud.sdk.core.auth.BasicCredentials;
import com.huaweicloud.sdk.core.exception.ConnectionException;
import com.huaweicloud.sdk.core.exception.RequestTimeoutException;
import com.huaweicloud.sdk.core.exception.ServiceResponseException;
import com.huaweicloud.sdk.cfw.v1.region.CfwRegion;
import com.huaweicloud.sdk.cfw.v1.*;
import com.huaweicloud.sdk.cfw.v1.model.*;

public class ListAclRulesSolution {

    public static void main(String[] args) {
        // Hard-coding the AK and SK used for authentication, or storing them in plaintext, poses great security risks.
        // It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables
        // and decrypted during use to ensure security.
        // In this example, AK and SK are stored in environment variables for authentication. Before running this
        // example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment.
        String ak = System.getenv("CLOUD_SDK_AK");
        String sk = System.getenv("CLOUD_SDK_SK");
        String projectId = "{project_id}";

        ICredential auth = new BasicCredentials()
                .withProjectId(projectId)
                .withAk(ak)
                .withSk(sk);

        CfwClient client = CfwClient.newBuilder()
                .withCredential(auth)
                .withRegion(CfwRegion.valueOf("<YOUR REGION>"))
                .build();
        ListAclRulesRequest request = new ListAclRulesRequest();
        try {
            ListAclRulesResponse response = client.listAclRules(request);
            System.out.println(response.toString());
        } catch (ConnectionException e) {
            e.printStackTrace();
        } catch (RequestTimeoutException e) {
            e.printStackTrace();
        } catch (ServiceResponseException e) {
            e.printStackTrace();
            System.out.println(e.getHttpStatusCode());
            System.out.println(e.getRequestId());
            System.out.println(e.getErrorCode());
            System.out.println(e.getErrorMsg());
        }
    }
}
```
```python
# coding: utf-8

import os
from huaweicloudsdkcore.auth.credentials import BasicCredentials
from huaweicloudsdkcfw.v1.region.cfw_region import CfwRegion
from huaweicloudsdkcore.exceptions import exceptions
from huaweicloudsdkcfw.v1 import *

if __name__ == "__main__":
    # Hard-coding the AK and SK used for authentication, or storing them in plaintext, poses great security risks.
    # It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables
    # and decrypted during use to ensure security.
    # In this example, AK and SK are stored in environment variables for authentication. Before running this
    # example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment.
    ak = os.environ["CLOUD_SDK_AK"]
    sk = os.environ["CLOUD_SDK_SK"]
    projectId = "{project_id}"

    credentials = BasicCredentials(ak, sk, projectId)

    client = CfwClient.new_builder() \
        .with_credentials(credentials) \
        .with_region(CfwRegion.value_of("<YOUR REGION>")) \
        .build()

    try:
        request = ListAclRulesRequest()
        response = client.list_acl_rules(request)
        print(response)
    except exceptions.ClientRequestException as e:
        print(e.status_code)
        print(e.request_id)
        print(e.error_code)
        print(e.error_msg)
```
```go
package main

import (
	"fmt"
	"os" // required for os.Getenv below

	"github.com/huaweicloud/huaweicloud-sdk-go-v3/core/auth/basic"
	cfw "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/cfw/v1"
	"github.com/huaweicloud/huaweicloud-sdk-go-v3/services/cfw/v1/model"
	region "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/cfw/v1/region"
)

func main() {
	// Hard-coding the AK and SK used for authentication, or storing them in plaintext, poses great security risks.
	// It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables
	// and decrypted during use to ensure security.
	// In this example, AK and SK are stored in environment variables for authentication. Before running this
	// example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment.
	ak := os.Getenv("CLOUD_SDK_AK")
	sk := os.Getenv("CLOUD_SDK_SK")
	projectId := "{project_id}"

	auth := basic.NewCredentialsBuilder().
		WithAk(ak).
		WithSk(sk).
		WithProjectId(projectId).
		Build()

	client := cfw.NewCfwClient(
		cfw.CfwClientBuilder().
			WithRegion(region.ValueOf("<YOUR REGION>")).
			WithCredential(auth).
			Build())

	request := &model.ListAclRulesRequest{}
	response, err := client.ListAclRules(request)
	if err == nil {
		fmt.Printf("%+v\n", response)
	} else {
		fmt.Println(err)
	}
}
```
For SDK sample code of more programming languages, see the Sample Code tab in API Explorer. SDK sample code can be automatically generated.
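Added example (not part of the original page and not Huawei Cloud SDK code): a read-only audit that pages through GET /v1/{project_id}/acl-rules with limit and offset, then flags enabled permit rules whose manually entered address is 0.0.0.0/0 or whose service protocol is -1 (any). The function names, the reading of offset as a record count, and the ::/0 check are assumptions; the first sample record is trimmed from the example response above and the second is constructed.

```python
import json
import urllib.parse
import urllib.request


def build_query(object_id, limit=100, offset=0, **filters):
    """Encode the query string, enforcing the documented constraints."""
    if not 1 <= limit <= 1024 or offset < 0:
        raise ValueError("limit must be 1-1024 and offset must be >= 0")
    if filters.get("type") in (0, 2) and filters.get("direction") is None:
        raise ValueError("direction is mandatory when type is 0 or 2")
    params = {"object_id": object_id, "limit": limit, "offset": offset}
    params.update({k: v for k, v in filters.items() if v is not None})
    return urllib.parse.urlencode(params)


def http_fetcher(endpoint, project_id, token):
    """Return fetch_page(query) that performs GET /v1/{project_id}/acl-rules."""
    def fetch_page(query):
        url = f"https://{endpoint}/v1/{project_id}/acl-rules?{query}"
        req = urllib.request.Request(url, headers={"X-Auth-Token": token})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch_page


def iter_rules(fetch_page, object_id, limit=100, **filters):
    """Yield every record; assumes offset counts records, not pages."""
    offset = 0
    while True:
        query = build_query(object_id, limit, offset, **filters)
        data = fetch_page(query)["data"]
        records = data.get("records") or []
        yield from records
        offset += len(records)
        if not records or offset >= data.get("total", 0):
            return


def audit_rule(rule):
    """Flag an enabled permit rule that matches any address or any protocol."""
    if rule.get("status") != 1 or rule.get("action_type") != 0:
        return []  # disabled (status 0) or deny (action_type 1)
    findings = []
    for side in ("source", "destination"):
        addr = rule.get(side) or {}
        # type 0 = manual input; "::/0" as the IPv6 wildcard is an assumption
        if addr.get("type") == 0 and addr.get("address") in ("0.0.0.0/0", "::/0"):
            findings.append(f"{side} is any address")
    if (rule.get("service") or {}).get("protocol") == -1:  # -1 = any
        findings.append("service is any protocol")
    return findings


# Record trimmed from the example response on this page.
PAGE_SAMPLE = {
    "name": "eip_ipv4_n_w_allow", "status": 1, "action_type": 0, "direction": 1,
    "source": {"address_set_name": "ip_group", "address_type": 0, "type": 1},
    "destination": {"address": "0.0.0.0/0", "address_type": 0, "type": 0},
    "service": {"dest_port": "0", "protocol": -1, "source_port": "0", "type": 0},
}
# Second record is constructed (not from the page): the same rule, disabled.
DEMO_ROWS = [PAGE_SAMPLE, dict(PAGE_SAMPLE, name="constructed_disabled", status=0)]


def demo_fetch(query):
    """Offline stand-in for http_fetcher(): serves DEMO_ROWS page by page."""
    q = urllib.parse.parse_qs(query)
    start, size = int(q["offset"][0]), int(q["limit"][0])
    return {"data": {"total": len(DEMO_ROWS), "records": DEMO_ROWS[start:start + size]}}


def run_demo():
    """Audit both demo records, fetched one per page."""
    rules = iter_rules(demo_fetch, "constructed-object-id", limit=1)
    return {r["name"]: audit_rule(r) for r in rules}
```

Against a real instance, pass `http_fetcher("<endpoint>", "<project_id>", token)` to `iter_rules` in place of `demo_fetch`.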
Status Codes
Status Code | Description |
---|---|
200 | Return value for querying the rule list. |
400 | Bad Request |
401 | Unauthorized: Request error. |
403 | Forbidden: Access forbidden. |
404 | Not Found: Web page not found. |
500 | Internal Server Error |
Error Codes
See Error Codes.