DFW rules can be created, updated, and deleted through both the UI and the API.
Rule Realization Status in the UI
You can view the rule realization status of DFW and gateway firewall policies by navigating to Security > Distributed Firewall or Security > Gateway Firewall and checking the realization status reported by the transport nodes. A rule is shown in one of the following states:
- Success
- Error
- In Progress
- Unknown
Rule Realization Status via the API
Once a rule has been created and enforced on the relevant nodes, its realization status can be checked with the following Policy Manager APIs.
To check the realization status of every entity created in Policy Manager, run: GET https://<Policy Appliance IP>/policy/api/v1/infra/realized-state/realized-entities. A fully realized object has "state" set to "REALIZED" and "runtime_status" set to "SUCCESS".
For example, the query to check, at the Policy Manager level, the realization status of rule e2d4c010-96c8-11e9-8c0a-f7581ab92530 in security policy f96f27c0-92b8-11e9-96af-b5e746a259e7 is GET https://10.172.121.219/policy/api/v1/infra/realized-state/realized-entities?intent_path=/infra/domains/default/security-policies/f96f27c0-92b8-11e9-96af-b5e746a259e7/rules/e2d4c010-96c8-11e9-8c0a-f7581ab92530. Note that in the sample response below the rule has "state": "REALIZED" but "runtime_status": "IN_PROGRESS": the configuration has been accepted by Policy Manager, but enforcement on the transport nodes has not yet completed, so the rule should not be treated as in effect until "runtime_status" reports "SUCCESS".
```json
{
  "results": [
    {
      "extended_attributes": [],
      "entity_type": "RealizedFirewallRule",
      "intent_paths": [
        "/infra/domains/default/security-policies/1-communication-560"
      ],
      "resource_type": "GenericPolicyRealizedResource",
      "id": "default.1-communication-560.3-communication-110",
      "display_name": "default.1-communication-560.3-communication-110",
      "description": "default.1-communication-560.3-communication-110",
      "path": "/infra/realized-state/enforcement-points/default/firewalls/firewall-sections/default.1-communication-560/firewall-rules/default.1-communication-560.3-communication-110",
      "relative_path": "default.1-communication-560.3-communication-110",
      "parent_path": "/infra/realized-state/enforcement-points/default/firewalls/firewall-sections/default.1-communication-560",
      "intent_reference": [],
      "realization_specific_identifier": "1028",
      "state": "REALIZED",
      "alarms": [],
      "runtime_status": "IN_PROGRESS",
      "_create_user": "system",
      "_create_time": 1561673625030,
      "_last_modified_user": "system",
      "_last_modified_time": 1561674044534,
      "_system_owned": false,
      "_protection": "NOT_PROTECTED",
      "_revision": 6
    }
  ],
  "result_count": 1
}
```
To check the overall realization status of a section and of each rule in it on the hypervisors, run: GET https://<policy-mgr>/policy/api/v1/infra/realized-state/status?include_enforced_status=true&intent_path=<Security_policy_path>. Each transport node reports one of the following statuses for a rule:
- Success
- Error
- In Progress
- Unknown
When transport nodes report different statuses for the same rule, they are consolidated into a single status as follows (shown here for two nodes):
| Transport node 1 overall status | Transport node 2 overall status | Consolidated status |
|---|---|---|
| ERROR | ERROR | ERROR |
| ERROR | IN_PROGRESS | ERROR |
| ERROR | UNKNOWN | ERROR |
| IN_PROGRESS | IN_PROGRESS | IN_PROGRESS |
| IN_PROGRESS | UNKNOWN | IN_PROGRESS |
| SUCCESS | SUCCESS | SUCCESS |
| SUCCESS | ERROR | ERROR |
| SUCCESS | IN_PROGRESS | IN_PROGRESS |
| SUCCESS | UNKNOWN | UNKNOWN |
| UNKNOWN | UNKNOWN | UNKNOWN |
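The two API checks on this page (the realized-entities query with its REALIZED/SUCCESS criteria, and the per-hypervisor status query with the consolidation table above) as a small offline Python script. This is an added example, not VMware code or an NSX tool: the sample response is constructed from the structure shown on this page, the second rule id and the host name nsx.example are made up, and the precedence ERROR > IN_PROGRESS > UNKNOWN > SUCCESS is inferred from the table rather than stated by the page. The consolidation function generalizes the table to any number of transport nodes.

```python
"""Added example (not VMware code): check DFW rule realization from NSX-T Policy API
responses offline and reproduce this page's status consolidation table."""
import base64
import json
import ssl
import urllib.parse
import urllib.request

# Precedence inferred from the consolidation table on this page: one ERROR anywhere
# makes the rule ERROR, otherwise IN_PROGRESS, otherwise UNKNOWN; SUCCESS only when
# every transport node reports SUCCESS.
_PRECEDENCE = {"SUCCESS": 0, "UNKNOWN": 1, "IN_PROGRESS": 2, "ERROR": 3}

# The two-node table from this page, as (node1, node2, consolidated).
CONSOLIDATION_TABLE = [
    ("ERROR", "ERROR", "ERROR"), ("ERROR", "IN_PROGRESS", "ERROR"),
    ("ERROR", "UNKNOWN", "ERROR"), ("IN_PROGRESS", "IN_PROGRESS", "IN_PROGRESS"),
    ("IN_PROGRESS", "UNKNOWN", "IN_PROGRESS"), ("SUCCESS", "SUCCESS", "SUCCESS"),
    ("SUCCESS", "ERROR", "ERROR"), ("SUCCESS", "IN_PROGRESS", "IN_PROGRESS"),
    ("SUCCESS", "UNKNOWN", "UNKNOWN"), ("UNKNOWN", "UNKNOWN", "UNKNOWN"),
]


def consolidate(statuses):
    """Consolidate any number of per-transport-node statuses into one overall status."""
    if not statuses:
        return "UNKNOWN"
    # Anything outside the four documented values is treated as UNKNOWN, not ignored.
    normalized = [s if s in _PRECEDENCE else "UNKNOWN" for s in statuses]
    return max(normalized, key=_PRECEDENCE.__getitem__)


def table_matches():
    """True if consolidate() reproduces every row of the page's table."""
    return all(consolidate([a, b]) == want for a, b, want in CONSOLIDATION_TABLE)


def realized_entities_url(manager, intent_path):
    """Realized-entities query for one intent path (a security policy or a single rule)."""
    return (f"https://{manager}/policy/api/v1/infra/realized-state/realized-entities"
            f"?intent_path={urllib.parse.quote(intent_path)}")


def realization_status_url(manager, intent_path):
    """Per-hypervisor status query, including the enforced status of each rule."""
    return (f"https://{manager}/policy/api/v1/infra/realized-state/status"
            f"?include_enforced_status=true&intent_path={urllib.parse.quote(intent_path)}")


def unrealized_entities(response):
    """Entities that are not fully in effect: state != REALIZED, runtime_status != SUCCESS,
    or any active alarm. Returns (id, state, runtime_status, alarms) tuples."""
    bad = []
    for entity in response.get("results", []):
        state, runtime = entity.get("state"), entity.get("runtime_status")
        alarms = entity.get("alarms") or []
        if state != "REALIZED" or runtime != "SUCCESS" or alarms:
            bad.append((entity.get("id"), state, runtime, alarms))
    return bad


def fetch_json(url, username, password, cafile):
    """GET a Policy API URL with basic auth, verifying the NSX Manager certificate against
    cafile instead of disabling TLS verification. Not used in the offline run."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    request = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    context = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(request, context=context, timeout=30) as resp:
        return json.load(resp)


# Constructed sample: the first entity mirrors the page's example (REALIZED in Policy
# Manager, still IN_PROGRESS on the transport nodes); the second is a made-up rule that
# is fully in effect. Only the fields the check uses are kept.
SAMPLE_REALIZED_ENTITIES = json.loads("""
{"results": [
  {"entity_type": "RealizedFirewallRule",
   "id": "default.1-communication-560.3-communication-110",
   "state": "REALIZED", "runtime_status": "IN_PROGRESS", "alarms": []},
  {"entity_type": "RealizedFirewallRule",
   "id": "default.example-policy.example-rule",
   "state": "REALIZED", "runtime_status": "SUCCESS", "alarms": []}
 ], "result_count": 2}
""")

if __name__ == "__main__":
    policy = "/infra/domains/default/security-policies/f96f27c0-92b8-11e9-96af-b5e746a259e7"
    print(realized_entities_url("10.172.121.219", policy))
    print(realization_status_url("10.172.121.219", policy))
    for row in unrealized_entities(SAMPLE_REALIZED_ENTITIES):
        print("not fully realized:", row)
    print("table reproduced:", table_matches())
```

Against a live manager, replace the constructed sample with `fetch_json(realized_entities_url(manager, policy), user, password, cafile)` and treat any tuple returned by `unrealized_entities` as a rule that is not yet enforced; a non-empty `alarms` list is the place to look for the reason when the consolidated status is ERROR.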