DFW rules can be created, updated, and deleted using both the UI and API.

Rule Realization Status on UI

You can see the rule realization status for DFW and Gateway Firewall policies by navigating to Security > Distributed Firewall or Security > Gateway Firewall, and checking the rule realization status reported by the transport nodes.

There are four possible values for the rule realization status:
  • Success
  • Error
  • In Progress
  • Unknown

Rule Realization Status Through APIs

If the rule was created and enforced at the relevant nodes, the realization status can be checked using the following Policy Manager APIs.

To check the realization status for all the entities created in Policy Manager, run the command:

GET https://<Policy Appliance IP>/policy/api/v1/infra/realized-state/realized-entities

The realized state of the object should be "REALIZED" and 'runtime_status' should be "SUCCESS".

For example, the query to check the realized state of rule <e2d4c010-96c8-11e9-8c0a-f7581ab92530> in security policy <f96f27c0-92b8-11e9-96af-b5e746a259e7> at the Policy Manager level is:

GET https://10.172.121.219/policy/api/v1/infra/realized-state/realized-entities?intent_path=/infra/domains/default/security-policies/f96f27c0-92b8-11e9-96af-b5e746a259e7/rules/e2d4c010-96c8-11e9-8c0a-f7581ab92530

{
"results": [
{
"extended_attributes": [],
"entity_type": "RealizedFirewallRule",
"intent_paths": [
"/infra/domains/default/security-policies/1-communication-560"
],
"resource_type": "GenericPolicyRealizedResource",
"id": "default.1-communication-560.3-communication-110",
"display_name": "default.1-communication-560.3-communication-110",
"description": "default.1-communication-560.3-communication-110",
"path": "/infra/realized-state/enforcement-points/default/firewalls/firewall-sections/default.1-communication-560/firewall-rules/default.1-communication-560.3-communication-110",
"relative_path": "default.1-communication-560.3-communication-110",
"parent_path": "/infra/realized-state/enforcement-points/default/firewalls/firewall-sections/default.1-communication-560",
"intent_reference": [],
"realization_specific_identifier": "1028",
"state": "REALIZED",
"alarms": [],
"runtime_status": "IN_PROGRESS",
"_create_user": "system",
"_create_time": 1561673625030,
"_last_modified_user": "system",
"_last_modified_time": 1561674044534,
"_system_owned": false,
"_protection": "NOT_PROTECTED",
"_revision": 6
}
],
"result_count": 1
}

To check the overall realized status of a section, and of every rule in that section, on the hypervisors, run the command:

GET https://<policy-mgr>/policy/api/v1/infra/realized-state/status?include_enforced_status=true&intent_path=<Security_policy_path>

There are four possible values for the consolidated status:
  • Success
  • Error
  • In Progress
  • Unknown
Table 1. Consolidated Status

Transport Node 1 Overall Status | Transport Node 2 Overall Status | Consolidated Status
--------------------------------|---------------------------------|--------------------
ERROR                           | ERROR                           | ERROR
ERROR                           | IN_PROGRESS                     | ERROR
ERROR                           | UNKNOWN                         | ERROR
IN_PROGRESS                     | IN_PROGRESS                     | IN_PROGRESS
IN_PROGRESS                     | UNKNOWN                         | IN_PROGRESS
SUCCESS                         | SUCCESS                         | SUCCESS
SUCCESS                         | ERROR                           | ERROR
SUCCESS                         | IN_PROGRESS                     | IN_PROGRESS
SUCCESS                         | UNKNOWN                         | UNKNOWN
UNKNOWN                         | UNKNOWN                         | UNKNOWN
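As an added example (not code from the NSX documentation), the following Python parses a realized-entities response of the shape shown above and flags any firewall rule that is not both "REALIZED" and "SUCCESS", and reproduces the consolidation behaviour of Table 1 for any number of transport nodes (precedence ERROR > IN_PROGRESS > UNKNOWN > SUCCESS is my reading of the table; treating an empty node list as UNKNOWN is an assumption of this example, not something the page states).

```python
import json
from typing import Iterable, List, Tuple

# Precedence read off Table 1: any ERROR wins, then IN_PROGRESS, then UNKNOWN;
# the consolidated status is SUCCESS only when every node reports SUCCESS.
_PRECEDENCE = {"ERROR": 3, "IN_PROGRESS": 2, "UNKNOWN": 1, "SUCCESS": 0}


def consolidate(node_statuses: Iterable[str]) -> str:
    """Combine per-transport-node overall statuses into one consolidated status."""
    statuses = list(node_statuses)
    if not statuses:
        return "UNKNOWN"  # assumption: no reporting node means nothing is known
    for status in statuses:
        if status not in _PRECEDENCE:
            raise ValueError(f"unexpected transport node status: {status!r}")
    return max(statuses, key=lambda s: _PRECEDENCE[s])


def unrealized_rules(realized_entities_json: str) -> List[Tuple[str, str, str]]:
    """Return (id, state, runtime_status) for every RealizedFirewallRule in a
    /infra/realized-state/realized-entities response that is not fully realized,
    i.e. whose state is not REALIZED or whose runtime_status is not SUCCESS."""
    body = json.loads(realized_entities_json)
    problems = []
    for entity in body.get("results", []):
        if entity.get("entity_type") != "RealizedFirewallRule":
            continue
        state = entity.get("state", "UNKNOWN")
        runtime = entity.get("runtime_status", "UNKNOWN")
        if state != "REALIZED" or runtime != "SUCCESS":
            problems.append((entity.get("id", "<no id>"), state, runtime))
    return problems


# Constructed sample: a trimmed response in the shape of the page's example,
# with one rule still IN_PROGRESS on the data plane and one fully realized.
SAMPLE_RESPONSE = json.dumps({
    "results": [
        {"entity_type": "RealizedFirewallRule",
         "id": "default.1-communication-560.3-communication-110",
         "state": "REALIZED", "runtime_status": "IN_PROGRESS"},
        {"entity_type": "RealizedFirewallRule",
         "id": "default.1-communication-560.4-communication-120",
         "state": "REALIZED", "runtime_status": "SUCCESS"},
    ],
    "result_count": 2,
})

if __name__ == "__main__":
    for rule_id, state, runtime in unrealized_rules(SAMPLE_RESPONSE):
        print(f"not fully realized: {rule_id} state={state} runtime_status={runtime}")
    print("consolidated:", consolidate(["SUCCESS", "UNKNOWN", "IN_PROGRESS"]))
```

Feeding it the raw body of the realized-entities GET lets you alert on rules the control plane accepted but the transport nodes have not yet enforced.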