DFW rules can be created, updated, and deleted using both the UI and API.
Rule Realization Status on UI
You can see the rule realization status for DFW and Gateway Firewall policies by navigating to Security > Gateway Firewall and checking the realization status reported by the transport nodes. The status is one of the following:
- Success
- Error
- In Progress
- Unknown
Rule Realization Status Through APIs
After a rule has been created and pushed to the relevant transport nodes, its realization status can be checked with the following Policy Manager APIs.
To check the realization status of the entities created in Policy Manager, run: GET https://<Policy Appliance IP>/policy/api/v1/infra/realized-state/realized-entities
For a rule that is fully in effect, "state" must be "REALIZED" and "runtime_status" must be "SUCCESS". A "state" of "REALIZED" alone only means the intent has been accepted by the management plane; it is "runtime_status" that reports whether the transport nodes have enforced it.
For example, to check the realized state of rule e2d4c010-96c8-11e9-8c0a-f7581ab92530 in security policy f96f27c0-92b8-11e9-96af-b5e746a259e7 at the Policy Manager level, run:
GET https://10.172.121.219/policy/api/v1/infra/realized-state/realized-entities?intent_path=/infra/domains/default/security-policies/f96f27c0-92b8-11e9-96af-b5e746a259e7/rules/e2d4c010-96c8-11e9-8c0a-f7581ab92530
A response has the following shape. Note that this sample was taken from a different rule (intent path /infra/domains/default/security-policies/1-communication-560) and shows a rule whose intent is "REALIZED" but whose "runtime_status" is still "IN_PROGRESS", that is, not yet enforced on every transport node:

```json
{
  "results": [
    {
      "extended_attributes": [],
      "entity_type": "RealizedFirewallRule",
      "intent_paths": [
        "/infra/domains/default/security-policies/1-communication-560"
      ],
      "resource_type": "GenericPolicyRealizedResource",
      "id": "default.1-communication-560.3-communication-110",
      "display_name": "default.1-communication-560.3-communication-110",
      "description": "default.1-communication-560.3-communication-110",
      "path": "/infra/realized-state/enforcement-points/default/firewalls/firewall-sections/default.1-communication-560/firewall-rules/default.1-communication-560.3-communication-110",
      "relative_path": "default.1-communication-560.3-communication-110",
      "parent_path": "/infra/realized-state/enforcement-points/default/firewalls/firewall-sections/default.1-communication-560",
      "intent_reference": [],
      "realization_specific_identifier": "1028",
      "state": "REALIZED",
      "alarms": [],
      "runtime_status": "IN_PROGRESS",
      "_create_user": "system",
      "_create_time": 1561673625030,
      "_last_modified_user": "system",
      "_last_modified_time": 1561674044534,
      "_system_owned": false,
      "_protection": "NOT_PROTECTED",
      "_revision": 6
    }
  ],
  "result_count": 1
}
```
To check the overall realization status of a security policy (section), and of every rule in it, on the hypervisors, run: GET https://<policy-mgr>/policy/api/v1/infra/realized-state/status?include_enforced_status=true&intent_path=<Security_policy_path>
The status reported by each transport node, and the consolidated status across all transport nodes, is one of the following:
- Success
- Error
- In Progress
- Unknown
The consolidated status is derived from the per-node statuses as shown in the table below: any ERROR makes the consolidated status ERROR; otherwise any IN_PROGRESS makes it IN_PROGRESS; otherwise any UNKNOWN makes it UNKNOWN; it is SUCCESS only when every transport node reports SUCCESS.
Transport Node 1 Overall Status | Transport Node 2 Overall Status | Consolidated Status |
---|---|---|
ERROR | ERROR | ERROR |
ERROR | IN_PROGRESS | ERROR |
ERROR | UNKNOWN | ERROR |
IN_PROGRESS | IN_PROGRESS | IN_PROGRESS |
IN_PROGRESS | UNKNOWN | IN_PROGRESS |
SUCCESS | SUCCESS | SUCCESS |
SUCCESS | ERROR | ERROR |
SUCCESS | IN_PROGRESS | IN_PROGRESS |
SUCCESS | UNKNOWN | UNKNOWN |
UNKNOWN | UNKNOWN | UNKNOWN |
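The following script is an added example, not part of the original page or of NSX-T, that ties the API section and the consolidation table together: it builds the intent path and the two realized-state URLs shown above, evaluates a realized-entities response the way the text describes (REALIZED plus runtime_status SUCCESS, no alarms), and implements the consolidation precedence from the table so that a set of per-node statuses can be reduced to one result. The appliance address and policy/rule IDs are the ones quoted above; the NSX_USER/NSX_PASS environment variables, the function names and the treatment of an empty node list as UNKNOWN are assumptions. The sample response is constructed from the one shown above and trimmed to the fields the check uses, so the script runs offline; the live query only happens when credentials are present.

```python
"""Check NSX-T DFW rule realization through the Policy Manager API.

Added example (not NSX-T code). Assumptions: host and IDs are taken from
the page; NSX_USER/NSX_PASS, the function names and the handling of an
empty node list are illustrative choices.
"""
import base64
import json
import os
import ssl
import urllib.parse
import urllib.request

# Consolidation precedence from the table: any ERROR wins, then IN_PROGRESS,
# then UNKNOWN; SUCCESS only when every transport node reports SUCCESS.
PRECEDENCE = ("ERROR", "IN_PROGRESS", "UNKNOWN", "SUCCESS")


def consolidate(node_statuses):
    """Reduce per-transport-node statuses to one consolidated status."""
    unexpected = set(node_statuses) - set(PRECEDENCE)
    if unexpected:
        raise ValueError("unexpected status value(s): %s" % sorted(unexpected))
    if not node_statuses:
        return "UNKNOWN"  # assumption: no reporting nodes is treated as UNKNOWN
    for status in PRECEDENCE:
        if status in node_statuses:
            return status


def rule_intent_path(policy_id, rule_id, domain="default"):
    """Intent path of a DFW rule inside a security policy."""
    return "/infra/domains/%s/security-policies/%s/rules/%s" % (domain, policy_id, rule_id)


def realized_entities_url(host, intent_path):
    """URL for GET /infra/realized-state/realized-entities of one intent path."""
    return ("https://%s/policy/api/v1/infra/realized-state/realized-entities?intent_path=%s"
            % (host, urllib.parse.quote(intent_path, safe="/")))


def status_url(host, intent_path):
    """URL for the per-node and consolidated status of a policy or rule."""
    return ("https://%s/policy/api/v1/infra/realized-state/status"
            "?include_enforced_status=true&intent_path=%s"
            % (host, urllib.parse.quote(intent_path, safe="/")))


def evaluate_realized_entities(response):
    """Return (ok, detail) for a realized-entities response.

    A rule is only in effect when state is REALIZED *and* runtime_status is
    SUCCESS with no alarms. REALIZED with IN_PROGRESS means the management
    plane accepted the intent but the hosts have not finished enforcing it.
    """
    results = response.get("results", [])
    if not results:
        return False, "no realized entity returned for this intent path"
    problems = []
    for ent in results:
        state, runtime, alarms = ent.get("state"), ent.get("runtime_status"), ent.get("alarms", [])
        if state != "REALIZED" or runtime != "SUCCESS" or alarms:
            problems.append("%s: state=%s runtime_status=%s alarms=%d"
                            % (ent.get("id"), state, runtime, len(alarms)))
    if problems:
        return False, "; ".join(problems)
    return True, "%d entity(ies) realized and enforced" % len(results)


def fetch_json(url, user, password, verify_tls=True):
    """GET a Policy API URL with basic auth. Disable TLS verification only
    against a lab appliance; in production trust the appliance CA instead."""
    req = urllib.request.Request(url)
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


# Constructed sample, trimmed from the response shown on the page: the intent
# is REALIZED but enforcement on the transport nodes is still IN_PROGRESS.
SAMPLE_RESPONSE = {
    "results": [{
        "entity_type": "RealizedFirewallRule",
        "id": "default.1-communication-560.3-communication-110",
        "state": "REALIZED",
        "runtime_status": "IN_PROGRESS",
        "alarms": [],
    }],
    "result_count": 1,
}

if __name__ == "__main__":
    host = "10.172.121.219"
    path = rule_intent_path("f96f27c0-92b8-11e9-96af-b5e746a259e7",
                            "e2d4c010-96c8-11e9-8c0a-f7581ab92530")
    print(realized_entities_url(host, path))
    print(status_url(host, path))
    print(evaluate_realized_entities(SAMPLE_RESPONSE))
    print(consolidate(["SUCCESS", "IN_PROGRESS", "SUCCESS"]))
    user, password = os.environ.get("NSX_USER"), os.environ.get("NSX_PASS")
    if user and password:  # live query only when credentials are supplied
        print(evaluate_realized_entities(fetch_json(realized_entities_url(host, path), user, password)))
```

Running the script offline prints the two URLs, reports the sample rule as not yet enforced because its runtime_status is IN_PROGRESS, and consolidates a SUCCESS/IN_PROGRESS/SUCCESS node set to IN_PROGRESS, matching the table. Polling until evaluate_realized_entities returns True is the check to put in a deployment pipeline before treating a new rule as active.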