1 of 21 9/22/11 10:41 AM

Transcription

1 This document is a detailed reference guide that describes all the API operations for the CloudPassage. In addition, it provides sample requests, responses, and errors for the supported APIs. CloudPassage provides a collection of REST APIs which accept and return JSON-formatted data. CloudPassage s REST APIs provide access to resources via URI paths. To use a REST API, your application will make an HTTP request and parse the response. The request and response format are JSON and your methods will be the standard HTTP methods like GET, PUT, POST and DELETE. Because the REST API is based on open standards, you can use any web development language to access the API. API The s are version controlled. The current version of the is 1. The API version is independent of the CloudPassage Halo daemon release number. The version number of an API appears in its URI. For example, use this URI structure to request version 1 of the CloudPassage REST API: API Each call to a has to be authenticated using the customer s key. To authenticate the API call, include your API key in the x-cpauth-access field in the request header. This key may be found through the web user interface under: Settings > Site Administration > API Keys. Example: x-cpauth-access: cf04666d2d8fb834c65dc1fbd17qwert1 In case of an authentication error, a 401 (Unauthorized) HTTP response is returned. and HTTP Codes The CloudPassage REST API is served over HTTPS. To ensure data privacy unencrypted HTTP is not supported. Retrieving Resources with the HTTP GET Method You can retrieve a representation of a resource by GETting its URL. Possible GET Status Codes Code Status Explanation 200 OK The request was successful and the response body contains the representation requested. 401 Unauthorized The supplied credentials, if any, are not sufficient to access the resource. 404 Not Found Resource not found. 500 Server Error We couldn t return the representation due to an internal server error. Creating or Updating Resources with the HTTP POST and PUT Creating or updating a resource involves performing an HTTP PUT or HTTP POST to a resource URL. In the PUT or POST, you represent the properties of the object you wish to update as JSON objects. Be sure to set the HTTP Content-Type header to application/json for your requests if you are writing your own client. Possible POST or PUT Status Codes Code Status Explanation 204 No Content The request was successful. 201 Created The request was successful, we created a new resource and the response body contains the representation. 202 Accepted The request was successful, new resource was accepted for processing. 400 Bad Request The data given in the POST or PUT failed validation. Inspect the response body for details. 401 Unauthorized The supplied credentials, if any, are not sufficient to create or update the resource. 404 Not Found Resource not found. 500 Server Error We couldn t create or update the resource. Please try again. Deleting Resources with the HTTP DELETE Method To delete a resource make an HTTP DELETE request to the resource s URL. Not all CloudPassage REST API resources support DELETE operation. Possible DELETE Status Codes Code Status Explanation 204 No Content The request was successful; the resource was deleted. 1 of 21 9/22/11 10:41 AM

2 Code Status Explanation 401 Unauthorized The supplied credentials, if any, are not sufficient to delete the resource. 404 Not Found Resource not found. 500 Server Error We couldn t delete the resource. Please try again. Custom Error Messages Validation Errors In case of a validation error, a 422 (Unprocessable Entity) HTTP response will be returned. The response body will contain error details: Status: 422 "message" => "Validation Failed", "errors" => [ "code" : "taken", "field" : "name" ] Resource Not Found Errors In case of a resource not found error, a 404 (Not Found) HTTP response will be returned. The response body will contain error details: Status: 404 "resource" => "FirewallRule", "field" => "id", "value" => "3e74aaf e23f3442c031a719c" Server errors In case of a server error, a 500 (Internal Server Error) HTTP response will be returned. The response body will contain error details: Status: 500 "code" : 500, "message" : "Internal Server Error", "details" : <backtrace here> API Server Groups Object Representation Core server group fields id name tag policy_ids firewall_policy_id A unique string identifier for this server group. A unique name for this server group. Optional. A unique tag assigned to this server group. Tag is used to assign daemons to the group. Daemon started with the specific tag will be assigned to the group with that tag. Tag should start with a letter and contain only letters, numbers,. (dot), - (dash), and _ (underscore). An array of one or more configuration policy identifiers assigned to this server group. Optional Firewall policy identifier assigned to this server group. s present only in server group details cve_exception_ids Optional An array of common vulnerabilities and exposures exception identifiers. List server groups GET Search server groups that use specific configuration policy GET 2 of 21 9/22/11 10:41 AM

3 "groups": [ "url": " "firewall_policy_id": null, "exception_ids": [ "name": "Unassigned", "policy_ids": ["96cb9470a9b9012e0e56442c030d794d" "id": "1e9d5320a9b9012e0e53442c030d794d", "tag": null, "url": " "firewall_policy_id": null, "exception_ids": [ "name": "Retired", "policy_ids": ["96cb9470a9b9012e0e56442c030d794d" "id": "1ea83e60a9b9012e0e53442c030d794d", "tag": null, "url": " "firewall_policy_id": null, "exception_ids": [ "name": "Unretired", "policy_ids": ["96cb9470a9b9012e0e56442c030d794d" "id": "1ea85fd0a9b9012e0e53442c030d794d", "tag": null ] Get a single server group GET "group": "url": " "firewall_policy_id": null, "exception_ids": [ "name": "Unassigned", "policy_ids": ["96cb9470a9b9012e0e56442c030d794d" "id": "1e9d5320a9b9012e0e53442c030d794d", "tag": null Create a new server group POST "group": "firewall_policy_id": null, "name": "Load Balancers", "policy_ids": ["96cb9470a9b9012e0e56442c030d794d" "tag": "load_balancers" Status: 201 Location: "group": "firewall_policy_id": null, "cve_exception_ids": [ "tag": "load_balancers", "policy_ids": ["96cb9470a9b9012e0e56442c030d794d" "name": "Load Balancers", "url": " "id": "e04b92e0b61e012ec6e c01709" Update server group attributes PUT 3 of 21 9/22/11 10:41 AM

4 "group": "name": "Test Groups", "tag": "load_balancers" Assign a firewall policy to the server group PUT "group": "firewall_policy_id": "96cb9470a9b9012e0e56442c030d794c" To remove a firewall policy from the server group PUT "group": "firewall_policy_id": null Assign several configuration policies to the server group PUT "group": "policy_ids": ["96cb9470a9b9012e0e56442c030d794d", "96cb9470a9b9012e0e56442c030d794f"] Delete server group without any servers DELETE : Delete server group and move group s servers into Unassigned group DELETE : To list common vulnerabilities and exposures exception identifiers applied to a server group 4 of 21 9/22/11 10:41 AM

5 GET "group": "firewall_policy_id": null, "cve_exception_ids": ["302ed800b61a012ec6e c01709" "tag": "", "policy_ids": ["7bef46c072b1012ec c01709", "8883c860b0ce012ec6a c01709" "name": "Unassigned", "url": " "id": "8cdc2200b576012ec6d c01709" To list details of a common vulnerability and exposure exception identifier GET "cve_exception": "package_name": "bzip2.x86_64", "server_id": null, "expires_at": " T23:59:59Z", "package_version": "1.0.3", "created_at": " T16:14:12Z", "id": "302ed800b61a012ec6e c01709", "group_id": "8cdc2200b576012ec6d c01709" Servers Object Representation Core server fields id hostname state connecting_ip_address interfaces A unique identifier of the server. A calculated hostname of the server. A state of the server. Currently, only active servers are returned. The last reported IP address of the server. A list of reported network interfaces that are present on the server. List active servers in the group If a server is inactive or missing it will not be in the response. GET List active servers GET "servers": [ "hostname": "svm-rh55", "connecting_ip_address": " ", "interfaces": [ "ip_address": " ", "name": "eth1", "ip_address": " ", "name": "eth0" "state": "active", "url": " "id": " a8a6da1586c8aaeac10452", "hostname": "domu c-92-fc", "connecting_ip_address": " ", "interfaces": [ "ip_address": " ", 5 of 21 9/22/11 10:41 AM

6 ] "name": "eth0" "state": "active", "url": " "id": "a731945fa16309d945a205f9c37f8e67" List active servers that have specific user account GET GET "servers": [ "hostname": "svm-rh55", "accounts": [ "last_login_at": " T14:47:47Z", "uid": "500", "comment": "", "gid": "500", "home": "/home/bob", "username": "bob", "shell": "/bin/bash", "url": " "last_login_from": "c hsd1.md.comcast.net pts/0" "connecting_ip_address": " ", "interfaces": [ "ip_address": " ", "name": "eth1", "ip_address": " ", "name": "eth0" "state": "active", "url": " "id": " a8a6da1586c8aaeac10452" ] Move server into server group PUT "server" : "group_id" : "94a90ae e23f3442c031a719c" Remove server from a server group You must first pull the group_id for the unassigned group by using the following request: GET Then assign the server to the unassigned group id PUT "server" : "group_id" : "unassigned_group_id" List of server issues 6 of 21 9/22/11 10:41 AM

7 GET : "connecting_ip_address": " ", "id": " a8a6da1586c8aaeac10452", "hostname": "newhost.domain.com", "state": "active", "sca": "policies": [ "Policy For Servers" "critical_findings_count": 2, "status": "completed_with_errors", "findings": [ "critical": true, "details": [ "scan_status": "ok", "expected": "enforcing", "config_key": "SELINUX", "type": "configuration", "actual": "disabled", "target": "/etc/selinux/config", "status": "bad", "scan_status": "ok", "expected": "targeted", "config_key": "SELINUXTYPE", "type": "configuration", "actual": "targeted", "target": "/etc/selinux/config", "status": "good" "rule_name": "Enable SELinux", "status": "bad", "critical": true, "details": [ "scan_status": "ok", "expected": "/etc/issue", "config_key": "Banner", "type": "configuration", "actual": "/etc/issue.net", "target": "/etc/ssh/sshd_config", "status": "bad" "rule_name": "Enable a Warning Banner", "status": "bad", "critical": false, "details": [ "scan_status": "not_found", "expected": "SymLinksIfOwnerMatch", "config_key": "Options", "type": "configuration", "actual": null, "target": "/etc/httpd/conf/httpd.conf", "status": "indeterminate" "rule_name": "APACHE: Restrict Web Directory", "status": "indeterminate", "critical": false, "details": [ "scan_status": "not_found", "expected": "/chroot/apache", "config_key": "SecChrootDir", "type": "configuration", "actual": null, "target": "/etc/httpd/conf/httpd.conf", "status": "indeterminate" "rule_name": "APACHE: Run Apache in a chroot Jail if Possible", "status": "indeterminate", "critical": false, "details": [ "scan_status": "not_found", 7 of 21 9/22/11 10:41 AM

8 "expected": "speling_module modules/mod_speling.so", "config_key": "#LoadModule", "type": "configuration", "actual": null, "target": "/etc/httpd/conf/httpd.conf", "status": "indeterminate" "rule_name": "APACHE: URL Correction on Misspelled Entries", "status": "indeterminate" "non_critical_findings_count": 3, "svm": "critical_findings_count": 1, "status": "completed_clean", "findings": [ "critical": true, "cve_entries": [ "suppressed": false, "cve_entry": "CVE ", "suppressed": false, "cve_entry": "CVE " "package_version": "0.2", "status": "bad", "package_name": "ed.x86_64", "critical": false, "cve_entries": [ "suppressed": false, "cve_entry": "CVE ", "suppressed": false, "cve_entry": "CVE " "package_version": "1.11.4", "status": "bad", "package_name": "wget.x86_64" "non_critical_findings_count": 1 Configuration Policies Object Representation Core server fields id name description used_by A unique identifier of the configuration policy. A name given to the configuration policy. Optional. A description of the configuration policy. Read-only. A list of server group identifiers of server groups that use the configuration policy. List configuration policies GET : "policies": [ "used_by": [ "name": "AcmeCorp - AMI (Amazon)", "id": "7bbea00072b1012ec c01709" "description": "This configuration security policy has been configured for a default Amazon Linux distribution. "name": "AMI - Core OS Policy", "id": "7bcb0a0072b1012ec c01709", "used_by": [ "description": null, "name": "Basic Linux Gotchas Copy", "id": "a44c24a07da6012ec c01709" 8 of 21 9/22/11 10:41 AM

9 ] Server Accounts Object Representation Core server account fields username A username of the server account. uid A user id of the server account. gid A group id of the server account. home A home directory of the server account. shell A server s account shell. comment A comment for the server account. last_login_at The last time the server account logged on in UTC time (if available) last_login_from The last domain and port the account logged on from (if available) s present only in server account details home_exists groups last_password_change days_warn_before_password_expiration minimum_days_between_password_changes maximum_days_between_password_changes disabled_after_days_inactive days_since_disabled ssh_authorized_keys sudo_access Whether or not the server account s home directory exists or not Any groups the account belongs to (if any) When the account s password was last changed (if available) How soon the account is warned about password expiration (if available) The date before which the account s password may be changed (if available) The date before which the account s password must be changed (if available) How many days of inactivity before the account is disabled (if available) How many days since the account was disabled (if available) An array of any authorized SSH keys belonging to the account (if available) A list of sudo access rules for the account, both as a member of a group and as a user (if available) List server accounts GET Search server accounts by username or uid GET GET "accounts": [ "last_login_at": null, "uid": "3", "comment": "adm", "gid": "4", "home": "/var/adm", "username": "adm", "shell": "/sbin/nologin", "url": " "last_login_from": null, "last_login_at": null, "uid": "70", "comment": "Avahi daemon", "gid": "70", "home": "/", "username": "avahi", "shell": "/sbin/nologin", "url": " "last_login_from": null, "last_login_at": null, "uid": "100", "comment": "avahi-autoipd", "gid": "101", "home": "/var/lib/avahi-autoipd", "username": "avahi-autoipd", 9 of 21 9/22/11 10:41 AM

10 "shell": "/sbin/nologin", "url": " "last_login_from": null, "last_login_at": null, "uid": "1", "comment": "bin", "gid": "1", "home": "/bin", "username": "bin", "shell": "/sbin/nologin", "url": " "last_login_from": null... ] Get server account details GET : "account": "maximum_days_between_password_changes": 99999, "days_warn_before_password_expiration": 7, "last_login_at": " T14:47:47Z", "uid": "500", "disabled_after_days_inactive": null, "comment": "", "gid": "500", "home": "/home/bob", "groups": "wheel, bob", "home_exists": true, "days_since_disabled": null, "last_password_change": " ", "sudo_access": [ "as_group": [ ["%wheel ALL = (ALL) ALL"] ] "username": "bob", "ssh_authorized_keys": [ "type": "rsa", "comment": "bob@bobs-macbook-pro.local" "shell": "/bin/bash", "minimum_days_between_password_changes": 0, "url": " "ssh_acl": "rwx------", "last_login_from": "c hsd1.md.comcast.net pts/0" Create server account Creating a new server account is done asynchronously. On successful call 202 (Accepted) status will be returned with information about the created server command. POST "account": "username" : "bob", "comment" : "User Bob", "groups" : "wheel,users", "password" : "length" : 10, "include_special" : true, "include_numbers" : true, "include_uppercase" : false Status: 202 Location: "command" : id => "ac49ce6e e21a713ce62c039c", uri => " name => "Create Account", 10 of 21 9/22/11 10:41 AM

11 status => "queued", created_at => " T10:10:10Z", updated_at => " T10:10:10Z" Reset password for server account Reseting password for server account is done asynchronously. On successful call 202 (Accepted) status will be returned with information about the created server command. PUT "password" : "length" : 10, "include_special" : true, "include_numbers" : true, "include_uppercase" : false Status: 202 Location: "command" : id => "ac49ce6e e21a713ce62c039c", uri => " name => "Reset Password", status => "queued", created_at => " T10:10:10Z", updated_at => " T10:10:10Z" Disable server account Disabling server account is done asynchronously. On successful call 202 (Accepted) status will be returned with information about the created server command. PUT "account" : "active" : false Status: 202 Location: "command" : id => "ac49ce6e e21a713ce62c039c", uri => " name => "Disable Account", status => "queued", created_at => " T10:10:10Z", updated_at => " T10:10:10Z" Remove server account Removing a server account is done asynchronously. On successful call 202 (Accepted) status will be returned with information about the created server command. DELETE Status: 202 Location: "command" : id => "ac49ce6e e21a713ce62c039c", 11 of 21 9/22/11 10:41 AM

12 uri => " name => "Remove Account", status => "queued", created_at => " T10:10:10Z", updated_at => " T10:10:10Z" Server Commands Object Representation id name status created_at updated_at result A unique identifier of the server command. A name of the command. Get command details A status of the command. Possible values queued, pending, completed, failed. A timestamp when command was created. A timestamp when command was last updated. A result of the command execution once command is finished. GET "command" : "id" : "ac49ce6e e21a713ce62c039c", "uri" : " "name" : "Remove Account", "status: : "completed", "created_at" : " T10:10:10Z", "updated_at" : " T10:11:12Z", "result : "done" Firewall Policies Object Representation Core server account fields id name description used_by A unique identifier of the firewall policy. A unique name given to the firewall policy. Optional. A description of the firewall policy. Read-only. The identifiers and names of server groups that use the firewall policy. List firewall policies GET : "used_by": [ "name": "Group One", "id": "f5e1ada0a4c0012ec c01709" "description": "", "name": "SSH-Only", "url": " "id": "7ba8ebc072b1012ec c01709", "used_by": [ "description": "Firewall policy for the Load Balancer server group with connections to the Internet and to the "name": "Load Balancer", "url": " "id": "7ba8a00072b1012ec c01709", "used_by": [ "description": "Firewall policy for the Web-Apps server group with connections to the Load Balancers server gro 12 of 21 9/22/11 10:41 AM

13 ] "name": "Web-Apps", "url": " "id": "7ba8c5d072b1012ec c01709" Get firewall policy details including firewall rules GET : "firewall_policy" : "id" : "b1553ab e23f3442c031a719c", "url": " "name" : "policy one", "description" : "", "used_by" : [ "id" : "b6dd e23f3442c031a719c", "name" : "group one" "firewall_rules" : [ "id" : "d09ac7d e23f3442c031a719c", "url": " "chain" : "INPUT", "active" : true, "firewall_interface" : null, "firewall_source": "name": "any", "id": "649acdf06ac8012e23ce442c031a719c", "url": " "type": "FirewallZone", "ip_address": " /0", "firewall_service": "name": "smtp", "port": "25", "protocol": "tcp", "id": " ac8012e23ce442c031a719c", "url": " "connection_states" : "NEW, ESTABLISHED", "action" : "ACCEPT", "log" : false, "id" : "d63c5b e23f3442c031a719c", "url": " "chain" : "INPUT", "active" : true, "firewall_interface": "name": "eth0", "id": "649ce6e06ac8012e23ce442c031a719c", "url": " "firewall_source" : null, "firewall_service" : null, "connection_states" : null, "action" : "REJECT", "log" : true, "id" : "da80ec e23f3442c031a719c", "url": " "chain" : "OUTPUT", "active" : true, "firewall_interface" : null, "firewall_target" : null, "firewall_service" : null, "connection_states" : null, "action" : "ACCEPT", "log" : false ] Create new firewall policy POST 13 of 21 9/22/11 10:41 AM

14 "firewall_policy" : "name" : "policy one", "description" : "my new policy", "firewall_rules" : [ "chain" : "INPUT", "active" : true, "firewall_interface" : null, "firewall_source" : "c26c6a50b190012ec6b c01709", "firewall_service" : "7b6409a072b1012ec c01709", "connection_states" : "NEW, ESTABLISHED", "action" : "ACCEPT", "log" : false, "chain" : "INPUT", "active" : true, "firewall_interface" : "7b881ca072b1012ec c01709", "firewall_source" : null, "firewall_service" : null, "connection_states" : null, "action" : "REJECT", "log" : true, "chain" : "OUTPUT", "active" : true, "firewall_interface" : "7b881ca072b1012ec c01709", "firewall_destination" : null, "firewall_service" : null, "connection_states" : null, "action" : "ACCEPT", "log" : false ] Status: 201 Location: "firewall_policy": "used_by": [ "description": "my new policy", "firewall_rules": [ "firewall_service": "port": "53", "protocol": "TCP", "name": "dns AXFR", "url": " "id": "7b6409a072b1012ec c01709", "log": false, "active": true, "action": "ACCEPT", "chain": "INPUT", "url": " "id": "812d3bf0b27b012ec6c c01709", "connection_states": "NEW, ESTABLISHED", "log": true, "active": true, "firewall_interface": "name": "eth0", "url": " "id": "7b881ca072b1012ec c01709", "action": "REJECT", "chain": "INPUT", "url": " "id": "812f26a0b27b012ec6c c01709", "connection_states": null, "log": false, "active": true, "firewall_interface": "name": "eth0", "url": " "id": "7b881ca072b1012ec c01709", "action": "ACCEPT", "chain": "OUTPUT", "url": " "id": "81304d50b27b012ec6c c01709", "connection_states": null "name": "policy one", "url": " "id": "812b7500b27b012ec6c c01709" 14 of 21 9/22/11 10:41 AM

15 Update name or description for the firewall policy To update firewall rules within the policy use firewall rules API. PUT "firewall_policy" : "name" : "policy one" Delete firewall policy Deletes an existing firewall policy. If firewall policy is used by one or more server groups 422 error will be returned. DELETE Firewall Rules Object Representation Core firewall rule fields id chain active firewall_interface firewall_source firewall_target firewall_service connection_states action log A unique identifier of the firewall rule. Whether the firewall rule covers INPUT or OUTPUT connections. Allowed values are INPUT and OUTPUT. Whether the firewall rule is active or not. The specified firewall interface for this rule. Specify the ID of the interface you wish to use. The specified source/zone for an INPUT rule. Specify the ID and type of source you wish to use. Allowed values for type are FirewallZone or Group. The specified source/zone for an OUTPUT rule. Specify the ID and type of destination you wish to use. Allowed values for type are FirewallZone or Group. The specified firewall service for this rule. Specify the ID of the service you wish to use. The specified firewall connection state(s) fot this rule. NEW, RELATED, and ESTABLISHED are allowed. The specified action to take if this rule is matched. Allowed values are ACCEPT, DROP, and REJECT. Whether matches to this rule are logged or not. s present only in firewall rule details position The position order of the rule in the chain. List firewall rules in firewall policy GET "firewall_rules": [ "firewall_service": "port": "53", "protocol": "TCP", "name": "dns AXFR", "url": " "id": "7b6409a072b1012ec c01709", "log": false, "active": true, "action": "ACCEPT", "chain": "INPUT", 15 of 21 9/22/11 10:41 AM

16 "url": " "id": "812d3bf0b27b012ec6c c01709", "connection_states": "NEW, ESTABLISHED", "log": true, "active": true, "firewall_interface": "name": "eth0", "url": " "id": "7b881ca072b1012ec c01709", "action": "REJECT", "chain": "INPUT", "url": " "id": "812f26a0b27b012ec6c c01709", "connection_states": null, "log": false, "active": true, "firewall_interface": "name": "eth0", "url": " "id": "7b881ca072b1012ec c01709", "action": "ACCEPT", "chain": "OUTPUT", "url": " "id": "81304d50b27b012ec6c c01709", "connection_states": null ] Get firewall rule details GET "firewall_rule": "log": false, "active": true, "position": 1, "firewall_interface": "name": "eth0", "url": " "id": "7b881ca072b1012ec c01709", "action": "ACCEPT", "chain": "OUTPUT", "url": " "id": "81304d50b27b012ec6c c01709", "connection_states": null Add a new firewall rule to the firewall policy Note that when creating a firewall rule, the source or destination needs to specify whether the zone type is FirewallZone or Group. Position of the rule in the policy is determined by position value. Rules are numbered from 1 for each chain. To add new rule to the very end of the chain, set the value of the position attribute to last. POST "firewall_rule" : "chain" : "INPUT", "active" : true, "firewall_interface" : "7b881ca072b1012ec c01709", "firewall_service" : "7b6409a072b1012ec c01709", "connection_states" : "NEW, ESTABLISHED", "action" : "ACCEPT", "log" : false, "position": 4 Status: 201 Location: 16 of 21 9/22/11 10:41 AM

17 "firewall_rule": "firewall_service": "port": "53", "protocol": "TCP", "name": "dns AXFR", "url": " "id": "7b6409a072b1012ec c01709", "log": false, "active": true, "position": 4, "firewall_interface": "name": "eth0", "url": " "id": "7b881ca072b1012ec c01709", "action": "ACCEPT", "chain": "INPUT", "url": " "id": "99b71970b27c012ec6c c01709", "connection_states": "NEW, ESTABLISHED" Delete firewall rule DELETE Update firewall rule Note that when updating a firewall rule and specifying the source or destination, you also need to specify whether the zone type is FirewallZone or Group. To move rule to a new position specify new position. PUT "firewall_rule" : "firewall_interface" : "649cf9806ac8012e23ce442c031a719c", Move a firewall rule to a desired position Rules within a policy may be ordered. To see the current order execute the API call to list the details of the firewall policy. The rules will be listed in order. Positions accepted are whole numbers with 1 being the first position. Alternatively, you may use position : last for the rule to be moved to the last position. PUT "firewall_rule" : "position" : position Firewall Interfaces Object Representation id name A unique identifier of the firewall interface. A unique name given to the firewall interface. 17 of 21 9/22/11 10:41 AM

18 system Denotes whether the firewall interface is built-in/system or not. These interfaces can not be updated or deleted. List firewall interfaces GET "firewall_interfaces": [ "name": "eth0", "url": " "id": "5a9a36906ac7012ea3c c9f3", "name": "eth0:1", "url": " "id": "5a9a65806ac7012ea3c c9f3", "name": "eth0:15", "system": false, "url": " "id": "5a9b5b406ac7012ea3c c9f3" ] Get firewall interface details GET "firewall_interface": "name": "eth0:15", "system": false, "url": " "id": "5a9b5b406ac7012ea3c c9f3" Create a new firewall interface POST "firewall_interface" : "name" : "eth0:16" Status: 201 Location: "firewall_interface": "name": "eth0:16", "system": false, "url": " "id": "648e7d40ae4f012ea3f c9f3" Delete firewall interface DELETE Sample : Firewall Services Object Representation 18 of 21 9/22/11 10:41 AM

19 id name protocol port system A unique identifier of the firewall service. A unique name given to the firewall service. The specified protocol of the firewall service. TCP, UDP, and ICMP are allowed. The specified port(s) of the firewall service. Denotes whether the firewall service is built-in/system or not. System firewall services can not be updated or deleted. List firewall services GET "firewall_services": [ "port": "53", "protocol": "TCP", "name": "dns AXFR", "url": " "id": "5a8ce2e06ac7012ea3c c9f3", "port": "53", "protocol": "UDP", "name": "dns query", "url": " "id": "5a8cc0a06ac7012ea3c c9f3", "port": "5432", "protocol": "TCP", "name": "postgres", "system": false, "url": " "id": "5a8e66606ac7012ea3c c9f3" ] Get firewall service details GET "firewall_service": "port": "5432", "protocol": "TCP", "name": "postgres", "system": false, "url": " "id": "5a8e66606ac7012ea3c c9f3" Create a new firewall service POST "firewall_service" : "name" : "rails", "protocol" : "tcp", "port" : "3000" Status: 201 Location: "firewall_service": "port": "3000", "protocol": "TCP", "name": "rails", "system": false, "url": " 19 of 21 9/22/11 10:41 AM

20 "id": "d ae4e012ea3f c9f3" Delete firewall service DELETE Firewall Zones Object Representation id A unique identifier of the firewall zone. name A unique name given to the firewall zone. ip_address The specified IP address(es) of the firewall zone. system Denotes whether the firewall zone is built-in/system or not. These zones can not be updated or deleted. used_by Read-only. The list of firewall policies that use this firewall zone. List firewall zones GET "firewall_zones": [ "ip_address": " /0", "used_by": [ "name": "CentOS firewall policy", "id": "5ab5a3106ac7012ea3c c9f3", "name": "Drop everything in all directions policy", "id": "5ab8a7e06ac7012ea3c c9f3" "name": "any", "url": " "id": "5a935b306ac7012ea3c c9f3", "ip_address": " , ", "used_by": [ "name": "DevelopmentCo", "system": false, "url": " "id": "5a ac7012ea3c c9f3" ] Get firewall zone details GET "firewall_zone": "ip_address": " , ", "used_by": [ "name": "DevelopmentCo", "system": false, "url": " "id": "5a ac7012ea3c c9f3" Create a new firewall zone POST 20 of 21 9/22/11 10:41 AM

21 "firewall_zone" : "name" : "databases", "ip_address" : " , , " : Status: 201 Location: "firewall_zone": "ip_address": " , , ", "used_by": [ "name": "databases", "system": false, "url": " "id": "002736c0ae4b012ea3f c9f3" Clone a firewall zone To clone a firewall zone, first fetch the firewall zone details to clone, then create the new firewall zone by using the create firewall zone call, with the new name and IP address(es) details. Update firewall zone PUT "firewall_zone" : "ip_address" : " " : Delete firewall zone Only non-system firewall zones that are not used by firewall policies can be deleted. Attempting to delete a system firewall zone or a firewall zone that is used by firewall policies will result in 422 error. DELETE 21 of 21 9/22/11 10:41 AM