REST APIs for 24.2.20 and 24.2.10

Policy Update Mode

This Public Experimental API controls when policy updates are applied to workloads.

Overview of Policy Update Mode

The PCE has two policy update options:

  • Adaptive: Apply policy changes as soon as you provision.

  • Static: Apply policy changes later, such as during a scheduled maintenance window.

By default, the PCE policy update mode is set to Adaptive, but you can configure Static policy update mode for specific sets of workloads identified by scopes. Workloads whose labels match a static policy update scope still receive policy changes from the PCE, but those changes are not applied until a user or an orchestration system instructs the PCE to apply them.

Configuring static policy update mode requires defining a scope that contains one or more environment, application, or location and role labels. If a label type is not defined in the scope, that label type is interpreted as All. For example, if the policy update scope is

Application = Checking, Location = China,

the PCE interprets the scope as

Application = Checking, Location = China, Environment = All.
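The scope rule above can be modelled offline to see which workloads would be held in Static mode before a scope is provisioned. This is an added example, not Illumio code: the label type keys (`role`, `app`, `env`, `loc`), the dictionary layout, and the sample workloads are assumptions and do not reflect the PCE's JSON schema.

```python
# Added example: a local model of static policy scope matching.
# Label type keys and data layout are assumptions, not the PCE's JSON schema.
LABEL_TYPES = ("role", "app", "env", "loc")
ALL = "All"


def normalize_scope(scope):
    """Expand a scope so every label type it omits is set to All."""
    unknown = set(scope) - set(LABEL_TYPES)
    if unknown:
        raise ValueError(f"unknown label type(s): {sorted(unknown)}")
    return {t: scope.get(t, ALL) for t in LABEL_TYPES}


def scope_matches(scope, workload_labels):
    """True when the workload carries every label the scope pins down."""
    full = normalize_scope(scope)
    return all(
        value == ALL or workload_labels.get(t) == value
        for t, value in full.items()
    )


def update_mode(static_policy_scopes, workload_labels):
    """Static if any static scope matches; otherwise the default, Adaptive."""
    if any(scope_matches(s, workload_labels) for s in static_policy_scopes):
        return "Static"
    return "Adaptive"


def audit(static_policy_scopes, workloads):
    """Map each workload name to the update mode it would fall under."""
    return {n: update_mode(static_policy_scopes, l) for n, l in workloads.items()}


# Constructed sample data: the scope from the text plus four workloads.
SCOPES = [{"app": "Checking", "loc": "China"}]
WORKLOADS = {
    "checking-db-cn": {"role": "Database", "app": "Checking", "env": "Production", "loc": "China"},
    "checking-web-us": {"role": "Web", "app": "Checking", "env": "Production", "loc": "US"},
    "checking-web-noloc": {"role": "Web", "app": "Checking", "env": "Staging"},
    "savings-db-cn": {"role": "Database", "app": "Savings", "env": "Production", "loc": "China"},
}

if __name__ == "__main__":
    for name, mode in audit(SCOPES, WORKLOADS).items():
        print(f"{name}: {mode}")
```

A workload that lacks a label the scope names (here `checking-web-noloc`) does not match and stays Adaptive, and an empty scope list puts every workload in Adaptive.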

Methods for policy update

| Functionality | HTTP | URI |
|---|---|---|
| Get the current policy update mode for your organization. | GET | [api_version][org_href]/sec_policy/draft/firewall_settings |
| Change the policy update mode for your organization. | PUT | [api_version][org_href]/sec_policy/draft/firewall_settings |

Get Policy Update Mode

You can use this method to get your organization's current policy update mode settings, which are part of your PCE security settings. This method contains a variable (:pversion) that can be used to return the security settings in either the active (currently provisioned) or the draft state for your organization.

URI To Get Policy Update Mode

GET [api_version][org_href]/sec_policy/draft/firewall_settings

Change Policy Update Mode

The Change Policy Update Mode method sets your organization's draft policy update mode, which might include adding or removing a policy scope.

Only the draft state of your policy update mode can be modified, not the currently active (provisioned) version. First, make your changes to the draft policy update mode, and then provision those changes.

URI To Change Policy Update Mode

PUT [api_version][org_href]/sec_policy/draft/firewall_settings

Remove all Static Policy Scopes

To remove all static policy scopes, pass an empty JSON array:

PUT [api_version][org_href]/sec_policy/draft/firewall_settings

{ "static_policy_scopes": [] }

Note

The policy update mode is set to Adaptive when all static policy scopes are removed.