Provisioning (Public Experimental)
This Public Experimental API gets information about un-provisioned changes to security policy items (rulesets, IP lists, security settings, labels and label groups, services, virtual services, and user groups). You can also find provisioning dependencies, delete unprovisioned security policy items, revert the last provisioned items, and check whether a security rule exists that allows communications between two workloads.
To provision security policy items and get information about one or more provisioned items, see "Provisioning – Public Stable".
Provisioning API Methods
Functionality | HTTP | URI
---|---|---
Get the collection of modified ( | GET | [api_version][org_href]/sec_policy/pending
Check whether a rule exists between two workloads that allows communication. | GET | [api_version][org_href]/sec_policy/{pversion}/allow
Get the collection of all policy items that were modified in a specific version of a security policy. | GET | [api_version][sec_policy_version_href]/modified_objects
Delete all un-provisioned security policy item modifications (all un-provisioned | DELETE | [api_version][org_href]/sec_policy/pending
Revert a specified list of pending uncommitted security policy items. This method allows you to select specific items to revert. | PUT | [api_version][org_href]/sec_policy/delete
Determine if a specific set of objects can be provisioned or if they depend on other objects that need to be provisioned. | POST | [api_version][org_href]/sec_policy/draft/dependencies
Used to see the policy impact before provisioning. This API is referencing | |
Provisionable Policy Items
The following security policy items require provisioning before they can affect managed workloads (workloads with a VEN installed). Together, these policy items constitute the security policy.
IP Lists: IP addresses, IP ranges, and CIDR blocks allowed to access managed workloads.
Label Groups: Labels can be managed in label groups.
Rulesets: Policy items that include labels and rules to define permitted communication between workloads and between groups.
Pairing Profiles: A Pairing Profile applies certain properties to workloads as they pair with the PCE, such as labels and workload policy states.
Security Settings: General network security settings, such as ICMP echo reply, allow or disable IPv6, and connectivity settings.
Services: Definitions or discovery of existing services on your workloads.
Virtual Servers: Load-balancer virtual servers that can be referenced in rules to allow communication with the workloads behind a load balancer.
Virtual Services: A virtual service is a single service (a port/protocol set) that can be used directly in a rule as a single entity. Labels that represent multiple virtual services can also be used to write rules.
Enforcement Boundaries: Boundaries that narrow the scope of segmentation so that allow-list policy can be applied to a bounded set of traffic, keeping the policy model simple and maintainable.
When the security policy is provisioned, the PCE recalculates any changes made to policy configurations and then transmits those changes to the VENs installed on the workloads.
Policy Provisioning States
Get All Items Pending Provisioning
This method gets a list of all modified policy items pending provisioning.
URI to Get All Policy Items Pending Provisioning
This API allows the user to view a list of all policy objects pending provisioning bucketed by type. The UI uses this to generate the "draft changes" page.
GET [api_version][org_href]/sec_policy/pending
Revert All Items Pending Provisioning
This method reverts (undoes) the current set of non-provisioned security policy modifications (all non-provisioned draft changes).
DELETE [api_version][org_href]/sec_policy/pending
Get Security Policy Dependencies
This public experimental API allows the user to determine a particular policy object's provisioning (or revert) dependencies. The response JSON is bucketed by object type and uses the same schema as the pending-changes response.
URI to Get Specific Security Policy Dependencies
POST [api_version][org_href]/sec_policy/draft/dependencies
Get Rules Allowing Communication
This method gets a list of all rules that allow communication between two workloads (and other entities) for a specific version of a provisioned security policy.
By default, the maximum number returned on a GET collection with this API is 500.
Check for Rules Between Workloads
GET /api/v2/orgs/{org_id}/sec_policy/{pversion}/allow
Revert a List of Items Pending Provisioning
This API allows the user to revert a subset of policy objects via the change_subset field.
The field selective_enforcement_rules was replaced with enforcement_boundaries.
Revert a Specific List of Items Pending Provisioning
PUT [api_version][org_href]/sec_policy/delete
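The following is an added example (not code from the Illumio documentation or the PCE product) showing the draft-change workflow that the pending, dependencies and selective-revert endpoints above support: fetch the pending buckets, narrow them to one object type, check dependencies, and send only that change_subset to PUT .../sec_policy/delete so the other pending items survive. Everything not on this page is an assumption: the PCE base URL and org id are hypothetical, authentication is taken to be an API key sent as HTTP basic credentials, the pending response and change_subset are taken to be dictionaries keyed by object type (rule_sets, ip_lists, enforcement_boundaries, ...) holding {"href": ...} entries, and the dependencies POST is assumed to accept the same change_subset body. The HTTP transport is injectable, and the block ships with a constructed stub PCE so it runs offline.

```python
"""Pending-change workflow against the PCE provisioning endpoints.
Added example, not Illumio's code. Hypothetical: PCE URL, org id, API-key basic auth,
and the bucket names/body shapes described in the lead-in. The HTTP transport is
injectable so the workflow runs offline against the constructed stub below."""
import base64
import json
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

Json = Dict[str, object]
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, Json]]

def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[bytes]) -> Tuple[int, Json]:
    """Live transport: one HTTPS round trip, JSON in and out."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else {})

class PceClient:
    def __init__(self, base_url: str, org_id: int, api_user: str, api_secret: str,
                 transport: Transport = urllib_transport) -> None:
        self.base_url = base_url.rstrip("/")   # [api_version], e.g. https://pce:8443/api/v2
        self.org_href = f"/orgs/{org_id}"      # [org_href]
        self.transport = transport
        token = base64.b64encode(f"{api_user}:{api_secret}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}", "Accept": "application/json",
                        "Content-Type": "application/json"}

    def _call(self, method: str, path: str, payload: Optional[Json] = None) -> Json:
        body = json.dumps(payload).encode() if payload is not None else None
        status, data = self.transport(method, self.base_url + path, self.headers, body)
        if status >= 400:
            raise RuntimeError(f"{method} {path} -> HTTP {status}: {data}")
        return data

    def pending(self) -> Json:                 # GET [api_version][org_href]/sec_policy/pending
        return self._call("GET", f"{self.org_href}/sec_policy/pending")

    def dependencies(self, change_subset: Json) -> Json:   # POST .../sec_policy/draft/dependencies
        return self._call("POST", f"{self.org_href}/sec_policy/draft/dependencies",
                          {"change_subset": change_subset})

    def revert_subset(self, change_subset: Json) -> Json:  # PUT [api_version][org_href]/sec_policy/delete
        return self._call("PUT", f"{self.org_href}/sec_policy/delete",
                          {"change_subset": change_subset})

    def modified_objects(self, version_href: str) -> Json: # GET [sec_policy_version_href]/modified_objects
        return self._call("GET", f"{version_href}/modified_objects")

def select_subset(pending: Json, types: List[str]) -> Dict[str, List[Dict[str, str]]]:
    """Keep only the hrefs of the requested buckets so the revert touches nothing else."""
    subset: Dict[str, List[Dict[str, str]]] = {}
    for t in types:
        hrefs = [{"href": item["href"]} for item in pending.get(t, []) if "href" in item]
        if hrefs:
            subset[t] = hrefs
    return subset

def revert_types(client: PceClient, types: List[str]) -> Dict[str, object]:
    """Get pending -> narrow to `types` -> check dependencies -> revert only that subset."""
    subset = select_subset(client.pending(), types)
    if not subset:
        return {"reverted": {}, "dependencies": None}   # nothing pending: no PUT is sent
    deps = client.dependencies(subset)   # inspect before reverting; schema is not on this page
    client.revert_subset(subset)
    return {"reverted": subset, "dependencies": deps}

# Constructed PCE stub: sample data, not captured from a real PCE.
STUB_PENDING: Json = {
    "rule_sets": [{"href": "/orgs/1/sec_policy/draft/rule_sets/10", "name": "web-tier"}],
    "ip_lists": [{"href": "/orgs/1/sec_policy/draft/ip_lists/3", "name": "corp-nat"}],
    "enforcement_boundaries": [],
}
CALLS: List[Tuple[str, str, Optional[Json]]] = []

def stub_transport(method, url, headers, body):
    CALLS.append((method, url, json.loads(body) if body else None))
    if method == "GET" and url.endswith("/sec_policy/pending"):
        return 200, STUB_PENDING
    if method == "POST" and url.endswith("/sec_policy/draft/dependencies"):
        return 200, {"dependencies": []}
    if method == "PUT" and url.endswith("/sec_policy/delete"):
        return 204, {}
    return 404, {"token": "not_found"}

def demo() -> Dict[str, object]:
    """Revert only the pending ruleset; the pending IP list must stay untouched."""
    CALLS.clear()
    client = PceClient("https://pce.example.com:8443/api/v2", 1, "api_1abc", "secret",
                       transport=stub_transport)
    result = revert_types(client, ["rule_sets"])
    return {"result": result, "calls": list(CALLS)}
```

The point of `select_subset` is that the revert body carries only hrefs you chose from the pending response; a DELETE on `/sec_policy/pending` would discard every draft change, including the unrelated IP list. To use it against a live PCE, construct `PceClient` without the `transport` argument and pass the version href from the provisioned-versions collection to `modified_objects`.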
Get Modified Items in a Provisioned Version
This method collects all modified policy items in a specific security policy version.
Every time the security policy is provisioned, it gets a version in the form of an HREF. You can obtain the HREF by getting all provisioned versions of your security policy. You can use that provision version HREF when calling this method.
URI to Get All Modified Items in a Specific Provisioned Version
GET [api_version][sec_policy_version_href]/modified_objects