Rule Search
This Public Experimental method searches for rules across all rulesets. This method is especially useful when your organization has many rules organized in rulesets.
For example, if your organization has 192,000 rules organized across 650 rulesets and you need to know how many rules apply to SNMP (UDP 161), you can't easily find this information without using this method.
Note
Rule search concurrent requests are now increased to 12 searches on 2x2s and 4x2s.
Rule Search Methods
Functionality | HTTP | URI |
---|---|---|
Create rule search | POST |
|
Rule Search exposes deny_rules and override_deny rules in the UI when you search for them in the Rule Search page.
For the changes in the UI, see Security Policy Guide, Policy Check and Rule Search.
Property Name | Type | Description | Required |
---|---|---|---|
| Array of enums: | Requested rule_types that should be searched for | No |
Rule Search Reference
This topic covers properties, parameters, and examples for rule search.
Parameters for Rule Search
Parameter | Description |
---|---|
| Rule actors are all workloads ('ams') |
| Label URI required: |
| Label group URI required: |
| Workload URI required: |
|
required: |
|
required: |
| Virtual service URI required: |
| Name of Rule Set(URI of associated IP List required: |
Schema Changes in Release 25.2.0
- Schema changes for the following:
sec_policy_rule_search_providers
sec_policy_rule_search_destinations
"container_workload": {+ "type": "object",+ "additionalProperties": false,+ "required": ["href"],+ "properties": {+ "href": {+ "description": "Container workload URI",+ "type": "string"+ }+ }+ },+ "kubernetes_workload": {+ "type": "object",+ "additionalProperties": false,+ "required": ["href"],+ "properties": {+ "href": {+ "description": "Kubernetes workload URI",+ "type": "string"+ }+ }+ }, ===================
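Review bot: in both added objects, "href" is constrained only by "type": "string", so any string validates as a container or Kubernetes workload URI. Consider adding a "pattern" that restricts the value to the expected workload URI form, so that a malformed or mistyped reference is rejected at schema validation instead of reaching the search itself.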
This schema has two new properties: container_workload and kubernetes_workload
allOf and two existing schemas:
sec_policy_rule_search_post_response
```json
{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "type": "object",
  "additionalProperties": false,
  "properties": {
    "sec_rules": {
      "description": "Array of allow rules",
      "type": "array",
      "items": {
        "allOf": [
          { "$ref": "../common/sec_rules_get.schema.json" },
          { "rule_set": { "$ref": "../common/rule_set.schema.json" } }
        ]
      }
    },
    "deny_rules": {
      "description": "Array of deny rules",
      "type": "array",
      "items": {
        "allOf": [
          { "$ref": "../common/deny_rules_get.schema.json" },
          { "rule_set": { "$ref": "../common/rule_set.schema.json" } }
        ]
      }
    },
    "override_deny_rules": {
      "description": "Array of override deny rules",
      "type": "array",
      "items": {
        "allOf": [
          { "$ref": "../common/deny_rules_get.schema.json" },
          { "rule_set": { "$ref": "../common/rule_set.schema.json" } }
        ]
      }
    },
    "ip_tables_rules": {
      "type": "array",
      "items": {
        "allOf": [
          { "$ref": "../common/ip_tables_rules_get.schema.json" },
          { "rule_set": { "$ref": "../common/rule_set.schema.json" } }
        ]
      }
    }
  }
}
```
Parameter-based Rule Search
This endpoint is used to get all sec_rules, deny_rules, and override_deny_rules based on parameters. It was created to extend the response of the original allow endpoint and preserve compatibility with existing tools.
Policy Check
Functionality | HTTP | URI |
---|---|---|
Get all rules, deny_rules, and override_deny rules that apply to providers and destinations. |
|
|
Parameters for Policy Check
Property | Required |
---|---|
| Yes |
| Yes |
| No |
| No |
| No |
| No |
| No |
| No |
| No |
| No |
Schema for sec_policy_policy_check_get
```json
{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "type": "object",
  "additionalProperties": false,
  "required": ["sec_rules", "deny_rules", "override_deny_rules"],
  "properties": {
    "sec_rules": {
      "description": "Array of allow rules",
      "type": "array",
      "items": {
        "allOf": [
          { "$ref": "../common/sec_rules_get.schema.json" },
          { "rule_set": { "$ref": "../common/rule_set.schema.json" } }
        ]
      }
    },
    "deny_rules": {
      "description": "Array of deny rules",
      "type": "array",
      "items": {
        "allOf": [
          { "$ref": "../common/deny_rules_get.schema.json" },
          { "rule_set": { "$ref": "../common/rule_set.schema.json" } }
        ]
      }
    },
    "override_deny_rules": {
      "description": "Array of override deny rules",
      "type": "array",
      "items": {
        "allOf": [
          { "$ref": "../common/deny_rules_get.schema.json" },
          { "rule_set": { "$ref": "../common/rule_set.schema.json" } }
        ]
      }
    }
  }
}
```
Response Example for sec_rules
```json
{
  "sec_rules": [
    {
      "href": "/orgs/12346/sec_policy/draft/rule_sets/39024006/sec_rules/39024014",
      "created_at": "2024-09-27T14:05:58.245Z",
      "updated_at": "2024-09-27T14:05:58.271Z",
      "deleted_at": null,
      "created_by": { "href": "/users/0" },
      "updated_by": { "href": "/users/0" },
      "deleted_by": null,
      "update_type": "create",
      "description": null,
      "enabled": true,
      "providers": [
        {
          "ip_list": {
            "href": "/orgs/12346/sec_policy/draft/ip_lists/39024003",
            "created_at": "2024-09-27T14:05:50.537Z",
            "updated_at": "2024-09-27T14:05:50.548Z",
            "deleted_at": null,
            "created_by": { "href": "/users/0" },
            "updated_by": { "href": "/users/0" },
            "deleted_by": null,
            "update_type": null,
            "name": "Any (0.0.0.0/0 and ::/0)"
          }
        },
        {
          "label": { "href": "/orgs/12346/labels/1058977347", "key": "app", "value": "destinationApp" },
          "exclusion": false
        }
      ],
      "destinations": [
        {
          "label": { "href": "/orgs/12346/labels/1058977347", "key": "app", "value": "destinationApp" },
          "exclusion": false
        }
      ],
      "consuming_security_principals": [],
      "sec_connect": false,
      "stateless": false,
      "machine_auth": false,
      "unscoped_destinations": false,
      "network_type": "brn",
      "use_workload_subnets": [],
      "ingress_services": [ { "port": 3306, "proto": 6 } ],
      "egress_services": [],
      "resolve_labels_as": { "providers": [ "workloads" ], "destinations": [ "workloads" ] },
      "rule_set": {
        "href": "/orgs/12346/sec_policy/draft/rule_sets/39024006",
        "created_at": "2025-01-22T09:43:31.326Z",
        "updated_at": "2025-01-22T09:43:31.393Z",
        "deleted_at": null,
        "created_by": { "href": "/users/0" },
        "updated_by": { "href": "/users/0" },
        "deleted_by": null,
        "update_type": "create",
        "name": "Test rule",
        "enabled": true,
        "scopes": [ [] ],
        "caps": [ "write", "provision" ],
        "update_label": "create"
      }
    }
  ],
  "deny_rules": [
    ======================
  ],
  "override_deny_rules": [
    =======================================
  ]
}
```
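To answer a question like the SNMP (UDP 161) count from the introduction, a response with the shape shown above can be filtered on ingress_services across all three rule arrays. The Python below is an added example, not part of the product documentation: the sample data is constructed, and the names rules_for_service and needs_review are hypothetical.

```python
import json

# Constructed sample, trimmed to the fields used below and shaped like the
# response example on this page; every href and name here is made up.
SAMPLE = json.loads("""
{
  "sec_rules": [
    {"href": "/orgs/1/sec_policy/draft/rule_sets/10/sec_rules/11", "enabled": true,
     "providers": [{"ip_list": {"name": "Any (0.0.0.0/0 and ::/0)"}}],
     "ingress_services": [{"port": 161, "proto": 17}],
     "rule_set": {"href": "/orgs/1/sec_policy/draft/rule_sets/10", "name": "Monitoring"}},
    {"href": "/orgs/1/sec_policy/draft/rule_sets/20/sec_rules/21", "enabled": true,
     "providers": [{"label": {"key": "app", "value": "db"}}],
     "ingress_services": [{"port": 3306, "proto": 6}],
     "rule_set": {"href": "/orgs/1/sec_policy/draft/rule_sets/20", "name": "Database"}}
  ],
  "deny_rules": [
    {"href": "/orgs/1/sec_policy/draft/rule_sets/30/deny_rules/31", "enabled": false,
     "providers": [{"label": {"key": "env", "value": "prod"}}],
     "ingress_services": [{"port": 161, "proto": 17}],
     "rule_set": {"href": "/orgs/1/sec_policy/draft/rule_sets/30", "name": "Prod lockdown"}}
  ]
}
""")

RULE_ARRAYS = ("sec_rules", "deny_rules", "override_deny_rules")
ANY_IP_LIST = "Any (0.0.0.0/0 and ::/0)"  # ip_list name taken from the page's example

def rules_for_service(response, port, proto):
    """Return one record per rule whose ingress_services include port/proto."""
    hits = []
    for kind in RULE_ARRAYS:
        for rule in response.get(kind, []):  # an array may be absent or empty
            services = rule.get("ingress_services", [])
            if not any(s.get("port") == port and s.get("proto") == proto for s in services):
                continue
            open_to_any = any(p.get("ip_list", {}).get("name") == ANY_IP_LIST
                              for p in rule.get("providers", []))
            hits.append({"kind": kind, "rule": rule["href"], "enabled": rule.get("enabled", False),
                         "rule_set": rule.get("rule_set", {}).get("name"),
                         "open_to_any": open_to_any})
    return hits

def needs_review(hits):
    """Enabled allow rules whose providers array includes the Any IP list."""
    return [h for h in hits if h["kind"] == "sec_rules" and h["enabled"] and h["open_to_any"]]

if __name__ == "__main__":
    print(*rules_for_service(SAMPLE, 161, 17), sep="\n")
```

The match is on exact port and proto values only (17 is UDP, 6 is TCP); services expressed in any other form are not counted by this sketch.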