firewall#

The following methods allow for interaction with the ZIA Firewall Policies API endpoints.

Methods are accessible via zia.firewall

class FirewallPolicyAPI#
add_ip_destination_group(name, **kwargs)#

Adds a new IP Destination Group.

Parameters:
  • name (str) – The name of the IP Destination Group.

  • **kwargs – Optional keyword args.

Keyword Arguments:
  • type (str) – Destination IP group type. Allowed values are DSTN_IP and DSTN_FQDN.

  • addresses (list) – Destination IP addresses or FQDNs within the group.

  • description (str) – Additional information about the destination IP group.

  • ip_categories (list) – Destination IP address URL categories.

  • countries (list) – Destination IP address countries.

Returns:

The newly created IP Destination Group resource record.

Return type:

Box

Examples

Add a Destination IP Group with IP addresses:

>>> zia.firewall.add_ip_destination_group(name='Destination Group - IP',
...    addresses=['203.0.113.0/25', '203.0.113.131'],
...    type='DSTN_IP')

Add a Destination IP Group with FQDN:

>>> zia.firewall.add_ip_destination_group(name='Destination Group - FQDN',
...    description='Covers domains for Example Inc.',
...    addresses=['example.com', 'example.edu'],
...    type='DSTN_FQDN')

Add a Destination IP Group for the US:

>>> zia.firewall.add_ip_destination_group(name='Destination Group - US',
...    description='Covers the US',
...    countries=['COUNTRY_US'])
add_ip_source_group(name, ip_addresses, description=None)#

Adds a new IP Source Group.

Parameters:
  • name (str) – The name of the IP Source Group.

  • ip_addresses (list) – The list of IP addresses or CIDR ranges for the IP Source Group.

  • description (str) – Additional information for the IP Source Group.

Returns:

The new IP Source Group resource record.

Return type:

Box

Examples

Add a new IP Source Group:

>>> zia.firewall.add_ip_source_group(name='My IP Source Group',
...    ip_addresses=['198.51.100.0/24', '192.0.2.1'],
...    description='Contains the IP addresses for the local network.')
add_network_service(name, ports=None, **kwargs)#

Adds a new Network Service.

Parameters:
  • name – The name of the Network Service

  • ports (list) –

    A list of port protocol tuples. Tuples must follow the convention src/dest, protocol, start port, end port. If this is a single port and not a port range then end port can be omitted. E.g.

    ('src', 'tcp', '49152', '65535'),
    ('dest', 'tcp', '22'),
    ('dest', 'tcp', '9010', '9012'),
    ('dest', 'udp', '9010', '9012')
    

  • **kwargs – Optional keyword args.

Keyword Arguments:

description (str) – Additional information on the Network Service.

Returns:

The newly created Network Service resource record.

Return type:

Box

Examples

Add a Network Service for Microsoft LDAP:

>>> zia.firewall.add_network_service('MS LDAP',
...    description='Covers all ports used by MS LDAP',
...    ports=[
...        ('dest', 'tcp', '389'),
...        ('dest', 'udp', '389'),
...        ('dest', 'tcp', '636'),
...        ('dest', 'tcp', '3268', '3269')])

Add Network Service designed to match inbound SSH traffic:

>>> zia.firewall.add_network_service('Inbound SSH',
...    description='Inbound SSH',
...    ports=[
...        ('src', 'tcp', '22'),
...        ('dest', 'tcp', '1024', '65535')])
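
The tuple convention above is easy to get subtly wrong: a port outside 1-65535, a start above the end, a protocol the service object does not carry. The converter below is an added example and not pyzscaler's own implementation. It validates each tuple, expands a single port into a one-element range, merges overlapping or adjacent ranges, and builds the per-direction, per-protocol lists a network service object carries; the payload field names srcTcpPorts, destTcpPorts, srcUdpPorts and destUdpPorts are assumed here, not taken from this page.

```python
# Payload field per (direction, protocol); these ZIA field names are assumed, not taken from the page.
_PORT_FIELDS = {
    ("src", "tcp"): "srcTcpPorts",
    ("dest", "tcp"): "destTcpPorts",
    ("src", "udp"): "srcUdpPorts",
    ("dest", "udp"): "destUdpPorts",
}


def _parse_port(value):
    """Accept an int or numeric string and enforce the 1-65535 range."""
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValueError(f"port {value!r} is outside 1-65535")
    return port


def ports_to_payload(ports):
    """Convert (src|dest, tcp|udp, start[, end]) tuples into per-field {'start', 'end'} ranges.

    A three-element tuple is a single port. Ranges in the same field are sorted and
    merged when they overlap or touch, so ('dest', 'tcp', '9010', '9012') plus
    ('dest', 'tcp', '9013') collapse to one 9010-9013 range.
    """
    buckets = {}
    for entry in ports:
        if len(entry) not in (3, 4):
            raise ValueError(f"expected 3 or 4 elements, got {entry!r}")
        field = _PORT_FIELDS.get((str(entry[0]).lower(), str(entry[1]).lower()))
        if field is None:
            raise ValueError(f"unsupported direction/protocol in {entry!r}")
        start = _parse_port(entry[2])
        end = _parse_port(entry[3]) if len(entry) == 4 else start
        if end < start:
            raise ValueError(f"end port precedes start port in {entry!r}")
        buckets.setdefault(field, []).append((start, end))

    payload = {}
    for field, ranges in buckets.items():
        merged = []
        for start, end in sorted(ranges):
            if merged and start <= merged[-1][1] + 1:
                # Overlapping or adjacent: extend the previous range instead of adding another.
                merged[-1] = (merged[-1][0], max(merged[-1][1], end))
            else:
                merged.append((start, end))
        payload[field] = [{"start": s, "end": e} for s, e in merged]
    return payload


if __name__ == "__main__":
    # The MS LDAP port list from the example above.
    print(ports_to_payload([
        ("dest", "tcp", "389"),
        ("dest", "udp", "389"),
        ("dest", "tcp", "636"),
        ("dest", "tcp", "3268", "3269"),
    ]))
```

The merge step matters for review as much as for size: a service that carries ('dest', 'tcp', '1024', '65535') next to ('dest', 'tcp', '22') is far broader than its name suggests, and collapsing ranges first makes that visible before the service is attached to an ALLOW rule.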
add_network_svc_group(name, service_ids, description=None)#

Adds a new Network Service Group.

Parameters:
  • name (str) – The name of the Network Service Group.

  • service_ids (list) – A list of Network Service IDs to add to the group.

  • description (str) – Additional information about the Network Service Group.

Returns:

The newly created Network Service Group resource record.

Return type:

Box

Examples

Add a new Network Service Group:

>>> zia.firewall.add_network_svc_group(name='New Network Service Group',
...    service_ids=['159143', '159144', '159145'],
...    description='Group for the new Network Service.')
add_rule(name, action, **kwargs)#

Adds a new firewall filter rule.

Parameters:
  • name (str) – The name of the filter rule. 31 char limit.

  • action (str) – The action for the filter rule.

  • **kwargs – Optional keyword args

Keyword Arguments:
  • order (str) – The order of the rule, defaults to adding rule to bottom of list.

  • rank (str) – The admin rank of the rule.

  • state (str) – The rule state. Accepted values are ‘ENABLED’ or ‘DISABLED’.

  • description (str) – Additional information about the rule

  • src_ips (list) – The source IPs that this rule applies to. Individual IP addresses or CIDR ranges accepted.

  • dest_addresses (list) – The destination IP addresses that this rule applies to. Individual IP addresses or CIDR ranges accepted.

  • dest_ip_categories (list) – The IP address categories that this rule applies to.

  • dest_countries (list) – The destination countries that this rule applies to.

  • enable_full_logging (bool) – Enables full logging if True.

  • nw_applications (list) – The network service applications that this rule applies to.

  • app_services (list) – The IDs for the application services that this rule applies to.

  • app_service_groups (list) – The IDs for the application service groups that this rule applies to.

  • departments (list) – The IDs for the departments that this rule applies to.

  • dest_ip_groups (list) – The IDs for the destination IP groups that this rule applies to.

  • groups (list) – The IDs for the groups that this rule applies to.

  • labels (list) – The IDs for the labels that this rule applies to.

  • locations (list) – The IDs for the locations that this rule applies to.

  • location_groups (list) – The IDs for the location groups that this rule applies to.

  • nw_application_groups (list) – The IDs for the network application groups that this rule applies to.

  • nw_services (list) – The IDs for the network services that this rule applies to.

  • nw_service_groups (list) – The IDs for the network service groups that this rule applies to.

  • time_windows (list) – The IDs for the time windows that this rule applies to.

  • users (list) – The IDs for the users that this rule applies to.

Returns:

The new firewall filter rule resource record.

Return type:

Box

Examples

Add a rule to allow all traffic to Google DNS (admin ranking is enabled):

>>> zia.firewall.add_rule(rank='7',
...    dest_addresses=['8.8.8.8', '8.8.4.4'],
...    name='ALLOW_ANY_TO_GOOG-DNS',
...    action='ALLOW',
...    description='TT#1965432122')

Add a rule to block all traffic to Quad9 DNS for all users in Finance Group and send an ICMP error:

>>> zia.firewall.add_rule(rank='7',
...    dest_addresses=['9.9.9.9'],
...    name='BLOCK_GROUP-FIN_TO_Q9-DNS',
...    action='BLOCK_ICMP',
...    groups=['95016183'],
...    description='TT#1965432122')
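
Rule order decides what matches first, so a broad ALLOW placed above a narrower BLOCK silently disables the block. The checker below is an added example, not part of pyzscaler. It runs over rule records of the shape list_rules() returns (snake_case keys order, action, state, src_ips and dest_addresses are assumed from the keyword arguments above) and reports enabled rules whose whole source and destination IP scope is already claimed by an earlier rule with a different action. It compares IP scope only, so a rule that additionally keys on users, groups, services or categories can appear as a false positive and needs a manual look. The sample rules are constructed.

```python
import ipaddress

# Constructed sample rules in the shape list_rules() is assumed to return (snake_case keys).
SAMPLE_RULES = [
    {"id": 1, "name": "ALLOW_ANY_TO_GOOG-DNS", "order": "1", "action": "ALLOW", "state": "ENABLED",
     "src_ips": [], "dest_addresses": ["8.8.8.8", "8.8.4.4"]},
    {"id": 2, "name": "ALLOW_CORP_TO_DNS-ANY", "order": "2", "action": "ALLOW", "state": "ENABLED",
     "src_ips": ["198.51.100.0/24"], "dest_addresses": ["9.9.9.0/24"]},
    {"id": 3, "name": "BLOCK_GROUP-FIN_TO_Q9-DNS", "order": "3", "action": "BLOCK_ICMP", "state": "ENABLED",
     "src_ips": ["198.51.100.64/26"], "dest_addresses": ["9.9.9.9"]},
    {"id": 4, "name": "BLOCK_ALL_TO_GOOG-DNS", "order": "4", "action": "BLOCK_ICMP", "state": "DISABLED",
     "src_ips": [], "dest_addresses": ["8.8.8.8"]},
]


def _networks(values):
    """Parse a list of IPs/CIDRs; an empty or missing list means 'any' and stays empty."""
    return [ipaddress.ip_network(v, strict=False) for v in values or []]


def _covers(broad, narrow):
    """True if every network in narrow lies inside some network in broad.

    An empty broad list is 'any' and covers everything; an empty narrow list is 'any'
    and can only be covered by another 'any'.
    """
    if not broad:
        return True
    if not narrow:
        return False
    return all(any(n.version == b.version and n.subnet_of(b) for b in broad) for n in narrow)


def find_shadowed_rules(rules):
    """Return (shadowed_rule, shadowing_rule) name pairs for enabled rules that can never match.

    A rule is shadowed when an enabled rule earlier in the order has a different action
    and covers its whole source and destination IP scope. Only src_ips and dest_addresses
    are compared; rules that also match on users, groups, services or categories may be
    reported even though they still fire, so treat findings as a review list.
    """
    active = [r for r in rules if r.get("state", "ENABLED") == "ENABLED"]
    ordered = sorted(active, key=lambda r: int(r["order"]))
    findings = []
    for i, later in enumerate(ordered):
        later_src = _networks(later.get("src_ips"))
        later_dst = _networks(later.get("dest_addresses"))
        for earlier in ordered[:i]:
            if earlier["action"] == later["action"]:
                continue
            if (_covers(_networks(earlier.get("src_ips")), later_src)
                    and _covers(_networks(earlier.get("dest_addresses")), later_dst)):
                findings.append((later["name"], earlier["name"]))
                break
    return findings


if __name__ == "__main__":
    for shadowed, by in find_shadowed_rules(SAMPLE_RULES):
        print(f"{shadowed} is shadowed by {by}; move it above or narrow the earlier rule")
```

In the sample set the Finance block on 9.9.9.9 sits below an ALLOW from the whole 198.51.100.0/24 to 9.9.9.0/24 and is therefore reported; passing the output of zia.firewall.list_rules() instead of SAMPLE_RULES turns this into a check that can run after every add_rule or update_rule that changes order.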
delete_ip_destination_group(group_id)#

Deletes the specified IP Destination Group.

Parameters:

group_id (str) – The unique ID of the IP Destination Group.

Returns:

The status code of the operation.

Return type:

int

Examples

>>> zia.firewall.delete_ip_destination_group('287342')
delete_ip_source_group(group_id)#

Deletes an IP Source Group.

Parameters:

group_id (str) – The unique ID of the IP Source Group to be deleted.

Returns:

The status code for the operation.

Return type:

int

Examples

>>> zia.firewall.delete_ip_source_group('762398')
delete_network_service(service_id)#

Deletes the specified Network Service.

Parameters:

service_id (str) – The unique ID for the Network Service.

Returns:

The status code for the operation.

Return type:

int

Examples

>>> zia.firewall.delete_network_service('762398')
delete_network_svc_group(group_id)#

Deletes the specified Network Service Group.

Parameters:

group_id (str) – The unique identifier for the Network Service Group.

Returns:

The response code for the operation.

Return type:

int

Examples

>>> zia.firewall.delete_network_svc_group('762398')
delete_rule(rule_id)#

Deletes the specified firewall filter rule.

Parameters:

rule_id (str) – The unique identifier for the firewall filter rule.

Returns:

The status code for the operation.

Return type:

int

Examples

>>> zia.firewall.delete_rule('278454')
get_ip_destination_group(group_id)#

Returns information on the specified IP Destination Group.

Parameters:

group_id (str) – The unique ID of the IP Destination Group.

Returns:

The IP Destination Group resource record.

Return type:

Box

Examples

>>> pprint(zia.firewall.get_ip_destination_group('287342'))
get_ip_source_group(group_id)#

Returns information for the specified IP Source Group.

Parameters:

group_id (str) – The unique ID of the IP Source Group.

Returns:

The IP Source Group resource record.

Return type:

Box

Examples

>>> pprint(zia.firewall.get_ip_source_group('762398'))
get_network_app(app_id)#

Returns information for the specified Network Application.

Parameters:

app_id (str) – The unique ID for the Network Application.

Returns:

The Network Application resource record.

Return type:

Box

Examples

>>> pprint(zia.firewall.get_network_app('762398'))
get_network_app_group(group_id)#

Returns information for the specified Network Application Group.

Parameters:

group_id (str) – The unique ID for the Network Application Group.

Returns:

The Network Application Group resource record.

Return type:

Box

Examples

>>> pprint(zia.firewall.get_network_app_group('762398'))
get_network_service(service_id)#

Returns information for the specified Network Service.

Parameters:

service_id (str) – The unique ID for the Network Service.

Returns:

The Network Service resource record.

Return type:

Box

Examples

>>> pprint(zia.firewall.get_network_service('762398'))
get_network_svc_group(group_id)#

Returns information for the specified Network Service Group.

Parameters:

group_id (str) – The unique ID for the Network Service Group.

Returns:

The Network Service Group resource record.

Return type:

Box

Examples

>>> pprint(zia.firewall.get_network_svc_group('762398'))
get_rule(rule_id)#

Returns information for the specified firewall filter rule.

Parameters:

rule_id (str) – The unique identifier for the firewall filter rule.

Returns:

The resource record for the firewall filter rule.

Return type:

Box

Examples

>>> pprint(zia.firewall.get_rule('431233'))
list_ip_destination_groups(exclude_type=None)#

Returns a list of IP Destination Groups.

Parameters:

exclude_type (str) – Exclude all groups that match the specified IP destination group’s type. Accepted values are: DSTN_IP, DSTN_FQDN, DSTN_DOMAIN and DSTN_OTHER.

Returns:

List of IP Destination Group records.

Return type:

BoxList

Examples

>>> for group in zia.firewall.list_ip_destination_groups():
...    pprint(group)
list_ip_source_groups(search=None)#

Returns a list of IP Source Groups.

Parameters:

search (str) – The search string used to match against a group’s name or description attributes.

Returns:

List of IP Source Group records.

Return type:

BoxList

Examples

List all IP Source Groups:

>>> for group in zia.firewall.list_ip_source_groups():
...    pprint(group)

Use search parameter to find IP Source Groups with fiji in the name:

>>> for group in zia.firewall.list_ip_source_groups('fiji'):
...    pprint(group)
list_network_app_groups(search=None)#

Returns a list of all Network Application Groups.

Returns:

The list of Network Application Group resource records.

Return type:

BoxList

Examples

>>> for group in zia.firewall.list_network_app_groups():
...    pprint(group)
list_network_apps(search=None)#

Returns a list of all predefined Network Applications.

Parameters:

search (str) – The search string used to match against a network application’s description attribute.

Returns:

The list of Network Application resource records.

Return type:

BoxList

Examples

>>> for app in zia.firewall.list_network_apps():
...    pprint(app)
list_network_services(search=None, protocol=None)#

Returns a list of all Network Services.

The search parameters find matching values within the “name” or “description” attributes.

Parameters:
  • search (str) – The search string used to match against a service’s name or description attributes.

  • protocol (str) – Filter based on the network service protocol. Accepted values are ICMP, TCP, UDP, GRE, ESP and OTHER.

Returns:

The list of Network Service resource records.

Return type:

BoxList

Examples

>>> for service in zia.firewall.list_network_services():
...    pprint(service)
list_network_svc_groups(search=None)#

Returns a list of Network Service Groups.

Parameters:

search (str) – The search string used to match against a group’s name or description attributes.

Returns:

List of Network Service Group resource records.

Return type:

BoxList

Examples

>>> for group in zia.firewall.list_network_svc_groups():
...    pprint(group)
list_rules()#

Returns a list of all firewall filter rules.

Returns:

The list of firewall filter rules

Return type:

BoxList

Examples

>>> for rule in zia.firewall.list_rules():
...    pprint(rule)
update_ip_destination_group(group_id, **kwargs)#

Updates the specified IP Destination Group.

Parameters:
  • group_id (str) – The unique ID of the IP Destination Group.

  • **kwargs – Optional keyword args.

Keyword Arguments:
  • name (str) – The name of the IP Destination Group.

  • addresses (list) – Destination IP addresses or FQDNs within the group.

  • description (str) – Additional information about the IP Destination Group.

  • ip_categories (list) – Destination IP address URL categories.

  • countries (list) – Destination IP address countries.

Returns:

The updated IP Destination Group resource record.

Return type:

Box

Examples

Update the name of an IP Destination Group:

>>> zia.firewall.update_ip_destination_group('9032667',
...    name="Updated IP Destination Group")

Update the description and FQDNs for an IP Destination Group:

>>> zia.firewall.update_ip_destination_group('9032668',
...    description="Tech News",
...    addresses=['arstechnica.com', 'slashdot.org'])
update_ip_source_group(group_id, **kwargs)#

Update an IP Source Group.

This method supports updating individual fields in the IP Source Group resource record.

Parameters:
  • group_id (str) – The unique ID for the IP Source Group to update.

  • **kwargs – Optional keyword args.

Keyword Arguments:
  • name (str) – The name of the IP Source Group.

  • ip_addresses (list) – The list of IP addresses for the IP Source Group.

  • description (str) – Additional information for the IP Source Group.

Returns:

The updated IP Source Group resource record.

Return type:

Box

Examples

Update the name of an IP Source Group:

>>> zia.firewall.update_ip_source_group('9032674',
...    name='Updated Name')

Update the description and IP addresses of an IP Source Group:

>>> zia.firewall.update_ip_source_group('9032674',
...    description='Local subnets, updated on 3 JUL 21',
...    ip_addresses=['192.0.2.0/29', '192.0.2.8/29', '192.0.2.128/25'])
update_network_service(service_id, ports=None, **kwargs)#

Updates the specified Network Service.

If ports aren’t provided then no changes will be made to the ports already defined. If ports are provided then the existing ports will be overwritten.

Parameters:
  • service_id (str) – The unique ID for the Network Service.

  • ports (list) –

    A list of port protocol tuples. Tuples must follow the convention src/dest, protocol, start port, end port. If this is a single port and not a port range then end port can be omitted. E.g.

    ('src', 'tcp', '49152', '65535'),
    ('dest', 'tcp', '22'),
    ('dest', 'tcp', '9010', '9012'),
    ('dest', 'udp', '9010', '9012')
    

  • **kwargs – Optional keyword args.

Keyword Arguments:
  • name (str) – The name of the Network Service.

  • description (str) – Additional information on the Network Service.

Returns:

The updated Network Service resource record.

Return type:

Box

Examples

Update the name and description for a Network Service:

>>> zia.firewall.update_network_service('959093',
...    name='MS Exchange',
...    description='All ports related to the MS Exchange service.')

Updates the ports for a Network Service, leaving other fields intact:

>>> zia.firewall.update_network_service('959093',
...    ports=[
...        ('dest', 'tcp', '500', '510')])
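
Because update_network_service replaces the whole port list whenever ports is given, adding one port by hand means re-sending every existing port or losing them. The helpers below are an added example, not pyzscaler code: they read the existing ports back out of the record returned by get_network_service, merge in additions and removals, and hand the full list to update_network_service. The record field names src_tcp_ports, dest_tcp_ports, src_udp_ports and dest_udp_ports, each holding {'start', 'end'} ranges, are assumed to follow the snake_case convention of the keyword arguments on this page; they are not documented here. The sample record is constructed.

```python
# Record fields holding port ranges; the snake_case names are assumed to mirror the API's
# srcTcpPorts/destTcpPorts/srcUdpPorts/destUdpPorts and are not documented on this page.
_RECORD_FIELDS = {
    "src_tcp_ports": ("src", "tcp"),
    "dest_tcp_ports": ("dest", "tcp"),
    "src_udp_ports": ("src", "udp"),
    "dest_udp_ports": ("dest", "udp"),
}

# Constructed sample of what get_network_service() is assumed to return for the service above.
SAMPLE_SERVICE = {
    "id": 959093,
    "name": "MS Exchange",
    "dest_tcp_ports": [{"start": 389, "end": 389}, {"start": 3268, "end": 3269}],
    "dest_udp_ports": [{"start": 389, "end": 389}],
}


def record_to_ports(record):
    """Turn a Network Service record back into (direction, protocol, start[, end]) string tuples."""
    ports = []
    for field, (direction, protocol) in _RECORD_FIELDS.items():
        for rng in record.get(field) or []:
            start, end = str(rng["start"]), str(rng["end"])
            if start == end:
                ports.append((direction, protocol, start))
            else:
                ports.append((direction, protocol, start, end))
    return ports


def merged_ports(record, additions, removals=()):
    """Existing ports plus additions minus removals, de-duplicated, in tuple form.

    Use string ports in additions and removals, as in the page's examples, so they
    compare equal to the tuples rebuilt from the record.
    """
    wanted = [p for p in record_to_ports(record) if p not in removals]
    for p in additions:
        if p not in wanted:
            wanted.append(p)
    return wanted


def change_service_ports(zia, service_id, additions, removals=()):
    """Read-modify-write so the update keeps every port that is not explicitly removed."""
    current = zia.firewall.get_network_service(service_id)
    return zia.firewall.update_network_service(
        service_id, ports=merged_ports(current, additions, removals))


if __name__ == "__main__":
    # Add 500-510/tcp to the sample service without dropping 389, 636-style entries already there.
    print(merged_ports(SAMPLE_SERVICE, [("dest", "tcp", "500", "510")]))
```

Pair this with a diff of record_to_ports() before and after the call in your change log; the overwrite semantics mean the API response is the only record of what was removed.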
update_rule(rule_id, **kwargs)#

Updates an existing firewall filter rule.

Parameters:
  • rule_id (str) – The unique ID for the rule that is being updated.

  • **kwargs – Optional keyword args.

Keyword Arguments:
  • order (str) – The order of the rule, defaults to adding rule to bottom of list.

  • rank (str) – The admin rank of the rule.

  • state (str) – The rule state. Accepted values are ‘ENABLED’ or ‘DISABLED’.

  • description (str) – Additional information about the rule

  • src_ips (list) – The source IPs that this rule applies to. Individual IP addresses or CIDR ranges accepted.

  • dest_addresses (list) – The destination IP addresses that this rule applies to. Individual IP addresses or CIDR ranges accepted.

  • dest_ip_categories (list) – The IP address categories that this rule applies to.

  • dest_countries (list) – The destination countries that this rule applies to.

  • enable_full_logging (bool) – Enables full logging if True.

  • nw_applications (list) – The network service applications that this rule applies to.

  • app_services (list) – The IDs for the application services that this rule applies to.

  • app_service_groups (list) – The IDs for the application service groups that this rule applies to.

  • departments (list) – The IDs for the departments that this rule applies to.

  • dest_ip_groups (list) – The IDs for the destination IP groups that this rule applies to.

  • groups (list) – The IDs for the groups that this rule applies to.

  • labels (list) – The IDs for the labels that this rule applies to.

  • locations (list) – The IDs for the locations that this rule applies to.

  • location_groups (list) – The IDs for the location groups that this rule applies to.

  • nw_application_groups (list) – The IDs for the network application groups that this rule applies to.

  • nw_services (list) – The IDs for the network services that this rule applies to.

  • nw_service_groups (list) – The IDs for the network service groups that this rule applies to.

  • time_windows (list) – The IDs for the time windows that this rule applies to.

  • users (list) – The IDs for the users that this rule applies to.

Returns:

The updated firewall filter rule resource record.

Return type:

Box

Examples

Update the destination IP addresses for a rule:

>>> zia.firewall.update_rule('976598',
...    dest_addresses=['1.1.1.1'],
...    description="TT#1965232865")

Update a rule to enable full logging:

>>> zia.firewall.update_rule('976597',
...    enable_full_logging=True,
...    description="TT#1965232866")