Policy Quick Analysis
This endpoint finds the set of policies that match a hypothetical flow against the analyzed or enforced policies in a root scope. For more details, refer to Quick Analysis.
This API is only available to users with at least read access to the root scope, and it requires the app_policy_management capability to be associated with the API key.
POST /openapi/v1/policies/{rootScopeID}/quick_analysis
The request body is a JSON object with the following schema:

| Name | Type | Description |
|---|---|---|
| consumer_ip | string | IP address of the client / consumer. |
| provider_ip | string | IP address of the server / provider. |
| provider_port | integer | (optional) Provider port, only relevant for TCP or UDP flows. |
| protocol | string | Protocol of the flow, e.g. TCP. |
| analysis_type | string | Either `analyzed` or `enforced`. With `analyzed`, the flow decision is made by matching the flow against all analyzed policies in the root scope; with `enforced`, against all enforced policies in the root scope. |
| application_id | string | (optional) The ID of the primary workspace, always accompanied by the workspace's 'v' version. If specified, the flow decision uses the policies from that version together with the analyzed/enforced policies of the other workspaces in the root scope. If omitted, the flow decision considers all analyzed/enforced policies in the root scope. |
| version | integer | (optional) The 'v' version of the workspace named in application_id. Must be specified when application_id is specified and must be omitted otherwise. |
Sample request
The body of the request is a JSON-formatted query.
An example of a query body where the flow decision is based on all analyzed policies:

```python
import json
from tetpyclient import RestClient  # the Python client that provides `restclient` below

# Client setup is not part of this page; endpoint, credentials file and root scope ID are placeholders.
restclient = RestClient("https://<cluster-endpoint>", credentials_file="credentials.json")
root_scope_id = "<rootScopeID>"

req_payload = {
    "consumer_ip": "4.4.1.1",
    "provider_ip": "4.4.2.1",
    "provider_port": 9081,
    "protocol": "TCP",
    "analysis_type": "analyzed"
}
resp = restclient.post(f'/openapi/v1/policies/{root_scope_id}/quick_analysis', json_body=json.dumps(req_payload))
```
An example of a query body where the flow decision is based on the policies from the workspace's 'v' version together with the analyzed policies of all other workspaces in the root scope:

```python
import json

# restclient and root_scope_id are set up as for the first request above.
req_payload = {
    "consumer_ip": "4.4.1.1",
    "provider_ip": "4.4.2.1",
    "provider_port": 9081,
    "protocol": "TCP",
    "analysis_type": "analyzed",
    "application_id": "5e7e5f56497d4f0bc26c7bb3",  # primary workspace ID
    "version": 1                                    # its 'v' version; required with application_id
}
resp = restclient.post(f'/openapi/v1/policies/{root_scope_id}/quick_analysis', json_body=json.dumps(req_payload))
```
Sample response
The response body is a JSON object with the following properties:

| Keys | Values |
|---|---|
| policy_decision | Whether the hypothetical flow is allowed or denied. |
| outbound_policy | The policy on the consumer that allows or denies the outgoing traffic. |
| inbound_policy | The policy on the provider that allows or denies the incoming traffic. |
```json
{
    "policy_decision": "ALLOW",
    "outbound_policy": {
        "policy_rank": "DEFAULT",
        "start_port": 9082,
        "l4_detail_id": "5e7e600f497d4f7341f4f6d0",
        "src_filter_id": "5e7e600e497d4f7341f4f459",
        "end_port": 9082,
        "cluster_edge_id": "5e7e600f497d4f7341f4f6d1",
        "dst_filter_id": "5e7d0efc497d4f44b6b09351",
        "action": "ALLOW",
        "protocol": "TCP",
        "app_scope_id": "5e7e5f3a497d4f0bc26c7bb0"
    },
    "inbound_policy": {
        "policy_rank": "DEFAULT",
        "start_port": 9082,
        "l4_detail_id": "5e7e600f497d4f7341f4f6d0",
        "src_filter_id": "5e7e600e497d4f7341f4f459",
        "end_port": 9082,
        "cluster_edge_id": "5e7e600f497d4f7341f4f6d1",
        "dst_filter_id": "5e7d0efc497d4f44b6b09351",
        "action": "ALLOW",
        "protocol": "TCP",
        "app_scope_id": "5e7e5f3a497d4f0bc26c7bb0"
    }
}
```
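As an added example (not code from this documentation or its client library), the following Python builds request bodies that respect the field rules in the schema table, reduces a response to the decision plus the side (consumer or provider) whose policy denies, and runs a list of expected flow decisions through the endpoint to flag policies that decide differently than intended, for instance before switching a workspace from analyzed to enforced. The endpoint is reached through a caller-supplied `post` function; a constructed stub stands in for it here, the root scope ID is a placeholder, and the IPs and expectations are constructed sample data.

```python
def build_quick_analysis_body(consumer_ip, provider_ip, protocol, analysis_type,
                              provider_port=None, application_id=None, version=None):
    """Build a request body, enforcing the field rules in the schema table."""
    if analysis_type not in ("analyzed", "enforced"):
        raise ValueError("analysis_type must be 'analyzed' or 'enforced'")
    if (application_id is None) != (version is None):
        raise ValueError("application_id and version must be given together")
    body = {"consumer_ip": consumer_ip, "provider_ip": provider_ip,
            "protocol": protocol, "analysis_type": analysis_type}
    if provider_port is not None:  # only meaningful for TCP or UDP flows
        body["provider_port"] = provider_port
    if application_id is not None:
        body["application_id"], body["version"] = application_id, version
    return body

def summarize_decision(resp):
    """Return (policy_decision, list of policy sides whose action is DENY)."""
    denying = [side for side in ("outbound_policy", "inbound_policy")
               if (resp.get(side) or {}).get("action") == "DENY"]
    return resp["policy_decision"], denying

def check_expected_flows(post, root_scope_id, expectations):
    """Query each (flow, expected decision) pair; post(path, body) -> dict is caller-supplied."""
    path = f"/openapi/v1/policies/{root_scope_id}/quick_analysis"
    mismatches = []
    for flow, expected in expectations:
        decision, denying = summarize_decision(post(path, build_quick_analysis_body(**flow)))
        if decision != expected:
            mismatches.append({"flow": flow, "expected": expected,
                               "got": decision, "denied_by": denying})
    return mismatches

# Constructed stand-in for the endpoint (not real policy data): the provider side
# admits only TCP/9081 from 4.4.1.1; the consumer side allows all outbound traffic.
def stub_post(_path, body):
    allowed = body["protocol"] == "TCP" and body.get("provider_port") == 9081 and body["consumer_ip"] == "4.4.1.1"
    inbound = {"policy_rank": "DEFAULT", "protocol": body["protocol"],
               "action": "ALLOW" if allowed else "DENY"}
    return {"policy_decision": inbound["action"], "inbound_policy": inbound,
            "outbound_policy": dict(inbound, action="ALLOW")}

# Constructed expectations; the UDP one is wrong on purpose so a mismatch is reported.
EXPECTED_FLOWS = [
    ({"consumer_ip": "4.4.1.1", "provider_ip": "4.4.2.1", "protocol": "TCP",
      "analysis_type": "enforced", "provider_port": 9081}, "ALLOW"),
    ({"consumer_ip": "4.4.3.9", "provider_ip": "4.4.2.1", "protocol": "TCP",
      "analysis_type": "enforced", "provider_port": 22}, "DENY"),
    ({"consumer_ip": "4.4.1.1", "provider_ip": "4.4.2.1", "protocol": "UDP",
      "analysis_type": "enforced", "provider_port": 9081}, "ALLOW"),
]
```

Against the real endpoint, pass `post=lambda path, body: restclient.post(path, json_body=json.dumps(body)).json()` with the `restclient` from the sample requests (assuming, as with other `tetpyclient` calls, that it returns a `requests` Response) and call `check_expected_flows(post, "<rootScopeID>", EXPECTED_FLOWS)`; every entry in the returned list is a flow the current policy set decides differently than intended.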