Skip to content
API Enriched

Suggest API endpoint protection rule.

Deprecated
POST
/api/config/namespaces/{namespace}/http_loadbalancers/{name}/api_endpoint_protection/suggestion
curl --request POST \
  --url https://example-corp.console.ves.volterra.io/api/v1/api/production/us-east-1/namespaces/default/api/config/namespaces/example/http_loadbalancers/example/api_endpoint_protection/suggestion \
  --header 'Authorization: <Authorization>' \
  --header 'Content-Type: application/json' \
  --data '{ "method": "ANY", "name": "example", "namespace": "example", "path": "example" }'

Suggest API endpoint protection rule for a given path DEPRECATED. Use api_sec.rule_suggestion.rulesuggestionapi.getsuggestedapiendpointprotectionrule.

Examples of this operation.

Authorizations

Section titled “Authorizations”

Parameters

Section titled “Parameters”

Path Parameters

Section titled “Path Parameters”
namespace
required
string

Namespace Namespace of the App type for current request.

name
required
string

Name HTTP load balancer for which this API endpoint protection rule applied.

Request Bodyrequired

Section titled “Request Bodyrequired”
Media typeapplication/json
GetSuggestedAPIEndpointProtectionRuleReq

GET suggested API endpoint protection rule for a given path.

object
method
string
default: ANY
Allowed values: ANY GET HEAD POST PUT DELETE CONNECT OPTIONS TRACE PATCH COPY
name
Name

HTTP load balancer for which this API endpoint protection rule applied.

string
>= 6 characters <= 1024 characters
namespace
Namespace

Namespace of the App type for current request.

string
>= 6 characters <= 1024 characters
path
Path

Path to apply the API endpoint protection to Required: YES.

string
<= 1024 characters

Responses

Section titled “Responses”

200

Section titled “200”

A successful response.

Media typeapplication/json
GetSuggestedAPIEndpointProtectionRuleRsp

GET suggested API endpoint protection rule for a given path.

object
found_existing_rule
object
rule
object
action
object
allow
object
deny
object
any_domain
object
api_endpoint_method
object
invert_matcher
invert_matcher

Invert the match result.

boolean format: boolean
methods
methods

List of methods values to match against.

Array<string>
<= 16 items
Allowed values: ANY GET HEAD POST PUT DELETE CONNECT OPTIONS TRACE PATCH COPY
api_endpoint_path
api endpoint path

The endpoint (path) of the request. Required: YES.

string
<= 1024 characters
client_matcher
object
any_client
object
any_ip
object
asn_list
object
as_numbers
as numbers

An unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer. Required: YES.

Array<integer>
>= 1 items <= 16 items
asn_matcher
object
asn_sets
asn_sets

A list of references to bgp_asn_set objects.

Required: YES.

Array<object>
<= 4 items
ObjectRefType

This type establishes a ‘direct reference’ from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name for public API and Uid for private API This type of reference is called direct because the relation is explicit and concrete (as opposed to selector reference which builds a group based on labels of selectee objects)

object
kind
kind

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)

string
>= 12 characters <= 1024 characters
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.

string
>= 6 characters <= 1024 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 1024 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 1024 characters
uid
uid

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.

string format: uuid
>= 36 characters <= 1024 characters
client_selector
object
expressions
expressions

Expressions contains the Kubernetes style label expression for selections. Required: YES.

Array<string>
<= 1 items
ip_matcher
object
invert_matcher
invert_matcher

Invert the match result.

boolean format: boolean
prefix_sets
prefix_sets

A list of references to ip_prefix_set objects.

Required: YES.

Array<object>
<= 4 items
ObjectRefType

This type establishes a ‘direct reference’ from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name for public API and Uid for private API This type of reference is called direct because the relation is explicit and concrete (as opposed to selector reference which builds a group based on labels of selectee objects)

object
kind
kind

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)

string
>= 12 characters <= 1024 characters
name
name

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.

string
>= 6 characters <= 1024 characters
namespace
namespace

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.

string
>= 6 characters <= 1024 characters
tenant
tenant

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.

string
>= 6 characters <= 1024 characters
uid
uid

When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.

string format: uuid
>= 36 characters <= 1024 characters
ip_prefix_list
object
invert_match
invert_matcher

Invert the match result.

boolean format: boolean
ip_prefixes
ip prefixes

List of IPv4 prefix strings.

Array<string>
<= 128 items
ip_threat_category_list
object
ip_threat_categories
IP Threat Categories

The IP threat categories is obtained from the list and is used to auto-generate equivalent label selection expressions

Required: YES.

Array<string>
<= 32 items
Allowed values: SPAM_SOURCES WINDOWS_EXPLOITS WEB_ATTACKS BOTNETS SCANNERS REPUTATION PHISHING PROXY MOBILE_THREATS TOR_PROXY DENIAL_OF_SERVICE NETWORK
tls_fingerprint_matcher
object
classes
classes

A list of known classes of TLS fingerprints to match the input TLS JA3 fingerprint against.

Array<string>
<= 16 items
Allowed values: TLS_FINGERPRINT_NONE ANY_MALICIOUS_FINGERPRINT ADWARE ADWIND DRIDEX GOOTKIT GOZI JBIFROST QUAKBOT RANSOMWARE TROLDESH TOFSEE TORRENTLOCKER TRICKBOT
exact_values
exact values

A list of exact TLS JA3 fingerprints to match the input TLS JA3 fingerprint against.

Array<string>
<= 16 items
excluded_values
excluded values

A list of TLS JA3 fingerprints to be excluded when matching the input TLS JA3 fingerprint. This can be used to skip known false positives when using one or more known TLS fingerprint classes in the enclosing matcher.

Array<string>
<= 32 items
metadata
object
description
description

Human readable description.

string
>= 21 characters <= 256 characters
name
name

This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.

string
>= 1 characters <= 1024 characters
request_matcher
object
cookie_matchers
cookie matchers

A list of predicates for all cookies that need to be matched. The criteria for matching each cookie is described in individual instances of CookieMatcherType. The actual cookie values are extracted from the request API as a list of strings for each cookie name. Note that all specified cookie matcher predicates must evaluate to true.

Array<object>
<= 16 items
CookieMatcherType

A cookie matcher specifies the name of a single cookie and the criteria to match it. The input has a list of values for each cookie in the request. A cookie matcher can check for one of the following:

  • Presence or absence of the cookie
  • At least one of the values for the cookie in the request satisfies the MatcherType item.
object
check_not_present
object
check_present
object
invert_matcher
invert_matcher

Invert Match of the expression defined.

boolean format: boolean
item
object
exact_values
exact values

A list of exact values to match the input against.

Array<string>
<= 64 items
regex_values
regex values

A list of regular expressions to match the input against.

Array<string>
<= 16 items
transformers
transformers

An ordered list of transformers (starting from index 0) to be applied to the path before matching.

Array<string>
<= 9 items
Allowed values: LOWER_CASE UPPER_CASE BASE64_DECODE NORMALIZE_PATH REMOVE_WHITESPACE URL_DECODE TRIM_LEFT TRIM_RIGHT TRIM
name
name

A case-sensitive cookie name. Required: YES.

string
>= 6 characters <= 256 characters
headers
headers

A list of predicates for various HTTP headers that need to match. The criteria for matching each HTTP header are described in individual HeaderMatcherType instances. The actual HTTP header values are extracted from the request API as a list of strings for each HTTP header type. Note that all specified header predicates must evaluate to true.

Array<object>
<= 16 items
HeaderMatcherType

A header matcher specifies the name of a single HTTP header and the criteria for the input request to match it. The input has a list of actual values for each header name in the original HTTP request. A header matcher can check for one of the following:

  • Presence or absence of the header in the input
  • At least one of the values for the header in the input satisfies the MatcherType item.
object
check_not_present
object
check_present
object
invert_matcher
invert_matcher

Invert the match result.

boolean format: boolean
item
object
exact_values
exact values

A list of exact values to match the input against.

Array<string>
<= 64 items
regex_values
regex values

A list of regular expressions to match the input against.

Array<string>
<= 16 items
transformers
transformers

An ordered list of transformers (starting from index 0) to be applied to the path before matching.

Array<string>
<= 9 items
Allowed values: LOWER_CASE UPPER_CASE BASE64_DECODE NORMALIZE_PATH REMOVE_WHITESPACE URL_DECODE TRIM_LEFT TRIM_RIGHT TRIM
name
name

A case-insensitive HTTP header name. Required: YES.

string
>= 6 characters <= 256 characters
jwt_claims
JWT claims

A list of predicates for various JWT claims that need to match. The criteria for matching each JWT claim are described in individual JWTClaimMatcherType instances. The actual JWT claims values are extracted from the JWT payload as a list of strings. Note that all specified JWT claim predicates must evaluate to true. Note that this feature only works on LBs with JWT Validation feature enabled.

Array<object>
<= 16 items
JWTClaimMatcherType

A JWT claim matcher specifies the name of a single JWT claim and the criteria for the input request to match it. The input has a list of actual values for each JWT claim name in the JWT payload. A JWT claim matcher can check for one of the following:

  • Presence or absence of the JWT Claim in the input
  • At least one of the values for the JWT Claim in the input satisfies the MatcherType item.
object
check_not_present
object
check_present
object
invert_matcher
invert_matcher

Invert the match result.

boolean format: boolean
item
object
exact_values
exact values

A list of exact values to match the input against.

Array<string>
<= 64 items
regex_values
regex values

A list of regular expressions to match the input against.

Array<string>
<= 16 items
transformers
transformers

An ordered list of transformers (starting from index 0) to be applied to the path before matching.

Array<string>
<= 9 items
Allowed values: LOWER_CASE UPPER_CASE BASE64_DECODE NORMALIZE_PATH REMOVE_WHITESPACE URL_DECODE TRIM_LEFT TRIM_RIGHT TRIM
name
name

JWT claim name. Required: YES.

string
>= 6 characters <= 256 characters
query_params
query params

A list of predicates for all query parameters that need to be matched. The criteria for matching each query parameter are described in individual instances of QueryParameterMatcherType. The actual query parameter values are extracted from the request API as a list of strings for each query parameter name. Note that all specified query parameter predicates must evaluate to true.

Array<object>
<= 16 items
QueryParameterMatcherType

A query parameter matcher specifies the name of a single query parameter and the criteria for the input request to match it. The input has a list of actual values for each query parameter name in the original HTTP request. A query parameter matcher can check for one of the following:

  • Presence or absence of the query parameter in the input
  • At least one of the values for the query parameter in the input satisfies the MatcherType item.
object
check_not_present
object
check_present
object
invert_matcher
invert_matcher

Invert the match result.

boolean format: boolean
item
object
exact_values
exact values

A list of exact values to match the input against.

Array<string>
<= 64 items
regex_values
regex values

A list of regular expressions to match the input against.

Array<string>
<= 16 items
transformers
transformers

An ordered list of transformers (starting from index 0) to be applied to the path before matching.

Array<string>
<= 9 items
Allowed values: LOWER_CASE UPPER_CASE BASE64_DECODE NORMALIZE_PATH REMOVE_WHITESPACE URL_DECODE TRIM_LEFT TRIM_RIGHT TRIM
key
key

A case-sensitive HTTP query parameter name. Required: YES.

string
>= 7 characters <= 256 characters
specific_domain
domain

Exclusive with [any_domain] The rule will apply for a specific domain. For example: api.example.com.

string
<= 128 characters
Example
{
  "rule": {
    "api_endpoint_method": {
      "methods": [
        "ANY"
      ]
    },
    "client_matcher": {
      "ip_threat_category_list": {
        "ip_threat_categories": [
          "SPAM_SOURCES"
        ]
      },
      "tls_fingerprint_matcher": {
        "classes": [
          "TLS_FINGERPRINT_NONE"
        ]
      }
    },
    "request_matcher": {
      "cookie_matchers": [
        {
          "item": {
            "transformers": [
              "LOWER_CASE"
            ]
          }
        }
      ],
      "headers": [
        {
          "item": {
            "transformers": [
              "LOWER_CASE"
            ]
          }
        }
      ],
      "jwt_claims": [
        {
          "item": {
            "transformers": [
              "LOWER_CASE"
            ]
          }
        }
      ],
      "query_params": [
        {
          "item": {
            "transformers": [
              "LOWER_CASE"
            ]
          }
        }
      ]
    }
  }
}

401

Section titled “401”

Returned when operation is not authorized.

Media typeapplication/json
string format: string
Examplegenerated
example

403

Section titled “403”

Returned when there is no permission to access resource.

Media typeapplication/json
string format: string
Examplegenerated
example

404

Section titled “404”

Returned when resource is not found.

Media typeapplication/json
string format: string
Examplegenerated
example

409

Section titled “409”

Returned when operation on resource is conflicting with current value.

Media typeapplication/json
string format: string
Examplegenerated
example

429

Section titled “429”

Returned when operation has been rejected as it is happening too frequently.

Media typeapplication/json
string format: string
Examplegenerated
example

500

Section titled “500”

Returned when server encountered an error in processing API.

Media typeapplication/json
string format: string
Examplegenerated
example

503

Section titled “503”

Returned when service is unavailable temporarily.

Media typeapplication/json
string format: string
Examplegenerated
example

504

Section titled “504”

Returned when server timed out processing request.

Media typeapplication/json
string format: string
Examplegenerated
example