Replace Service Policy.
const url = 'https://example-corp.console.ves.volterra.io/api/v1/api/production/us-east-1/namespaces/default/api/config/namespaces/example/service_policys/example';const options = { method: 'PUT', headers: {Authorization: '<Authorization>', 'Content-Type': 'application/json'}, body: '{"metadata":{"annotations":{},"description":"example","disable":true,"labels":{},"name":"example","namespace":"example"},"spec":{"allow_all_requests":{},"allow_list":{"asn_list":{"as_numbers":[1]},"asn_set":[{"name":"example","namespace":"example"}],"country_list":["COUNTRY_NONE"],"default_action_allow":{},"default_action_deny":{},"default_action_next_policy":{},"ip_prefix_set":[{"name":"example","namespace":"example"}],"prefix_list":{"prefixes":["example"]},"tls_fingerprint_classes":["TLS_FINGERPRINT_NONE"],"tls_fingerprint_values":["example"]},"any_server":{},"deny_all_requests":{},"deny_list":{"asn_list":{"as_numbers":[1]},"asn_set":[{"name":"example","namespace":"example"}],"country_list":["COUNTRY_NONE"],"default_action_allow":{},"default_action_deny":{},"default_action_next_policy":{},"ip_prefix_set":[{"name":"example","namespace":"example"}],"prefix_list":{"prefixes":["example"]},"tls_fingerprint_classes":["TLS_FINGERPRINT_NONE"],"tls_fingerprint_values":["example"]},"legacy_rule_list":{"rules":[{"name":"example","namespace":"example"}]},"rule_list":{"rules":[{"metadata":{"description":"example","name":"example"},"spec":{"action":"DENY","any_asn":{},"any_client":{},"any_ip":{},"api_group_matcher":{"invert_matcher":true,"match":["example"]},"arg_matchers":[{"check_not_present":{},"check_present":{},"invert_matcher":true,"item":{"exact_values":["example"],"regex_values":["example"],"transformers":["LOWER_CASE"]},"name":"example"}],"asn_list":{"as_numbers":[1]},"asn_matcher":{"asn_sets":[{"name":"example","namespace":"example"}]},"body_matcher":{"exact_values":["example"],"regex_values":["example"],"transformers":["LOWER_CASE"]},"bot_action":{"bot_skip_processing":{},"none":{}},"client_name":"example","client_name_matcher":{"exact_values":["example"],"regex_values":["example"],"transformers":["LOWER_CASE"]},"client_selector":{"expressions":["example"]},"cookie_matchers":[{"check_not_present":{},"check_present":{},"invert_matcher":true,"item":{"exact_values":["example"],"regex_values":["example"],"transformers":["LOWER_CASE"]},"name":"example"}],"domain_matcher":{"exact_values":["example"],"regex_values":["example"],"transformers":["LOWER_CASE"]},"expiration_timestamp":"2026-04-15T12:00:00Z","headers":[{"check_not_present":{},"check_present":{},"invert_matcher":true,"item":{"exact_values":["example"],"regex_values":["example"],"transformers":["LOWER_CASE"]},"name":"example"}],"http_method":{"invert_matcher":true,"methods":["ANY"]},"ip_matcher":{"invert_matcher":true,"prefix_sets":[{"name":"example","namespace":"example"}]},"ip_prefix_list":{"invert_match":true,"ip_prefixes":["example"]},"ip_threat_category_list":{"ip_threat_categories":["SPAM_SOURCES"]},"ja4_tls_fingerprint":{"exact_values":["example"]},"jwt_claims":[{"check_not_present":{},"check_present":{},"invert_matcher":true,"item":{"exact_values":["example"],"regex_values":["example"],"transformers":["LOWER_CASE"]},"name":"example"}],"label_matcher":{"keys":["example"]},"mum_action":{"default":{},"skip_processing":{}},"path":{"exact_values":["example"],"invert_matcher":true,"prefix_values":["example"],"regex_values":["example"],"suffix_values":["example"],"transformers":["LOWER_CASE"]},"port_matcher":null,"query_params":[{"check_not_present":{},"check_present":{},"invert_matcher":true,"item":{"exact_values":["example"],"regex_values":["example"],"transformers":["LOWER_CASE"]},"key":"example"}],"request_constraints":{"max_cookie_count_exceeds":1,"max_cookie_count_none":{},"max_cookie_key_size_exceeds":1,"max_cookie_key_size_none":{},"max_cookie_value_size_exceeds":1,"max_cookie_value_size_none":{},"max_header_count_exceeds":1,"max_header_count_none":{},"max_header_key_size_exceeds":1,"max_header_key_size_none":{},"max_header_value_size_exceeds":1,"max_header_value_size_none":{},"max_parameter_count_exceeds":1,"max_parameter_count_none":{},"max_parameter_name_size_exceeds":1,"max_parameter_name_size_none":{},"max_parameter_value_size_exceeds":1,"max_parameter_value_size_none":{},"max_query_size_exceeds":1,"max_query_size_none":{},"max_request_line_size_exceeds":1,"max_request_line_size_none":{},"max_request_size_exceeds":1,"max_request_size_none":{},"max_url_size_exceeds":1,"max_url_size_none":{}},"segment_policy":{"dst_any":{},"dst_segments":{"segments":[{"name":"example","namespace":"example"}]},"intra_segment":{},"src_any":{},"src_segments":{"segments":[{"name":"example","namespace":"example"}]}},"tls_fingerprint_matcher":{"classes":["TLS_FINGERPRINT_NONE"],"exact_values":["example"],"excluded_values":["example"]},"user_identity_matcher":{"exact_values":["example"],"regex_values":["example"]},"waf_action":{"app_firewall_detection_control":{"exclude_attack_type_contexts":[{"context":"CONTEXT_ANY","context_name":"example","exclude_attack_type":"ATTACK_TYPE_NONE"}],"exclude_bot_name_contexts":[{"bot_name":"example"}],"exclude_signature_contexts":[{"context":"CONTEXT_ANY","context_name":"example","signature_id":1}],"exclude_violation_contexts":[{"context":"CONTEXT_ANY","context_name":"example","exclude_violation":"VIOL_NONE"}]},"none":{},"waf_skip_processing":{}}}}]},"server_name":"example","server_name_matcher":{"exact_values":["example"],"regex_values":["example"]},"server_selector":{"expressions":["example"]}}}'};
try { const response = await fetch(url, options); const data = await response.json(); console.log(data);} catch (error) { console.error(error);}curl --request PUT \ --url https://example-corp.console.ves.volterra.io/api/v1/api/production/us-east-1/namespaces/default/api/config/namespaces/example/service_policys/example \ --header 'Authorization: <Authorization>' \ --header 'Content-Type: application/json' \ --data '{ "metadata": { "annotations": {}, "description": "example", "disable": true, "labels": {}, "name": "example", "namespace": "example" }, "spec": { "allow_all_requests": {}, "allow_list": { "asn_list": { "as_numbers": [ 1 ] }, "asn_set": [ { "name": "example", "namespace": "example" } ], "country_list": [ "COUNTRY_NONE" ], "default_action_allow": {}, "default_action_deny": {}, "default_action_next_policy": {}, "ip_prefix_set": [ { "name": "example", "namespace": "example" } ], "prefix_list": { "prefixes": [ "example" ] }, "tls_fingerprint_classes": [ "TLS_FINGERPRINT_NONE" ], "tls_fingerprint_values": [ "example" ] }, "any_server": {}, "deny_all_requests": {}, "deny_list": { "asn_list": { "as_numbers": [ 1 ] }, "asn_set": [ { "name": "example", "namespace": "example" } ], "country_list": [ "COUNTRY_NONE" ], "default_action_allow": {}, "default_action_deny": {}, "default_action_next_policy": {}, "ip_prefix_set": [ { "name": "example", "namespace": "example" } ], "prefix_list": { "prefixes": [ "example" ] }, "tls_fingerprint_classes": [ "TLS_FINGERPRINT_NONE" ], "tls_fingerprint_values": [ "example" ] }, "legacy_rule_list": { "rules": [ { "name": "example", "namespace": "example" } ] }, "rule_list": { "rules": [ { "metadata": { "description": "example", "name": "example" }, "spec": { "action": "DENY", "any_asn": {}, "any_client": {}, "any_ip": {}, "api_group_matcher": { "invert_matcher": true, "match": [ "example" ] }, "arg_matchers": [ { "check_not_present": {}, "check_present": {}, "invert_matcher": true, "item": { "exact_values": [ "example" ], "regex_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "name": "example" } ], "asn_list": { "as_numbers": [ 1 ] }, "asn_matcher": { "asn_sets": [ { "name": "example", "namespace": "example" } ] }, "body_matcher": { "exact_values": [ "example" ], "regex_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "bot_action": { "bot_skip_processing": {}, "none": {} }, "client_name": "example", "client_name_matcher": { "exact_values": [ "example" ], "regex_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "client_selector": { "expressions": [ "example" ] }, "cookie_matchers": [ { "check_not_present": {}, "check_present": {}, "invert_matcher": true, "item": { "exact_values": [ "example" ], "regex_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "name": "example" } ], "domain_matcher": { "exact_values": [ "example" ], "regex_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "expiration_timestamp": "2026-04-15T12:00:00Z", "headers": [ { "check_not_present": {}, "check_present": {}, "invert_matcher": true, "item": { "exact_values": [ "example" ], "regex_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "name": "example" } ], "http_method": { "invert_matcher": true, "methods": [ "ANY" ] }, "ip_matcher": { "invert_matcher": true, "prefix_sets": [ { "name": "example", "namespace": "example" } ] }, "ip_prefix_list": { "invert_match": true, "ip_prefixes": [ "example" ] }, "ip_threat_category_list": { "ip_threat_categories": [ "SPAM_SOURCES" ] }, "ja4_tls_fingerprint": { "exact_values": [ "example" ] }, "jwt_claims": [ { "check_not_present": {}, "check_present": {}, "invert_matcher": true, "item": { "exact_values": [ "example" ], "regex_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "name": "example" } ], "label_matcher": { "keys": [ "example" ] }, "mum_action": { "default": {}, "skip_processing": {} }, "path": { "exact_values": [ "example" ], "invert_matcher": true, "prefix_values": [ "example" ], "regex_values": [ "example" ], "suffix_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "port_matcher": null, "query_params": [ { "check_not_present": {}, "check_present": {}, "invert_matcher": true, "item": { "exact_values": [ "example" ], "regex_values": [ "example" ], "transformers": [ "LOWER_CASE" ] }, "key": "example" } ], "request_constraints": { "max_cookie_count_exceeds": 1, "max_cookie_count_none": {}, "max_cookie_key_size_exceeds": 1, "max_cookie_key_size_none": {}, "max_cookie_value_size_exceeds": 1, "max_cookie_value_size_none": {}, "max_header_count_exceeds": 1, "max_header_count_none": {}, "max_header_key_size_exceeds": 1, "max_header_key_size_none": {}, "max_header_value_size_exceeds": 1, "max_header_value_size_none": {}, "max_parameter_count_exceeds": 1, "max_parameter_count_none": {}, "max_parameter_name_size_exceeds": 1, "max_parameter_name_size_none": {}, "max_parameter_value_size_exceeds": 1, "max_parameter_value_size_none": {}, "max_query_size_exceeds": 1, "max_query_size_none": {}, "max_request_line_size_exceeds": 1, "max_request_line_size_none": {}, "max_request_size_exceeds": 1, "max_request_size_none": {}, "max_url_size_exceeds": 1, "max_url_size_none": {} }, "segment_policy": { "dst_any": {}, "dst_segments": { "segments": [ { "name": "example", "namespace": "example" } ] }, "intra_segment": {}, "src_any": {}, "src_segments": { "segments": [ { "name": "example", "namespace": "example" } ] } }, "tls_fingerprint_matcher": { "classes": [ "TLS_FINGERPRINT_NONE" ], "exact_values": [ "example" ], "excluded_values": [ "example" ] }, "user_identity_matcher": { "exact_values": [ "example" ], "regex_values": [ "example" ] }, "waf_action": { "app_firewall_detection_control": { "exclude_attack_type_contexts": [ { "context": "CONTEXT_ANY", "context_name": "example", "exclude_attack_type": "ATTACK_TYPE_NONE" } ], "exclude_bot_name_contexts": [ { "bot_name": "example" } ], "exclude_signature_contexts": [ { "context": "CONTEXT_ANY", "context_name": "example", "signature_id": 1 } ], "exclude_violation_contexts": [ { "context": "CONTEXT_ANY", "context_name": "example", "exclude_violation": "VIOL_NONE" } ] }, "none": {}, "waf_skip_processing": {} } } } ] }, "server_name": "example", "server_name_matcher": { "exact_values": [ "example" ], "regex_values": [ "example" ] }, "server_selector": { "expressions": [ "example" ] } } }'Replace service_policy replaces an existing object in the storage backend for metadata.namespace.
Authorizations
Section titled “Authorizations”Parameters
Section titled “Parameters”Path Parameters
Section titled “Path Parameters”Namespace This defines the workspace within which each the configuration object is to be created. Must be a DNS_LABEL format. For a namespace object itself, namespace value will be ""
Name The configuration object to be replaced will be looked up by name.
Request Bodyrequired
Section titled “Request Bodyrequired”This is the input message of the ‘Replace’ RPC.
object
object
Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects.
object
Human readable description for the object.
A value of true will administratively disable the object.
Map of string keys and values that can be used to organize and categorize (scope and select) objects as chosen by the user. Values specified here will be used by selector expression.
object
This is the name of configuration object. It has to be unique within the namespace. It can only be specified during create API and cannot be changed during replace API. The value of name has to follow DNS-1035 format. Required: YES.
This defines the workspace within which each the configuration object is to be created. Must be a DNS_LABEL format. For a namespace object itself, namespace value will be ""
object
object
object
object
An unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer. Required: YES.
Addresses that belong to the ASNs in the given bgp_asn_set The ASN is obtained by performing a lookup for the source IPv4 Address in a GeoIP DB.
This type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name.
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
Addresses that belong to one of the countries in the given list The country is obtained by performing a lookup for the source IPv4 Address in a GeoIP DB.
object
object
object
Addresses that are covered by the prefixes in the given ip_prefix_set.
This type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name.
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
List of IPv4 prefixes that represent an endpoint.
A list of known classes of TLS fingerprints to match the input TLS JA3 fingerprint against.
A list of exact TLS JA3 fingerprints to match the input TLS JA3 fingerprint against.
object
object
object
object
An unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer. Required: YES.
Addresses that belong to the ASNs in the given bgp_asn_set The ASN is obtained by performing a lookup for the source IPv4 Address in a GeoIP DB.
This type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name.
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
Addresses that belong to one of the countries in the given list The country is obtained by performing a lookup for the source IPv4 Address in a GeoIP DB.
object
object
object
Addresses that are covered by the prefixes in the given ip_prefix_set.
This type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name.
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
List of IPv4 prefixes that represent an endpoint.
A list of known classes of TLS fingerprints to match the input TLS JA3 fingerprint against.
A list of exact TLS JA3 fingerprints to match the input TLS JA3 fingerprint against.
object
A list of references to service_policy_rule objects. The order of evaluation of the rules depends on the rule combining algorithm.
This type establishes a ‘direct reference’ from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name for public API and Uid for private API This type of reference is called direct because the relation is explicit and concrete (as opposed to selector reference which builds a group based on labels of selectee objects)
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.
object
Define the list of rules (with an order) that should be evaluated by this service policy. Rules are evaluated from top to bottom in the list.
A Rule consists of an unordered list of predicates and an action. The predicates are evaluated against a set of input fields that are extracted from or derived from an L7 request API. A request API is considered to match the simple rule if all predicates in the rule evaluate to true for that request. Any predicates that are not specified in a rule are implicitly considered to be true. If a request API matches a simple rule, the action for the simple rule is enforced.
object
object
Human readable description.
This is the name of the message. The value of name has to follow DNS-1035 format. Required: YES.
object
object
object
object
object
Invert the match result.
A list of exact values to match the input against. Required: YES.
A list of predicates for all POST args that need to be matched. The criteria for matching each arg are described in individual instances of ArgMatcherType. The actual arg values are extracted from the request API as a list of strings for each arg selector name. Note that all specified arg matcher predicates must evaluate to true.
A argument matcher specifies the name of a single argument in the body and the criteria to match it. A argument matcher can check for one of the following:
- Presence or absence of the argument
- At least one of the values for the argument in the request satisfies the MatcherType item.
object
object
object
Invert Match of the expression defined.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-sensitive JSON path in the HTTP request body. Required: YES.
object
An unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer. Required: YES.
object
A list of references to bgp_asn_set objects.
Required: YES.
This type establishes a ‘direct reference’ from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name for public API and Uid for private API This type of reference is called direct because the relation is explicit and concrete (as opposed to selector reference which builds a group based on labels of selectee objects)
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
object
object
object
Exclusive with [any_client client_name_matcher client_selector ip_threat_category_list] The expected name of the client invoking the request API. The predicate evaluates to true if any of the actual names is the same as the expected client name.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
object
Expressions contains the Kubernetes style label expression for selections. Required: YES.
A list of predicates for all cookies that need to be matched. The criteria for matching each cookie is described in individual instances of CookieMatcherType. The actual cookie values are extracted from the request API as a list of strings for each cookie name. Note that all specified cookie matcher predicates must evaluate to true.
A cookie matcher specifies the name of a single cookie and the criteria to match it. The input has a list of values for each cookie in the request. A cookie matcher can check for one of the following:
- Presence or absence of the cookie
- At least one of the values for the cookie in the request satisfies the MatcherType item.
object
object
object
Invert Match of the expression defined.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-sensitive cookie name. Required: YES.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
The expiration_timestamp is the RFC 3339 format timestamp at which the containing rule is considered to be logically expired. The rule continues to exist in the configuration but is not applied anymore.
A list of predicates for various HTTP headers that need to match. The criteria for matching each HTTP header are described in individual HeaderMatcherType instances. The actual HTTP header values are extracted from the request API as a list of strings for each HTTP header type. Note that all specified header predicates must evaluate to true.
A header matcher specifies the name of a single HTTP header and the criteria for the input request to match it. The input has a list of actual values for each header name in the original HTTP request. A header matcher can check for one of the following:
- Presence or absence of the header in the input
- At least one of the values for the header in the input satisfies the MatcherType item.
object
object
object
Invert the match result.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-insensitive HTTP header name. Required: YES.
object
Invert the match result.
List of methods values to match against.
object
Invert the match result.
A list of references to ip_prefix_set objects.
Required: YES.
This type establishes a ‘direct reference’ from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name for public API and Uid for private API This type of reference is called direct because the relation is explicit and concrete (as opposed to selector reference which builds a group based on labels of selectee objects)
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. “route”)
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid.
object
Invert the match result.
List of IPv4 prefix strings.
object
The IP threat categories is obtained from the list and is used to auto-generate equivalent label selection expressions
Required: YES.
object
A list of exact JA4 TLS fingerprint to match the input JA4 TLS fingerprint against.
A list of predicates for various JWT claims that need to match. The criteria for matching each JWT claim are described in individual JWTClaimMatcherType instances. The actual JWT claims values are extracted from the JWT payload as a list of strings. Note that all specified JWT claim predicates must evaluate to true.
A JWT claim matcher specifies the name of a single JWT claim and the criteria for the input request to match it. The input has a list of actual values for each JWT claim name in the JWT payload. A JWT claim matcher can check for one of the following:
- Presence or absence of the JWT Claim in the input
- At least one of the values for the JWT Claim in the input satisfies the MatcherType item.
object
object
object
Invert the match result.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
JWT claim name. Required: YES.
object
The list of label key names that have to match.
object
object
object
object
A list of exact path values to match the input HTTP path against.
Invert the match result.
A list of path prefix values to match the input HTTP path against.
A list of regular expressions to match the input HTTP path against.
A list of path suffix values to match the input HTTP path against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
object
Invert the match result.
A list of strings, each of which is a single port value or a tuple of start and end port values separated by ”-”. The start and end values are considered to be part of the range. Required: YES.
A list of predicates for all query parameters that need to be matched. The criteria for matching each query parameter are described in individual instances of QueryParameterMatcherType. The actual query parameter values are extracted from the request API as a list of strings for each query parameter name. Note that all specified query parameter predicates must evaluate to true.
A query parameter matcher specifies the name of a single query parameter and the criteria for the input request to match it. The input has a list of actual values for each query parameter name in the original HTTP request. A query parameter matcher can check for one of the following:
- Presence or absence of the query parameter in the input
- At least one of the values for the query parameter in the input satisfies the MatcherType item.
object
object
object
Invert the match result.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
An ordered list of transformers (starting from index 0) to be applied to the path before matching.
A case-sensitive HTTP query parameter name. Required: YES.
object
Exclusive with [max_cookie_count_none]
object
Exclusive with [max_cookie_key_size_none]
object
Exclusive with [max_cookie_value_size_none]
object
Exclusive with [max_header_count_none]
object
Exclusive with [max_header_key_size_none]
object
Exclusive with [max_header_value_size_none]
object
Exclusive with [max_parameter_count_none]
object
Exclusive with [max_parameter_name_size_none]
object
Exclusive with [max_parameter_value_size_none]
object
Exclusive with [max_query_size_none]
object
Exclusive with [max_request_line_size_none]
object
Exclusive with [max_request_size_none]
object
Exclusive with [max_url_size_none]
object
object
object
object
X-displayName: “Segments” x-required Select list of segments.
This type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name.
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
object
object
X-displayName: “Segments” x-required Select list of segments.
This type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name.
object
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name. Required: YES.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace.
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant.
object
A list of known classes of TLS fingerprints to match the input TLS JA3 fingerprint against.
A list of exact TLS JA3 fingerprints to match the input TLS JA3 fingerprint against.
A list of TLS JA3 fingerprints to be excluded when matching the input TLS JA3 fingerprint. This can be used to skip known false positives when using one or more known TLS fingerprint classes in the enclosing matcher.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
object
object
Attack Types to be excluded for the defined match criteria.
App Firewall Attack Type context changes to be applied for this request.
object
Relevant only for contexts: Header, Cookie and Parameter. Name of the Context that the WAF Exclusion Rules will check. Wildcard matching can be used by prefixing or suffixing the context name with an wildcard asterisk (*).
Bot Names to be excluded for the defined match criteria.
Specifies bot to be excluded by its name.
object
Required: YES.
Signature IDs to be excluded for the defined match criteria.
App Firewall signature context changes to be applied for this request.
object
Relevant only for contexts: Header, Cookie and Parameter. Name of the Context that the WAF Exclusion Rules will check. Wildcard matching can be used by prefixing or suffixing the context name with an wildcard asterisk (*).
The allowed values for signature ID are 0 and in the range of 200000001-299999999. 0 implies that all signatures will be excluded for the specified context. Required: YES.
Violations to be excluded for the defined match criteria.
App Firewall violation context changes to be applied for this request.
object
Relevant only for contexts: Header, Cookie and Parameter. Name of the Context that the WAF Exclusion Rules will check. Wildcard matching can be used by prefixing or suffixing the context name with an wildcard asterisk (*).
object
object
Exclusive with [any_server server_name_matcher server_selector] The expected name of the server to which the request API is directed. The actual names for the server are extracted from the HTTP Host header and the name of the virtual_host to which the request is directed. If the request is directed to a virtual K8s service, the actual names also contain the name of that service. The predicate evaluates to true if any of the actual names is the same as the expected server name.
object
A list of exact values to match the input against.
A list of regular expressions to match the input against.
object
Expressions contains the Kubernetes style label expression for selections. Required: YES.
Responses
Section titled “Responses”A successful response.
object
Examplegenerated
{}Returned when operation is not authorized.
Examplegenerated
exampleReturned when there is no permission to access resource.
Examplegenerated
exampleReturned when resource is not found.
Examplegenerated
exampleReturned when operation on resource is conflicting with current value.
Examplegenerated
exampleReturned when operation has been rejected as it is happening too frequently.
Examplegenerated
exampleReturned when server encountered an error in processing API.
Examplegenerated
exampleReturned when service is unavailable temporarily.
Examplegenerated
exampleReturned when server timed out processing request.
Examplegenerated
example