firewall#

The following methods allow for interaction with the ZIA Firewall Policies API endpoints.

Methods are accessible via zia.firewall

class FirewallPolicyAPI#

Bases: object

add_ip_destination_group(name, **kwargs)#

Adds a new IP Destination Group.

Parameters:
  • name (str) – The name of the IP Destination Group.

  • **kwargs – Optional keyword args.

Keyword Arguments:
  • type (str) – Destination IP group type. Allowed values are DSTN_IP and DSTN_FQDN.

  • addresses (list) – Destination IP addresses or FQDNs within the group.

  • description (str) – Additional information about the destination IP group.

  • ip_categories (list) – Destination IP address URL categories.

  • countries (list) – Destination IP address countries.

Returns:

The newly created IP Destination Group resource record.

Return type:

Box

Examples

Add a Destination IP Group with IP addresses:

>>> zia.firewall.add_ip_destination_group(name='Destination Group - IP',
...    addresses=['203.0.113.0/25', '203.0.113.131'],
...    type='DSTN_IP')

Add a Destination IP Group with FQDN:

>>> zia.firewall.add_ip_destination_group(name='Destination Group - FQDN',
...    description='Covers domains for Example Inc.',
...    addresses=['example.com', 'example.edu'],
...    type='DSTN_FQDN')

Add a Destination IP Group for the US:

>>> zia.firewall.add_ip_destination_group(name='Destination Group - US',
...    description='Covers the US',
...    countries=['COUNTRY_US'])
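A client-side consistency check before calling add_ip_destination_group, added here as an example and not part of pyzscaler: a DSTN_IP group should only carry IP addresses or CIDR blocks and a DSTN_FQDN group only domain names, so a mixed list is caught before it reaches the policy. The hostname pattern is a simplified RFC 1123 check written for this example.

```python
import ipaddress
import re

# Simplified RFC 1123 label check (assumption made for this example, not ZIA's validator).
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_fqdn(value):
    """True when value looks like a fully qualified domain name."""
    if not value or len(value) > 253 or value.endswith("."):
        return False
    labels = value.split(".")
    # Require at least two labels and a non-numeric TLD so dotted IPs are not accepted.
    return len(labels) >= 2 and not labels[-1].isdigit() and all(_LABEL.match(l) for l in labels)


def is_ip_or_cidr(value):
    """True for an IPv4/IPv6 address or CIDR block (host bits in a prefix are tolerated)."""
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False


def validate_destination_group(group_type, addresses):
    """Return the addresses that do not belong in a group of the given type.

    DSTN_IP groups must only contain IP addresses or CIDR blocks, DSTN_FQDN
    groups only domain names. An empty list means the group is consistent.
    """
    checks = {"DSTN_IP": is_ip_or_cidr, "DSTN_FQDN": is_fqdn}
    if group_type not in checks:
        raise ValueError(f"unsupported group type for this check: {group_type}")
    check = checks[group_type]
    return [a for a in addresses if not check(a)]


def destination_group_kwargs(name, group_type, addresses, description=None):
    """Build the keyword arguments for zia.firewall.add_ip_destination_group,
    refusing to proceed when any address is inconsistent with the group type."""
    bad = validate_destination_group(group_type, addresses)
    if bad:
        raise ValueError(f"{group_type} group {name!r} rejects: {bad}")
    kwargs = {"name": name, "type": group_type, "addresses": list(addresses)}
    if description:
        kwargs["description"] = description
    return kwargs


if __name__ == "__main__":
    # Constructed sample input: one entry does not match the declared group type.
    print(validate_destination_group("DSTN_IP", ["203.0.113.0/25", "example.com"]))
```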
add_ip_source_group(name, ip_addresses, description=None)#

Adds a new IP Source Group.

Parameters:
  • name (str) – The name of the IP Source Group.

  • ip_addresses (list) – The list of IP addresses for the IP Source Group.

  • description (str) – Additional information for the IP Source Group.

Returns:

The new IP Source Group resource record.

Return type:

Box

Examples

Add a new IP Source Group:

>>> zia.firewall.add_ip_source_group(name='My IP Source Group',
...    ip_addresses=['198.51.100.0/24', '192.0.2.1'],
...    description='Contains the IP addresses for the local network.')
add_network_app_group(name, network_applications, description=None)#

Adds a new Network Application Group.

Parameters:
  • name (str) – The name of the Network Application Group.

  • description (str) – Additional information about the Network Application Group.

  • network_applications (list) – A list of Application IDs to add to the group.

Returns:

The newly created Network Application Group resource record.

Return type:

Box

Examples

Add a new Network Application Group:

>>> zia.firewall.add_network_app_group(name='New Network Application Group',
...    network_applications=['SALESFORCE', 'GOOGLEANALYTICS', 'OFFICE365'],
...    description='Additional information about the Network Application Group.')
add_network_service(name, ports=None, **kwargs)#

Adds a new Network Service.

Parameters:
  • name (str) – The name of the Network Service.

  • ports (list) –

    A list of port protocol tuples. Tuples must follow the convention src/dest, protocol, start port, end port. If this is a single port and not a port range then end port can be omitted. E.g.

    ('src', 'tcp', '49152', '65535'),
    ('dest', 'tcp', '22'),
    ('dest', 'tcp', '9010', '9012'),
    ('dest', 'udp', '9010', '9012')
    

  • **kwargs – Optional keyword args.

Keyword Arguments:

description (str) – Additional information on the Network Service.

Returns:

The newly created Network Service resource record.

Return type:

Box

Examples

Add Network Service for Microsoft Exchange:

>>> zia.firewall.add_network_service('MS LDAP',
...    description='Covers all ports used by MS LDAP',
...    ports=[
...        ('dest', 'tcp', '389'),
...        ('dest', 'udp', '389'),
...        ('dest', 'tcp', '636'),
...        ('dest', 'tcp', '3268', '3269')])

Add Network Service designed to match inbound SSH traffic:

>>> zia.firewall.add_network_service('Inbound SSH',
...    description='Inbound SSH',
...    ports=[
...        ('src', 'tcp', '22'),
...        ('dest', 'tcp', '1024', '65535')])
add_network_svc_group(name, service_ids, description=None)#

Adds a new Network Service Group.

Parameters:
  • name (str) – The name of the Network Service Group.

  • service_ids (list) – A list of Network Service IDs to add to the group.

  • description (str) – Additional information about the Network Service Group.

Returns:

The newly created Network Service Group resource record.

Return type:

Box

Examples

Add a new Network Service Group:

>>> zia.firewall.add_network_svc_group(name='New Network Service Group',
...    service_ids=['159143', '159144', '159145'],
...    description='Group for the new Network Service.')
add_rule(name, action, **kwargs)#

Adds a new firewall filter rule.

Parameters:
  • name (str) – Name of the rule, max 31 chars.

  • action (str) – Action for the rule.

  • device_trust_levels (list) – Device trust levels for the rule application. Values: ANY, UNKNOWN_DEVICETRUSTLEVEL, LOW_TRUST, MEDIUM_TRUST, HIGH_TRUST.

Keyword Arguments:
  • order (str) – Rule order, defaults to the bottom.

  • rank (str) – Admin rank of the rule.

  • state (str) – Rule state (‘ENABLED’ or ‘DISABLED’).

  • description (str) – Rule description.

  • src_ips (list) – Source IPs for the rule. Accepts IP addresses or CIDR.

  • dest_addresses (list) – Destination IPs for the rule. Accepts IP addresses or CIDR.

  • dest_ip_categories (list) – IP address categories for the rule.

  • dest_countries (list) – Destination countries for the rule.

  • enable_full_logging (bool) – If True, enables full logging.

  • nw_applications (list) – Network service applications for the rule.

  • app_services (list) – IDs for application services for the rule.

  • app_service_groups (list) – IDs for app service groups.

  • departments (list) – IDs for departments the rule applies to.

  • dest_ip_groups (list) – IDs for destination IP groups.

  • devices (list) – IDs for devices managed by Zscaler Client Connector.

  • device_groups (list) – IDs for device groups managed by Zscaler Client Connector.

  • groups (list) – IDs for groups the rule applies to.

  • labels (list) – IDs for labels the rule applies to.

  • locations (list) – IDs for locations the rule applies to.

  • location_groups (list) – IDs for location groups.

  • nw_application_groups (list) – IDs for network application groups.

  • nw_services (list) – IDs for network services the rule applies to.

  • nw_service_groups (list) – IDs for network service groups.

  • time_windows (list) – IDs for time windows the rule applies to.

  • users (list) – IDs for users the rule applies to.

Returns:

New firewall filter rule resource record.

Return type:

Box

Examples

Add a rule to allow all traffic to Google DNS:

>>> zia.firewall.add_rule(rank='7', dest_addresses=['8.8.8.8', '8.8.4.4'],
...    name='ALLOW_ANY_TO_GOOG-DNS', action='ALLOW', description='TT#1965432122')

Block traffic to Quad9 DNS for Finance Group, send ICMP error:

>>> zia.firewall.add_rule(rank='7', dest_addresses=['9.9.9.9'],
...    name='BLOCK_GROUP-FIN_TO_Q9-DNS', action='BLOCK_ICMP', groups=['95016183'],
...    description='TT#1965432122')
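An added example (not pyzscaler's own implementation) of how the snake_case keyword arguments documented for add_rule can be assembled into a request body while enforcing the documented limits (name of at most 31 characters, state ENABLED or DISABLED, the listed device trust levels). The ID-list mapping is the one shown as the reformat_params attribute further down this page; the body shape ({"id": int} objects under camelCase keys) is an assumption made for this example.

```python
# Mapping of snake_case ID-list arguments to camelCase body keys (copied from the
# reformat_params attribute documented on this page).
REFORMAT_PARAMS = [
    ("app_services", "appServices"), ("app_service_groups", "appServiceGroups"),
    ("departments", "departments"), ("devices", "devices"),
    ("device_groups", "deviceGroups"), ("dest_ip_groups", "destIpGroups"),
    ("dest_ipv6_groups", "destIpv6Groups"), ("groups", "groups"),
    ("labels", "labels"), ("locations", "locations"),
    ("location_groups", "locationGroups"), ("nw_application_groups", "nwApplicationGroups"),
    ("nw_service_groups", "nwServiceGroups"), ("src_ip_groups", "srcIpGroups"),
    ("src_ipv6_groups", "srcIpv6Groups"), ("time_windows", "timeWindows"),
    ("users", "users"),
]
MAX_NAME_LEN = 31
STATES = {"ENABLED", "DISABLED"}
TRUST_LEVELS = {"ANY", "UNKNOWN_DEVICETRUSTLEVEL", "LOW_TRUST", "MEDIUM_TRUST", "HIGH_TRUST"}


def snake_to_camel(key):
    """dest_ip_categories -> destIpCategories (assumed key convention for the body)."""
    head, *rest = key.split("_")
    return head + "".join(part.capitalize() for part in rest)


def build_rule_payload(name, action, **kwargs):
    """Validate the documented constraints and assemble a firewall rule body.

    Arguments named in REFORMAT_PARAMS become camelCase keys holding
    [{"id": <int>}, ...]; every other keyword is passed through under its
    camelCase name with the value unchanged.
    """
    if not 1 <= len(name) <= MAX_NAME_LEN:
        raise ValueError(f"rule name must be 1-{MAX_NAME_LEN} chars: {name!r}")
    if "state" in kwargs and kwargs["state"] not in STATES:
        raise ValueError(f"state must be one of {sorted(STATES)}")
    levels = set(kwargs.get("device_trust_levels", []))
    if levels - TRUST_LEVELS:
        raise ValueError(f"unknown device trust levels: {sorted(levels - TRUST_LEVELS)}")
    payload = {"name": name, "action": action}
    id_lists = dict(REFORMAT_PARAMS)
    for key, value in kwargs.items():
        if key in id_lists:
            payload[id_lists[key]] = [{"id": int(item)} for item in value]
        else:
            payload[snake_to_camel(key)] = value
    return payload


if __name__ == "__main__":
    # The second add_rule example from this page, run through the builder.
    print(build_rule_payload("BLOCK_GROUP-FIN_TO_Q9-DNS", "BLOCK_ICMP", rank="7",
                             dest_addresses=["9.9.9.9"], groups=["95016183"],
                             description="TT#1965432122"))
```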
delete_ip_destination_group(group_id)#

Deletes the specified IP Destination Group.

Parameters:

group_id (str) – The unique ID of the IP Destination Group.

Returns:

The status code of the operation.

Return type:

int

Examples

>>> zia.firewall.delete_ip_destination_group('287342')
delete_ip_source_group(group_id)#

Deletes an IP Source Group.

Parameters:

group_id (str) – The unique ID of the IP Source Group to be deleted.

Returns:

The status code for the operation.

Return type:

int

Examples

>>> zia.firewall.delete_ip_source_group('762398')
delete_network_app_group(group_id)#

Deletes the specified Network Application Group.

Parameters:

group_id (str) – The unique identifier for the Network Application Group.

Returns:

The response code for the operation.

Return type:

int

Examples

>>> zia.firewall.delete_network_app_group('762398')
delete_network_service(service_id)#

Deletes the specified Network Service.

Parameters:

service_id (str) – The unique ID for the Network Service.

Returns:

The status code for the operation.

Return type:

int

Examples

>>> zia.firewall.delete_network_service('762398')
delete_network_svc_group(group_id)#

Deletes the specified Network Service Group.

Parameters:

group_id (str) – The unique identifier for the Network Service Group.

Returns:

The response code for the operation.

Return type:

int

Examples

>>> zia.firewall.delete_network_svc_group('762398')
delete_rule(rule_id)#

Deletes the specified firewall filter rule.

Parameters:

rule_id (str) – The unique identifier for the firewall filter rule.

Returns:

The status code for the operation.

Return type:

int

Examples

>>> zia.firewall.delete_rule('278454')
get_ip_destination_group(group_id)#

Returns information on the specified IP Destination Group.

Parameters:

group_id (str) – The unique ID of the IP Destination Group.

Returns:

The IP Destination Group resource record.

Return type:

Box

Examples

>>> pprint(zia.firewall.get_ip_destination_group('287342'))
get_ip_source_group(group_id)#

Returns information for the specified IP Source Group.

Parameters:

group_id (str) – The unique ID of the IP Source Group.

Returns:

The IP Source Group resource record.

Return type:

Box

Examples

>>> pprint(zia.firewall.get_ip_source_group('762398'))
get_network_app(app_id)#

Returns information for the specified Network Application.

Parameters:

app_id (str) – The unique ID for the Network Application.

Returns:

The Network Application resource record.

Return type:

Box

Examples

>>> pprint(zia.firewall.get_network_app('762398'))
get_network_app_group(group_id)#

Returns information for the specified Network Application Group.

Parameters:

group_id (str) – The unique ID for the Network Application Group.

Returns:

The Network Application Group resource record.

Return type:

Box

get_network_service(service_id)#

Returns information for the specified Network Service.

Parameters:

service_id (str) – The unique ID for the Network Service.

Returns:

The Network Service resource record.

Return type:

Box

Examples

>>> pprint(zia.firewall.get_network_service('762398'))
get_network_svc_group(group_id)#

Returns information for the specified Network Service Group.

Parameters:

group_id (str) – The unique ID for the Network Service Group.

Returns:

The Network Service Group resource record.

Return type:

Box

Examples

>>> pprint(zia.firewall.get_network_svc_group('762398'))
get_rule(rule_id)#

Returns information for the specified firewall filter rule.

Parameters:

rule_id (str) – The unique identifier for the firewall filter rule.

Returns:

The resource record for the firewall filter rule.

Return type:

Box

Examples

>>> pprint(zia.firewall.get_rule('431233'))
list_ip_destination_groups(exclude_type=None)#

Returns a list of IP Destination Groups.

Parameters:

exclude_type (str) – Exclude all groups that match the specified IP destination group’s type. Accepted values are: DSTN_IP, DSTN_FQDN, DSTN_DOMAIN and DSTN_OTHER.

Returns:

List of IP Destination Group records.

Return type:

BoxList

Examples

>>> for group in zia.firewall.list_ip_destination_groups():
...    pprint(group)
list_ip_source_groups(search=None)#

Returns a list of IP Source Groups.

Parameters:

search (str) – The search string used to match against a group’s name or description attributes.

Returns:

List of IP Source Group records.

Return type:

BoxList

Examples

List all IP Source Groups:

>>> for group in zia.firewall.list_ip_source_groups():
...    pprint(group)

Use search parameter to find IP Source Groups with fiji in the name:

>>> for group in zia.firewall.list_ip_source_groups('fiji'):
...    pprint(group)
list_network_app_groups(search=None)#

Returns a list of all Network Application Groups.

Parameters:

search (str) – The search string used to match against a group’s name or description attributes.

Returns:

The list of Network Application Group resource records.

Return type:

BoxList

Examples

>>> for group in zia.firewall.list_network_app_groups():
...    pprint(group)
list_network_apps(search=None)#

Returns a list of all predefined Network Applications.

Parameters:

search (str) – The search string used to match against a network application’s description attribute.

Returns:

The list of Network Application resource records.

Return type:

BoxList

Examples

>>> for app in zia.firewall.list_network_apps():
...    pprint(app)
list_network_services(search=None, protocol=None)#

Returns a list of all Network Services.

The search parameters find matching values within the “name” or “description” attributes.

Parameters:
  • search (str) – The search string used to match against a service’s name or description attributes.

  • protocol (str) – Filter based on the network service protocol. Accepted values are ICMP, TCP, UDP, GRE, ESP and OTHER.

Returns:

The list of Network Service resource records.

Return type:

BoxList

Examples

>>> for service in zia.firewall.list_network_services():
...    pprint(service)
list_network_svc_groups(search=None)#

Returns a list of Network Service Groups.

Parameters:

search (str) – The search string used to match against a group’s name or description attributes.

Returns:

List of Network Service Group resource records.

Return type:

BoxList

Examples

>>> for group in zia.firewall.list_network_svc_groups():
...    pprint(group)
list_rules()#

Returns a list of all firewall filter rules.

Returns:

The list of firewall filter rules.

Return type:

BoxList

Examples

>>> for rule in zia.firewall.list_rules():
...    pprint(rule)
list_time_windows()#

Returns a list of time intervals used by the Firewall policy or the URL Filtering policy.

Parameters:
  • id (int) – The unique id for the Time Interval.

  • name (str) – The name of the Time Interval.

Returns:

The ZIA Time Interval resource record.

Return type:

Box

Examples

>>> pprint(zia.firewall.list_time_windows())
list_time_windows_lite()#

Returns name and ID dictionary of time intervals used by the Firewall policy or the URL Filtering policy.

Parameters:
  • id (int) – The unique id for the Time Interval.

  • name (str) – The name of the Time Interval.

Returns:

The ZIA Time Interval resource record.

Return type:

Box

Examples

>>> pprint(zia.firewall.list_time_windows_lite())
reformat_params = [('app_services', 'appServices'), ('app_service_groups', 'appServiceGroups'), ('departments', 'departments'), ('devices', 'devices'), ('device_groups', 'deviceGroups'), ('dest_ip_groups', 'destIpGroups'), ('dest_ipv6_groups', 'destIpv6Groups'), ('groups', 'groups'), ('labels', 'labels'), ('locations', 'locations'), ('location_groups', 'locationGroups'), ('nw_application_groups', 'nwApplicationGroups'), ('nw_service_groups', 'nwServiceGroups'), ('src_ip_groups', 'srcIpGroups'), ('src_ipv6_groups', 'srcIpv6Groups'), ('time_windows', 'timeWindows'), ('users', 'users')]#
update_ip_destination_group(group_id, **kwargs)#

Updates the specified IP Destination Group.

Parameters:
  • group_id (str) – The unique ID of the IP Destination Group.

  • **kwargs – Optional keyword args.

Keyword Arguments:
  • name (str) – The name of the IP Destination Group.

  • addresses (list) – Destination IP addresses or FQDNs within the group.

  • description (str) – Additional information about the IP Destination Group.

  • ip_categories (list) – Destination IP address URL categories.

  • countries (list) – Destination IP address countries.

Returns:

The updated IP Destination Group resource record.

Return type:

Box

Examples

Update the name of an IP Destination Group:

>>> zia.firewall.update_ip_destination_group('9032667',
...    name="Updated IP Destination Group")

Update the description and FQDNs for an IP Destination Group:

>>> zia.firewall.update_ip_destination_group('9032668',
...    description="Tech News",
...    addresses=['arstechnica.com', 'slashdot.org'])
update_ip_source_group(group_id, **kwargs)#

Update an IP Source Group.

This method supports updating individual fields in the IP Source Group resource record.

Parameters:
  • group_id (str) – The unique ID for the IP Source Group to update.

  • **kwargs – Optional keyword args.

Keyword Arguments:
  • name (str) – The name of the IP Source Group.

  • ip_addresses (list) – The list of IP addresses for the IP Source Group.

  • description (str) – Additional information for the IP Source Group.

Returns:

The updated IP Source Group resource record.

Return type:

Box

Examples

Update the name of an IP Source Group:

>>> zia.firewall.update_ip_source_group('9032674',
...    name='Updated Name')

Update the description and IP addresses of an IP Source Group:

>>> zia.firewall.update_ip_source_group('9032674',
...    description='Local subnets, updated on 3 JUL 21',
...    ip_addresses=['192.0.2.0/29', '192.0.2.8/29', '192.0.2.128/25'])
update_network_app_group(group_id, **kwargs)#

Update a Network Application Group.

This method supports updating individual fields in the Network Application Group resource record.

Parameters:
  • group_id (str) – The unique ID for the Network Application Group to update.

  • **kwargs – Optional keyword args.

Keyword Arguments:
  • name (str) – The name of the Network Application Group.

  • network_applications (list) – The list of applications for the Network Application Group.

  • description (str) – Additional information for the Network Application Group.

Returns:

The updated Network Application Group resource record.

Return type:

Box

Examples

Update the name of a Network Application Group:

>>> zia.firewall.update_network_app_group('9032674',
...    name='Updated Network Application Group Name')

Update the description and applications for a Network Application Group:

>>> zia.firewall.update_network_app_group('9032674',
...    description='Network Application Group, updated on May 27, 2023',
...    network_applications=['SALESFORCE', 'GOOGLEANALYTICS', 'OFFICE365'])
update_network_service(service_id, ports=None, **kwargs)#

Updates the specified Network Service.

If ports aren’t provided then no changes will be made to the ports already defined. If ports are provided then the existing ports will be overwritten.

Parameters:
  • service_id (str) – The unique ID for the Network Service.

  • ports (list) –

    A list of port protocol tuples. Tuples must follow the convention src/dest, protocol, start port, end port. If this is a single port and not a port range then end port can be omitted. E.g.

    ('src', 'tcp', '49152', '65535'),
    ('dest', 'tcp', '22'),
    ('dest', 'tcp', '9010', '9012'),
    ('dest', 'udp', '9010', '9012')
    

  • **kwargs – Optional keyword args.

Keyword Arguments:

description (str) – Additional information on the Network Service.

Returns:

The updated Network Service resource record.

Return type:

Box

Examples

Update the name and description for a Network Service:

>>> zia.firewall.update_network_service('959093',
...    name='MS Exchange',
...    description='All ports related to the MS Exchange service.')

Update the ports for a Network Service, leaving other fields intact:

>>> zia.firewall.update_network_service('959093',
...    ports=[
...        ('dest', 'tcp', '500', '510')])
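The port tuple convention used by both add_network_service and update_network_service, worked through as an added example that is not pyzscaler's code: each (src|dest, protocol, start[, end]) tuple is validated, grouped by direction and protocol, and the resulting lists are counted so that a very broad service (the Inbound SSH example above opens 64512 destination ports) stands out at review time. The body key names (srcTcpPorts, destTcpPorts, srcUdpPorts, destUdpPorts) and the {"start", "end"} shape are assumed for this example.

```python
PORT_MIN, PORT_MAX = 1, 65535


def parse_port_tuple(entry):
    """Validate one (src|dest, tcp|udp, start[, end]) tuple.

    Returns (direction, protocol, start, end) with integer ports; a single
    port is normalised to a range whose end equals its start.
    """
    if len(entry) not in (3, 4):
        raise ValueError(f"expected 3 or 4 elements, got {entry!r}")
    direction, protocol = entry[0].lower(), entry[1].lower()
    if direction not in ("src", "dest"):
        raise ValueError(f"direction must be src or dest: {entry!r}")
    if protocol not in ("tcp", "udp"):
        raise ValueError(f"protocol must be tcp or udp: {entry!r}")
    start = int(entry[2])
    end = int(entry[3]) if len(entry) == 4 else start
    if not (PORT_MIN <= start <= end <= PORT_MAX):
        raise ValueError(f"invalid port range {start}-{end} in {entry!r}")
    return direction, protocol, start, end


def ports_to_payload(ports):
    """Group validated tuples into per-direction, per-protocol range lists.

    Key names such as destTcpPorts and the {"start", "end"} objects are an
    assumption made for this example, not taken from pyzscaler.
    """
    payload = {}
    for entry in ports:
        direction, protocol, start, end = parse_port_tuple(entry)
        key = f"{direction}{protocol.capitalize()}Ports"
        payload.setdefault(key, []).append({"start": start, "end": end})
    return payload


def port_count(payload):
    """Number of distinct ports each list covers; overlapping ranges are counted once."""
    counts = {}
    for key, ranges in payload.items():
        covered = set()
        for r in ranges:
            covered.update(range(r["start"], r["end"] + 1))
        counts[key] = len(covered)
    return counts


if __name__ == "__main__":
    # The MS LDAP service from this page, then the Inbound SSH one.
    ldap = ports_to_payload([('dest', 'tcp', '389'), ('dest', 'udp', '389'),
                             ('dest', 'tcp', '636'), ('dest', 'tcp', '3268', '3269')])
    print(ldap, port_count(ldap))
    ssh = ports_to_payload([('src', 'tcp', '22'), ('dest', 'tcp', '1024', '65535')])
    print(port_count(ssh))
```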
update_network_svc_group(group_id, **kwargs)#

Update a Network Service Group.

Parameters:
  • group_id (str) – The unique ID of the Network Service Group.

  • **kwargs – Optional keyword args.

Keyword Arguments:
  • name (str) – The name of the Network Service Group.

  • service_ids (list) – A list of Network Service IDs to add to the group.

  • description (str) – Additional information about the Network Service Group.

Returns:

The updated Network Service Group resource record.

Return type:

Box

Examples

Update the name of a Network Service Group:

>>> zia.firewall.update_network_svc_group('9032674',
...    name='Update Network Service Group',
...    service_ids=['159143', '159144', '159145'],
...    description='Group for the new Network Service.')
update_rule(rule_id, **kwargs)#

Updates an existing firewall filter rule.

Parameters:
  • rule_id (str) – The unique ID for the rule that is being updated.

  • **kwargs – Optional keyword args.

Keyword Arguments:
  • order (str) – The order of the rule, defaults to adding rule to bottom of list.

  • rank (str) – The admin rank of the rule.

  • state (str) – The rule state. Accepted values are ‘ENABLED’ or ‘DISABLED’.

  • description (str) – Additional information about the rule.

  • src_ips (list) – The source IPs that this rule applies to. Individual IP addresses or CIDR ranges accepted.

  • dest_addresses (list) – The destination IP addresses that this rule applies to. Individual IP addresses or CIDR ranges accepted.

  • dest_ip_categories (list) – The IP address categories that this rule applies to.

  • dest_countries (list) – The destination countries that this rule applies to.

  • enable_full_logging (bool) – Enables full logging if True.

  • nw_applications (list) – The network service applications that this rule applies to.

  • app_services (list) – The IDs for the application services that this rule applies to.

  • app_service_groups (list) – The IDs for the application service groups that this rule applies to.

  • departments (list) – The IDs for the departments that this rule applies to.

  • dest_ip_groups (list) – The IDs for the destination IP groups that this rule applies to.

  • groups (list) – The IDs for the groups that this rule applies to.

  • labels (list) – The IDs for the labels that this rule applies to.

  • locations (list) – The IDs for the locations that this rule applies to.

  • location_groups (list) – The IDs for the location groups that this rule applies to.

  • nw_application_groups (list) – The IDs for the network application groups that this rule applies to.

  • nw_services (list) – The IDs for the network services that this rule applies to.

  • nw_service_groups (list) – The IDs for the network service groups that this rule applies to.

  • time_windows (list) – The IDs for the time windows that this rule applies to.

  • users (list) – The IDs for the users that this rule applies to.

Returns:

The updated firewall filter rule resource record.

Return type:

Box

Examples

Update the destination IP addresses for a rule:

>>> zia.firewall.update_rule('976598',
...    dest_addresses=['1.1.1.1'],
...    description="TT#1965232865")

Update a rule to enable full logging:

>>> zia.firewall.update_rule('976597',
...    enable_full_logging=True,
...    description="TT#1965232866")