policies#

The following methods allow for interaction with the ZPA Policy Sets API endpoints.

Methods are accessible via zpa.policies.

class PolicySetsAPI#

Bases: object

POLICY_MAP = {'access': 'ACCESS_POLICY', 'client_forwarding': 'CLIENT_FORWARDING_POLICY', 'inspection': 'INSPECTION_POLICY', 'isolation': 'ISOLATION_POLICY', 'siem': 'SIEM_POLICY', 'timeout': 'TIMEOUT_POLICY'}#
add_access_rule(name, action, app_connector_group_ids=[], app_server_group_ids=[], **kwargs)#

Add a new Access Policy rule.

See the ZPA Access Policy API reference for further detail on optional keyword parameter structures.

Parameters:
  • name (str) – The name of the new rule.

  • action (str) –

    The action for the policy. Accepted values are:

    allow
    deny

  • **kwargs – Optional keyword args.

Keyword Arguments:
  • conditions (list) –

    A list of conditional rule tuples. Tuples must follow the convention: Object Type, LHS value, RHS value. If you are adding multiple values for the same object type then you will need a new entry for each value. E.g.

    [('app', 'id', '99999'),
    ('app', 'id', '88888'),
    ('app_group', 'id', '77777'),
    ('client_type', 'zpn_client_type_exporter', 'zpn_client_type_zapp'),
    ('trusted_network', 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx', True)]
    

  • custom_msg (str) – A custom message.

  • description (str) – A description for the rule.

  • app_connector_group_ids (list of str) – A list of application connector IDs that will be attached to the access policy rule.

  • app_server_group_ids (list of str) – A list of application server group IDs that will be attached to the access policy rule.

Returns:

The resource record of the newly created access policy rule.

Return type:

Box

add_app_protection_rule(name, action, zpn_inspection_profile_id, **kwargs)#

Add a new AppProtection Policy rule.

See the ZPA AppProtection Policy API reference for further detail on optional keyword parameter structures.

Parameters:
  • name (str) – The name of the new rule.

  • action (str) –

    The action for the policy. Accepted values are:

    inspect
    bypass_inspect

  • **kwargs – Optional keyword args.

Keyword Arguments:
  • conditions (list) –

    A list of conditional rule tuples. Tuples must follow the convention: Object Type, LHS value, RHS value. If you are adding multiple values for the same object type then you will need a new entry for each value. E.g.

    [('app', 'id', '926196382959075416'),
    ('app', 'id', '926196382959075417'),
    ('app_group', 'id', '926196382959075332'),
    ('client_type', 'zpn_client_type_exporter')]
    

  • zpn_inspection_profile_id (str) – The AppProtection profile ID associated with the rule

  • description (str) – A description for the rule.

Returns:

The resource record of the newly created Client Inspection Policy rule.

Return type:

Box

add_client_forwarding_rule(name, action, **kwargs)#

Add a new Client Forwarding Policy rule.

See the ZPA Client Forwarding Policy API reference for further detail on optional keyword parameter structures.

Parameters:
  • name (str) – The name of the new rule.

  • action (str) –

    The action for the policy. Accepted values are:

    intercept
    intercept_accessible
    bypass

  • **kwargs – Optional keyword args.

Keyword Arguments:
  • conditions (list) –

    A list of conditional rule tuples. Tuples must follow the convention: Object Type, LHS value, RHS value. If you are adding multiple values for the same object type then you will need a new entry for each value. E.g.

    [('app', 'id', '926196382959075416'),
    ('app', 'id', '926196382959075417'),
    ('app_group', 'id', '926196382959075332'),
    ('client_type', 'zpn_client_type_exporter', 'zpn_client_type_zapp'),
    ('trusted_network', 'b15e4cad-fa6e-8182-9fc3-8125ee6a65e1', True)]
    

  • custom_msg (str) – A custom message.

  • description (str) – A description for the rule.

Returns:

The resource record of the newly created Client Forwarding Policy rule.

Return type:

Box

add_isolation_rule(name, action, zpn_isolation_profile_id, **kwargs)#

Add a new Isolation Policy rule.

See the ZPA Isolation Policy API reference for further detail on optional keyword parameter structures.

Parameters:
  • name (str) – The name of the new rule.

  • action (str) –

    The action for the policy. Accepted values are:

    isolate
    bypass_isolate

  • **kwargs – Optional keyword args.

Keyword Arguments:
  • conditions (list) –

    A list of conditional rule tuples. Tuples must follow the convention: Object Type, LHS value, RHS value. If you are adding multiple values for the same object type then you will need a new entry for each value. E.g.

    [('app', 'id', '926196382959075416'),
    ('app', 'id', '926196382959075417'),
    ('app_group', 'id', '926196382959075332'),
    ('client_type', 'zpn_client_type_exporter')]
    

  • zpn_isolation_profile_id (str) – The isolation profile ID associated with the rule

  • description (str) – A description for the rule.

Returns:

The resource record of the newly created Client Isolation Policy rule.

Return type:

Box

add_timeout_rule(name, **kwargs)#

Add a new Timeout Policy rule.

See the ZPA Timeout Policy API reference for further detail on optional keyword parameter structures.

Parameters:
  • name (str) – The name of the new rule.

  • **kwargs – Optional parameters.

Keyword Arguments:
  • conditions (list) –

    A list of conditional rule tuples. Tuples must follow the convention: Object Type, LHS value, RHS value. If you are adding multiple values for the same object type then you will need a new entry for each value. E.g.

    [('app', 'id', '926196382959075416'),
    ('app', 'id', '926196382959075417'),
    ('app_group', 'id', '926196382959075332'),
    ('client_type', 'zpn_client_type_exporter', 'zpn_client_type_zapp'),
    ('trusted_network', 'b15e4cad-fa6e-8182-9fc3-8125ee6a65e1', True)]
    

  • custom_msg (str) – A custom message.

  • description (str) – A description for the rule.

  • re_auth_idle_timeout (int) – The re-authentication idle timeout value in seconds.

  • re_auth_timeout (int) – The re-authentication timeout value in seconds.

Returns:

The resource record of the newly created Timeout Policy rule.

Return type:

Box

bulk_reorder_rules(policy_type, rules_orders)#

Bulk change the order of policy rules.

Parameters:
  • rules_orders (dict(rule_id=>order)) – A map of rule IDs and orders

  • policy_type (str) –

    The policy type. Accepted values are:

    access
    timeout
    client_forwarding
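Because ZPA evaluates rules in order, a reorder submitted through bulk_reorder_rules should be planned and checked before it is applied. The helpers below are an added example, not part of the SDK: they build a rules_orders map that moves named rules (typically deny rules) to the top while keeping every other rule in its current relative order, and verify the map before it is passed to bulk_reorder_rules. The id, name and rule_order keys on the rule records and the sample records themselves are assumptions constructed for the example.

```python
from typing import Dict, List, Mapping, Sequence

# Constructed sample of rule records as list_rules() might return them
# (assumed keys: id, name, rule_order; adjust if your records differ).
SAMPLE_RULES = [
    {"id": "1001", "name": "Allow-All-Contractors", "rule_order": "1"},
    {"id": "1002", "name": "Deny-Unmanaged-Devices", "rule_order": "2"},
    {"id": "1003", "name": "Allow-Finance-App", "rule_order": "3"},
]


def plan_rule_orders(rules: Sequence[Mapping], first: Sequence[str]) -> Dict[str, str]:
    """Build a rules_orders map (rule id -> 1-based order as a string).

    Rules named in `first` go to the top in that sequence; all other rules
    keep their current relative order. Order values are strings to match the
    rule_order='2' convention used by reorder_rule.
    """
    by_name = {r["name"]: r for r in rules}
    if len(by_name) != len(rules):
        raise ValueError("rule names are not unique; plan by id instead")
    missing = [n for n in first if n not in by_name]
    if missing:
        raise KeyError(f"rules not found in policy: {missing}")
    head = [by_name[n] for n in first]
    head_ids = {r["id"] for r in head}
    tail = sorted((r for r in rules if r["id"] not in head_ids),
                  key=lambda r: int(r["rule_order"]))
    return {r["id"]: str(i) for i, r in enumerate(head + tail, start=1)}


def verify_rule_orders(rules: Sequence[Mapping], rules_orders: Mapping[str, str]) -> List[str]:
    """Return problems that would make a bulk reorder unsafe or rejected."""
    problems = []
    ids = {r["id"] for r in rules}
    if set(rules_orders) != ids:
        problems.append("rules_orders must cover every rule in the policy exactly once")
    orders = sorted(int(o) for o in rules_orders.values())
    if orders != list(range(1, len(rules_orders) + 1)):
        problems.append("orders must be contiguous from 1 with no duplicates")
    return problems


if __name__ == "__main__":
    plan = plan_rule_orders(SAMPLE_RULES, ["Deny-Unmanaged-Devices"])
    print(plan, verify_rule_orders(SAMPLE_RULES, plan))
```

Only hand the map to zpa.policies.bulk_reorder_rules('access', plan) when verify_rule_orders returns an empty list.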

delete_rule(policy_type, rule_id)#

Deletes the specified policy rule.

Parameters:
  • policy_type (str) –

    The type of policy the rule belongs to. Accepted values are:

    access
    timeout
    client_forwarding
    siem

  • rule_id (str) – The unique identifier for the policy rule.

Returns:

The response code for the operation.

Return type:

int

Examples

>>> zpa.policies.delete_rule(policy_type='access',
...    rule_id='88888')

get_policy(policy_type)#

Returns the policy and rule sets for the given policy type.

Parameters:

policy_type (str) –

The type of policy to be returned. Accepted values are:

access - returns the Access Policy
timeout - returns the Timeout Policy
client_forwarding - returns the Client Forwarding Policy
isolation - returns the Isolation Policy
inspection - returns the Inspection Policy
siem - returns the SIEM Policy

Returns:

The resource record of the specified policy type.

Return type:

Box

Examples

Request the specified Policy.

>>> pprint(zpa.policies.get_policy('access'))

get_rule(policy_type, rule_id)#

Returns the specified policy rule.

Parameters:
  • policy_type (str) –

    The type of policy to be returned. Accepted values are:

    access
    timeout
    client_forwarding
    siem

  • rule_id (str) – The unique identifier for the policy rule.

Returns:

The resource record for the requested rule.

Return type:

Box

Examples

>>> policy_rule = zpa.policies.get_rule(policy_type='access',
...    rule_id='88888')

get_rule_by_name(policy_type, rule_name)#

Returns the specified policy rule by its name.

Parameters:
  • policy_type (str) – The type of policy to be returned. Accepted values are: access, timeout, client_forwarding, siem

  • rule_name (str) – The name of the policy rule.

Returns:

The resource record for the requested rule.

Return type:

Box

Examples

>>> policy_rule = zpa.policies.get_rule_by_name(policy_type='access', rule_name='MyRule')

list_rules(policy_type, **kwargs)#

Returns policy rules for a given policy type.

Parameters:

policy_type (str) –

The policy type. Accepted values are:

access - returns Access Policy rules
timeout - returns Timeout Policy rules
client_forwarding - returns Client Forwarding Policy rules

Returns:

A list of all policy rules that match the requested type.

Return type:

list

Examples

>>> for policy in zpa.policies.list_rules('access'):
...    pprint(policy)

reformat_params = [('app_server_group_ids', 'appServerGroups'), ('app_connector_group_ids', 'appConnectorGroups')]#
reorder_rule(policy_type, rule_id, rule_order)#

Change the order of an existing policy rule.

Parameters:
  • rule_id (str) – The unique id of the rule that will be reordered.

  • rule_order (str) – The new order for the rule.

  • policy_type (str) –

    The policy type. Accepted values are:

    access
    timeout
    client_forwarding

Returns:

The updated policy rule resource record.

Return type:

Box

Examples

Updates the order for an existing policy rule:

>>> zpa.policies.reorder_rule(policy_type='access',
...    rule_id='88888',
...    rule_order='2')

sort_key(rules_orders)#
update_access_rule(policy_type, rule_id, app_connector_group_ids=None, app_server_group_ids=None, **kwargs)#

Update an existing policy rule.

Ensure you are using the correct arguments for the policy type that you want to update.

Parameters:
  • policy_type (str) –

  • rule_id (str) –

  • **kwargs

Keyword Arguments:
  • ...

  • app_connector_group_ids (list of str) – A list of application connector IDs that will be attached to the access policy rule. Defaults to an empty list.

  • app_server_group_ids (list of str) – A list of server group IDs that will be attached to the access policy rule. Defaults to an empty list.

Returns:

The updated policy-rule resource record.

Return type:

Box

Examples

update_rule(policy_type, rule_id, **kwargs)#

Update an existing policy rule.

Ensure you are using the correct arguments for the policy type that you want to update.

Parameters:
  • policy_type (str) –

    The policy type. Accepted values are:

    access
    timeout
    client_forwarding

  • rule_id (str) – The unique identifier for the rule to be updated.

  • **kwargs – Optional keyword args.

Keyword Arguments:
  • action (str) –

    The action for the policy. Accepted values are:

    allow
    deny
    intercept
    intercept_accessible
    bypass

  • conditions (list) –

    A list of conditional rule tuples. Tuples must follow the convention: Object Type, LHS value, RHS value. If you are adding multiple values for the same object type then you will need a new entry for each value. E.g.

    [('app', 'id', '926196382959075416'),
    ('app', 'id', '926196382959075417'),
    ('app_group', 'id', '926196382959075332'),
    ('client_type', 'zpn_client_type_exporter', 'zpn_client_type_zapp'),
    ('trusted_network', 'b15e4cad-fa6e-8182-9fc3-8125ee6a65e1', True)]
    

  • custom_msg (str) – A custom message.

  • description (str) – A description for the rule.

  • re_auth_idle_timeout (int) – The re-authentication idle timeout value in seconds.

  • re_auth_timeout (int) – The re-authentication timeout value in seconds.

Returns:

The updated policy-rule resource record.

Return type:

Box

Examples

Updates the name only for an Access Policy rule:

>>> zpa.policies.update_rule('access', '99999', name='new_rule_name')

Updates the action only for a Client Forwarding Policy rule:

>>> zpa.policies.update_rule('client_forwarding', '888888', action='BYPASS')
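The conditions convention shared by add_access_rule, add_app_protection_rule, add_client_forwarding_rule, add_isolation_rule, add_timeout_rule and update_rule (tuples of Object Type, LHS value and optional RHS value, one tuple per value) is easy to get wrong before the request reaches the API. The code below is an added example, not the SDK's own serialisation: it validates the tuples, groups them per object type into the conditions/operands layout the ZPA API uses (the OR operator and upper-cased objectType are assumptions made here for illustration), and flags an allow rule that is not scoped to any app or app_group. The allowlist of object types is limited to those shown on this page.

```python
from typing import Dict, List, Sequence, Tuple, Union

# Object types that appear in the condition tuples on this page. ZPA accepts
# more; this is a validation allowlist, not the API's full set.
DEFAULT_OBJECT_TYPES = frozenset({"app", "app_group", "client_type", "trusted_network"})

Condition = Union[Tuple[str, str], Tuple[str, str, Union[str, bool]]]


def build_conditions(conditions: Sequence[Condition],
                     allowed: frozenset = DEFAULT_OBJECT_TYPES) -> List[Dict]:
    """Validate (object_type, lhs[, rhs]) tuples and group them by object type.

    The output shape (one block per object type, operator OR, objectType
    upper-cased) is assumed to follow the ZPA API's conditions/operands
    layout; the SDK's own serialisation may differ.
    """
    grouped: Dict[str, List[Dict[str, str]]] = {}
    for cond in conditions:
        if not isinstance(cond, tuple) or len(cond) not in (2, 3):
            raise ValueError(f"condition must be a 2- or 3-tuple: {cond!r}")
        obj_type, lhs = cond[0], cond[1]
        if obj_type not in allowed:
            raise ValueError(f"unknown object type {obj_type!r} in {cond!r}")
        operand = {"objectType": obj_type.upper(), "lhs": str(lhs)}
        if len(cond) == 3:
            rhs = cond[2]
            # trusted_network uses a boolean RHS; send it as a lowercase string.
            operand["rhs"] = str(rhs).lower() if isinstance(rhs, bool) else str(rhs)
        grouped.setdefault(obj_type, []).append(operand)
    return [{"operator": "OR", "operands": ops} for ops in grouped.values()]


def audit_rule(action: str, conditions: Sequence[Condition]) -> List[str]:
    """Return least-privilege findings for a rule before it is created."""
    findings = []
    types = {c[0] for c in conditions}
    if action == "allow" and not ({"app", "app_group"} & types):
        findings.append("allow rule is not scoped to any app or app_group: matches all applications")
    seen = set()
    for c in conditions:
        if c in seen:
            findings.append(f"duplicate condition {c!r}")
        seen.add(c)
    return findings
```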