scm.getZoneProtectionProfileList

Strata Cloud Manager v0.4.3, Nov 8 25

Strata Cloud Manager v0.4.3 published on Saturday, Nov 8, 2025 by Pulumi

Schema (JSON)

pulumi/pulumi-scm

Strata Cloud Manager v0.4.3 published on Saturday, Nov 8, 2025 by Pulumi

Schema (JSON)

pulumi/pulumi-scm

Using getZoneProtectionProfileList

Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

function getZoneProtectionProfileList(args: GetZoneProtectionProfileListArgs, opts?: InvokeOptions): Promise<GetZoneProtectionProfileListResult>
function getZoneProtectionProfileListOutput(args: GetZoneProtectionProfileListOutputArgs, opts?: InvokeOptions): Output<GetZoneProtectionProfileListResult>

def get_zone_protection_profile_list(device: Optional[str] = None,
                                     folder: Optional[str] = None,
                                     limit: Optional[int] = None,
                                     name: Optional[str] = None,
                                     offset: Optional[int] = None,
                                     snippet: Optional[str] = None,
                                     opts: Optional[InvokeOptions] = None) -> GetZoneProtectionProfileListResult
def get_zone_protection_profile_list_output(device: Optional[pulumi.Input[str]] = None,
                                     folder: Optional[pulumi.Input[str]] = None,
                                     limit: Optional[pulumi.Input[int]] = None,
                                     name: Optional[pulumi.Input[str]] = None,
                                     offset: Optional[pulumi.Input[int]] = None,
                                     snippet: Optional[pulumi.Input[str]] = None,
                                     opts: Optional[InvokeOptions] = None) -> Output[GetZoneProtectionProfileListResult]

func GetZoneProtectionProfileList(ctx *Context, args *GetZoneProtectionProfileListArgs, opts ...InvokeOption) (*GetZoneProtectionProfileListResult, error)
func GetZoneProtectionProfileListOutput(ctx *Context, args *GetZoneProtectionProfileListOutputArgs, opts ...InvokeOption) GetZoneProtectionProfileListResultOutput

> Note: This function is named GetZoneProtectionProfileList in the Go SDK.

public static class GetZoneProtectionProfileList 
{
    public static Task<GetZoneProtectionProfileListResult> InvokeAsync(GetZoneProtectionProfileListArgs args, InvokeOptions? opts = null)
    public static Output<GetZoneProtectionProfileListResult> Invoke(GetZoneProtectionProfileListInvokeArgs args, InvokeOptions? opts = null)
}

public static CompletableFuture<GetZoneProtectionProfileListResult> getZoneProtectionProfileList(GetZoneProtectionProfileListArgs args, InvokeOptions options)
public static Output<GetZoneProtectionProfileListResult> getZoneProtectionProfileList(GetZoneProtectionProfileListArgs args, InvokeOptions options)

fn::invoke:
  function: scm:index/getZoneProtectionProfileList:getZoneProtectionProfileList
  arguments:
    # arguments dictionary

The following arguments are supported:

Device string
Folder string
Limit int
Name string
Offset int
Snippet string

Device string
Folder string
Limit int
Name string
Offset int
Snippet string

device String
folder String
limit Integer
name String
offset Integer
snippet String

device string
folder string
limit number
name string
offset number
snippet string

device str
folder str
limit int
name str
offset int
snippet str

device String
folder String
limit Number
name String
offset Number
snippet String

getZoneProtectionProfileList Result

The following output properties are available:

Datas List<GetZoneProtectionProfileListData>
Id string: The provider-assigned unique ID for this managed resource.
Tfid string
Total int
Device string
Folder string
Limit int
Name string
Offset int
Snippet string

Datas []GetZoneProtectionProfileListData
Id string: The provider-assigned unique ID for this managed resource.
Tfid string
Total int
Device string
Folder string
Limit int
Name string
Offset int
Snippet string

datas List<GetZoneProtectionProfileListData>
id String: The provider-assigned unique ID for this managed resource.
tfid String
total Integer
device String
folder String
limit Integer
name String
offset Integer
snippet String

datas GetZoneProtectionProfileListData[]
id string: The provider-assigned unique ID for this managed resource.
tfid string
total number
device string
folder string
limit number
name string
offset number
snippet string

datas Sequence[GetZoneProtectionProfileListData]
id str: The provider-assigned unique ID for this managed resource.
tfid str
total int
device str
folder str
limit int
name str
offset int
snippet str

datas List<Property Map>
id String: The provider-assigned unique ID for this managed resource.
tfid String
total Number
device String
folder String
limit Number
name String
offset Number
snippet String

Supporting Types

GetZoneProtectionProfileListData

AsymmetricPath string

Determine whether to drop or bypass packets that contain out-of-sync ACKs or out-of-window sequence numbers:

global — Use system-wide setting that is assigned through TCP Settings or the CLI.
drop — Drop packets that contain an asymmetric path.
bypass — Bypass scanning on packets that contain an asymmetric path.

Description string

The description of the profile

Device string

The device in which the resource is defined

DiscardIcmpEmbeddedError bool

Discard ICMP packets that are embedded with an error message.

Flood GetZoneProtectionProfileListDataFlood

Flood

Folder string

The folder in which the resource is defined

FragmentedTrafficDiscard bool

Discard fragmented IP packets.

IcmpFragDiscard bool

Discard packets that consist of ICMP fragments.

IcmpLargePacketDiscard bool

Discard ICMP packets that are larger than 1024 bytes.

IcmpPingZeroIdDiscard bool

Discard packets if the ICMP ping packet has an identifier value of 0.

Id string

UUID of the resource

Ipv6 GetZoneProtectionProfileListDataIpv6

Ipv6

L2SecGroupTagProtection GetZoneProtectionProfileListDataL2SecGroupTagProtection

L2 sec group tag protection

LooseSourceRoutingDiscard bool

Discard packets with the Loose Source Routing IP option set. Loose Source Routing is an option whereby a source of a datagram provides routing information and a gateway or host is allowed to choose any route of a number of intermediate gateways to get the datagram to the next address in the route.

MalformedOptionDiscard bool

Discard packets if they have incorrect combinations of class, number, and length based on RFCs 791, 1108, 1393, and 2113.

MismatchedOverlappingTcpSegmentDiscard bool

Drop packets with mismatched overlapping TCP segments.

MptcpOptionStrip string

MPTCP is an extension of TCP that allows a client to maintain a connection by simultaneously using multiple paths to connect to the destination host. By default, MPTCP support is disabled, based on the global MPTCP setting. Review or adjust the MPTCP settings for the security zones associated with this profile:

no — Enable MPTCP support (do not strip the MPTCP option).
yes — Disable MPTCP support (strip the MPTCP option). With this configured, MPTCP connections are converted to standard TCP connections, as MPTCP is backwards compatible with TCP.
global — Support MPTCP based on the global MPTCP setting. By default, the global MPTCP setting is set to yes so that MPTCP is disabled (the MPTCP option is stripped from the packet).

Name string

The profile name

NonIpProtocol GetZoneProtectionProfileListDataNonIpProtocol

Non ip protocol

RecordRouteDiscard bool

Discard packets with the Record Route IP option set. When a datagram has this option, each router that routes the datagram adds its own IP address to the header, thus providing the path to the recipient.

RejectNonSynTcp string

Determine whether to reject the packet if the first packet for the TCP session setup is not a SYN packet:

global — Use system-wide setting that is assigned through the CLI.
yes — Reject non-SYN TCP.
no — Accept non-SYN TCP.

ScanWhiteLists List<GetZoneProtectionProfileListDataScanWhiteList>

Scan white list

Scans List<GetZoneProtectionProfileListDataScan>

Scan

SecurityDiscard bool

Discard packets if the security option is defined.

Snippet string

The snippet in which the resource is defined

SpoofedIpDiscard bool

Check that the source IP address of the ingress packet is routable and the routing interface is in the same zone as the ingress interface. If either condition is not true, discard the packet.

StreamIdDiscard bool

Discard packets if the Stream ID option is defined.

StrictIpCheck bool

Check that both conditions are true:

The source IP address is not the subnet broadcast IP address of the ingress interface.
The source IP address is routable over the exact ingress interface. If either condition is not true, discard the packet.

StrictSourceRoutingDiscard bool

Discard packets with the Strict Source Routing IP option set. Strict Source Routing is an option whereby a source of a datagram provides routing information through which a gateway or host must send the datagram.

SuppressIcmpNeedfrag bool

Stop sending ICMP fragmentation needed messages in response to packets that exceed the interface MTU and have the do not fragment (DF) bit set. This setting will interfere with the PMTUD process performed by hosts behind the firewall.

SuppressIcmpTimeexceeded bool

Stop sending ICMP TTL expired messages.

TcpFastOpenAndDataStrip bool

Strip the TCP Fast Open option (and data payload, if any) from the TCP SYN or SYN-ACK packet during a TCP three-way handshake.

TcpHandshakeDiscard bool

Drop packets with split handshakes.

TcpSynWithDataDiscard bool

Prevent a TCP session from being established if the TCP SYN packet contains data during a three-way handshake.

TcpSynackWithDataDiscard bool

Prevent a TCP session from being established if the TCP SYN-ACK packet contains data during a three-way handshake.

TcpTimestampStrip bool

Determine whether the packet has a TCP timestamp in the header and, if it does, strip the timestamp from the header.

Tfid string

TimestampDiscard bool

Discard packets with the Timestamp IP option set.

UnknownOptionDiscard bool

Discard packets if the class and number are unknown.

AsymmetricPath string

Determine whether to drop or bypass packets that contain out-of-sync ACKs or out-of-window sequence numbers:

global — Use system-wide setting that is assigned through TCP Settings or the CLI.
drop — Drop packets that contain an asymmetric path.
bypass — Bypass scanning on packets that contain an asymmetric path.

Description string

The description of the profile

Device string

The device in which the resource is defined

DiscardIcmpEmbeddedError bool

Discard ICMP packets that are embedded with an error message.

Flood GetZoneProtectionProfileListDataFlood

Flood

Folder string

The folder in which the resource is defined

FragmentedTrafficDiscard bool

Discard fragmented IP packets.

IcmpFragDiscard bool

Discard packets that consist of ICMP fragments.

IcmpLargePacketDiscard bool

Discard ICMP packets that are larger than 1024 bytes.

IcmpPingZeroIdDiscard bool

Discard packets if the ICMP ping packet has an identifier value of 0.

Id string

UUID of the resource

Ipv6 GetZoneProtectionProfileListDataIpv6

Ipv6

L2SecGroupTagProtection GetZoneProtectionProfileListDataL2SecGroupTagProtection

L2 sec group tag protection

LooseSourceRoutingDiscard bool

MalformedOptionDiscard bool

Discard packets if they have incorrect combinations of class, number, and length based on RFCs 791, 1108, 1393, and 2113.

MismatchedOverlappingTcpSegmentDiscard bool

Drop packets with mismatched overlapping TCP segments.

MptcpOptionStrip string

no — Enable MPTCP support (do not strip the MPTCP option).
yes — Disable MPTCP support (strip the MPTCP option). With this configured, MPTCP connections are converted to standard TCP connections, as MPTCP is backwards compatible with TCP.
global — Support MPTCP based on the global MPTCP setting. By default, the global MPTCP setting is set to yes so that MPTCP is disabled (the MPTCP option is stripped from the packet).

Name string

The profile name

NonIpProtocol GetZoneProtectionProfileListDataNonIpProtocol

Non ip protocol

RecordRouteDiscard bool

RejectNonSynTcp string

Determine whether to reject the packet if the first packet for the TCP session setup is not a SYN packet:

global — Use system-wide setting that is assigned through the CLI.
yes — Reject non-SYN TCP.
no — Accept non-SYN TCP.

ScanWhiteLists []GetZoneProtectionProfileListDataScanWhiteList

Scan white list

Scans []GetZoneProtectionProfileListDataScan

Scan

SecurityDiscard bool

Discard packets if the security option is defined.

Snippet string

The snippet in which the resource is defined

SpoofedIpDiscard bool

Check that the source IP address of the ingress packet is routable and the routing interface is in the same zone as the ingress interface. If either condition is not true, discard the packet.

StreamIdDiscard bool

Discard packets if the Stream ID option is defined.

StrictIpCheck bool

Check that both conditions are true:

The source IP address is not the subnet broadcast IP address of the ingress interface.
The source IP address is routable over the exact ingress interface. If either condition is not true, discard the packet.

StrictSourceRoutingDiscard bool

SuppressIcmpNeedfrag bool

SuppressIcmpTimeexceeded bool

Stop sending ICMP TTL expired messages.

TcpFastOpenAndDataStrip bool

Strip the TCP Fast Open option (and data payload, if any) from the TCP SYN or SYN-ACK packet during a TCP three-way handshake.

TcpHandshakeDiscard bool

Drop packets with split handshakes.

TcpSynWithDataDiscard bool

Prevent a TCP session from being established if the TCP SYN packet contains data during a three-way handshake.

TcpSynackWithDataDiscard bool

Prevent a TCP session from being established if the TCP SYN-ACK packet contains data during a three-way handshake.

TcpTimestampStrip bool

Determine whether the packet has a TCP timestamp in the header and, if it does, strip the timestamp from the header.

Tfid string

TimestampDiscard bool

Discard packets with the Timestamp IP option set.

UnknownOptionDiscard bool

Discard packets if the class and number are unknown.

asymmetricPath String

Determine whether to drop or bypass packets that contain out-of-sync ACKs or out-of-window sequence numbers:

global — Use system-wide setting that is assigned through TCP Settings or the CLI.
drop — Drop packets that contain an asymmetric path.
bypass — Bypass scanning on packets that contain an asymmetric path.

description String

The description of the profile

device String

The device in which the resource is defined

discardIcmpEmbeddedError Boolean

Discard ICMP packets that are embedded with an error message.

flood GetZoneProtectionProfileListDataFlood

Flood

folder String

The folder in which the resource is defined

fragmentedTrafficDiscard Boolean

Discard fragmented IP packets.

icmpFragDiscard Boolean

Discard packets that consist of ICMP fragments.

icmpLargePacketDiscard Boolean

Discard ICMP packets that are larger than 1024 bytes.

icmpPingZeroIdDiscard Boolean

Discard packets if the ICMP ping packet has an identifier value of 0.

id String

UUID of the resource

ipv6 GetZoneProtectionProfileListDataIpv6

Ipv6

l2SecGroupTagProtection GetZoneProtectionProfileListDataL2SecGroupTagProtection

L2 sec group tag protection

looseSourceRoutingDiscard Boolean

malformedOptionDiscard Boolean

Discard packets if they have incorrect combinations of class, number, and length based on RFCs 791, 1108, 1393, and 2113.

mismatchedOverlappingTcpSegmentDiscard Boolean

Drop packets with mismatched overlapping TCP segments.

mptcpOptionStrip String

no — Enable MPTCP support (do not strip the MPTCP option).
yes — Disable MPTCP support (strip the MPTCP option). With this configured, MPTCP connections are converted to standard TCP connections, as MPTCP is backwards compatible with TCP.
global — Support MPTCP based on the global MPTCP setting. By default, the global MPTCP setting is set to yes so that MPTCP is disabled (the MPTCP option is stripped from the packet).

name String

The profile name

nonIpProtocol GetZoneProtectionProfileListDataNonIpProtocol

Non ip protocol

recordRouteDiscard Boolean

rejectNonSynTcp String

Determine whether to reject the packet if the first packet for the TCP session setup is not a SYN packet:

global — Use system-wide setting that is assigned through the CLI.
yes — Reject non-SYN TCP.
no — Accept non-SYN TCP.

scanWhiteLists List<GetZoneProtectionProfileListDataScanWhiteList>

Scan white list

scans List<GetZoneProtectionProfileListDataScan>

Scan

securityDiscard Boolean

Discard packets if the security option is defined.

snippet String

The snippet in which the resource is defined

spoofedIpDiscard Boolean

Check that the source IP address of the ingress packet is routable and the routing interface is in the same zone as the ingress interface. If either condition is not true, discard the packet.

streamIdDiscard Boolean

Discard packets if the Stream ID option is defined.

strictIpCheck Boolean

Check that both conditions are true:

The source IP address is not the subnet broadcast IP address of the ingress interface.
The source IP address is routable over the exact ingress interface. If either condition is not true, discard the packet.

strictSourceRoutingDiscard Boolean

suppressIcmpNeedfrag Boolean

suppressIcmpTimeexceeded Boolean

Stop sending ICMP TTL expired messages.

tcpFastOpenAndDataStrip Boolean

Strip the TCP Fast Open option (and data payload, if any) from the TCP SYN or SYN-ACK packet during a TCP three-way handshake.

tcpHandshakeDiscard Boolean

Drop packets with split handshakes.

tcpSynWithDataDiscard Boolean

Prevent a TCP session from being established if the TCP SYN packet contains data during a three-way handshake.

tcpSynackWithDataDiscard Boolean

Prevent a TCP session from being established if the TCP SYN-ACK packet contains data during a three-way handshake.

tcpTimestampStrip Boolean

Determine whether the packet has a TCP timestamp in the header and, if it does, strip the timestamp from the header.

tfid String

timestampDiscard Boolean

Discard packets with the Timestamp IP option set.

unknownOptionDiscard Boolean

Discard packets if the class and number are unknown.

asymmetricPath string

Determine whether to drop or bypass packets that contain out-of-sync ACKs or out-of-window sequence numbers:

global — Use system-wide setting that is assigned through TCP Settings or the CLI.
drop — Drop packets that contain an asymmetric path.
bypass — Bypass scanning on packets that contain an asymmetric path.

description string

The description of the profile

device string

The device in which the resource is defined

discardIcmpEmbeddedError boolean

Discard ICMP packets that are embedded with an error message.

flood GetZoneProtectionProfileListDataFlood

Flood

folder string

The folder in which the resource is defined

fragmentedTrafficDiscard boolean

Discard fragmented IP packets.

icmpFragDiscard boolean

Discard packets that consist of ICMP fragments.

icmpLargePacketDiscard boolean

Discard ICMP packets that are larger than 1024 bytes.

icmpPingZeroIdDiscard boolean

Discard packets if the ICMP ping packet has an identifier value of 0.

id string

UUID of the resource

ipv6 GetZoneProtectionProfileListDataIpv6

Ipv6

l2SecGroupTagProtection GetZoneProtectionProfileListDataL2SecGroupTagProtection

L2 sec group tag protection

looseSourceRoutingDiscard boolean

malformedOptionDiscard boolean

Discard packets if they have incorrect combinations of class, number, and length based on RFCs 791, 1108, 1393, and 2113.

mismatchedOverlappingTcpSegmentDiscard boolean

Drop packets with mismatched overlapping TCP segments.

mptcpOptionStrip string

no — Enable MPTCP support (do not strip the MPTCP option).
yes — Disable MPTCP support (strip the MPTCP option). With this configured, MPTCP connections are converted to standard TCP connections, as MPTCP is backwards compatible with TCP.
global — Support MPTCP based on the global MPTCP setting. By default, the global MPTCP setting is set to yes so that MPTCP is disabled (the MPTCP option is stripped from the packet).

name string

The profile name

nonIpProtocol GetZoneProtectionProfileListDataNonIpProtocol

Non ip protocol

recordRouteDiscard boolean

rejectNonSynTcp string

Determine whether to reject the packet if the first packet for the TCP session setup is not a SYN packet:

global — Use system-wide setting that is assigned through the CLI.
yes — Reject non-SYN TCP.
no — Accept non-SYN TCP.

scanWhiteLists GetZoneProtectionProfileListDataScanWhiteList[]

Scan white list

scans GetZoneProtectionProfileListDataScan[]

Scan

securityDiscard boolean

Discard packets if the security option is defined.

snippet string

The snippet in which the resource is defined

spoofedIpDiscard boolean

Check that the source IP address of the ingress packet is routable and the routing interface is in the same zone as the ingress interface. If either condition is not true, discard the packet.

streamIdDiscard boolean

Discard packets if the Stream ID option is defined.

strictIpCheck boolean

Check that both conditions are true:

The source IP address is not the subnet broadcast IP address of the ingress interface.
The source IP address is routable over the exact ingress interface. If either condition is not true, discard the packet.

strictSourceRoutingDiscard boolean

suppressIcmpNeedfrag boolean

suppressIcmpTimeexceeded boolean

Stop sending ICMP TTL expired messages.

tcpFastOpenAndDataStrip boolean

Strip the TCP Fast Open option (and data payload, if any) from the TCP SYN or SYN-ACK packet during a TCP three-way handshake.

tcpHandshakeDiscard boolean

Drop packets with split handshakes.

tcpSynWithDataDiscard boolean

Prevent a TCP session from being established if the TCP SYN packet contains data during a three-way handshake.

tcpSynackWithDataDiscard boolean

Prevent a TCP session from being established if the TCP SYN-ACK packet contains data during a three-way handshake.

tcpTimestampStrip boolean

Determine whether the packet has a TCP timestamp in the header and, if it does, strip the timestamp from the header.

tfid string

timestampDiscard boolean

Discard packets with the Timestamp IP option set.

unknownOptionDiscard boolean

Discard packets if the class and number are unknown.

asymmetric_path str

Determine whether to drop or bypass packets that contain out-of-sync ACKs or out-of-window sequence numbers:

global — Use system-wide setting that is assigned through TCP Settings or the CLI.
drop — Drop packets that contain an asymmetric path.
bypass — Bypass scanning on packets that contain an asymmetric path.

description str

The description of the profile

device str

The device in which the resource is defined

discard_icmp_embedded_error bool

Discard ICMP packets that are embedded with an error message.

flood GetZoneProtectionProfileListDataFlood

Flood

folder str

The folder in which the resource is defined

fragmented_traffic_discard bool

Discard fragmented IP packets.

icmp_frag_discard bool

Discard packets that consist of ICMP fragments.

icmp_large_packet_discard bool

Discard ICMP packets that are larger than 1024 bytes.

icmp_ping_zero_id_discard bool

Discard packets if the ICMP ping packet has an identifier value of 0.

id str

UUID of the resource

ipv6 GetZoneProtectionProfileListDataIpv6

Ipv6

l2_sec_group_tag_protection GetZoneProtectionProfileListDataL2SecGroupTagProtection

L2 sec group tag protection

loose_source_routing_discard bool

malformed_option_discard bool

Discard packets if they have incorrect combinations of class, number, and length based on RFCs 791, 1108, 1393, and 2113.

mismatched_overlapping_tcp_segment_discard bool

Drop packets with mismatched overlapping TCP segments.

mptcp_option_strip str

no — Enable MPTCP support (do not strip the MPTCP option).
yes — Disable MPTCP support (strip the MPTCP option). With this configured, MPTCP connections are converted to standard TCP connections, as MPTCP is backwards compatible with TCP.
global — Support MPTCP based on the global MPTCP setting. By default, the global MPTCP setting is set to yes so that MPTCP is disabled (the MPTCP option is stripped from the packet).

name str

The profile name

non_ip_protocol GetZoneProtectionProfileListDataNonIpProtocol

Non ip protocol

record_route_discard bool

reject_non_syn_tcp str

Determine whether to reject the packet if the first packet for the TCP session setup is not a SYN packet:

global — Use system-wide setting that is assigned through the CLI.
yes — Reject non-SYN TCP.
no — Accept non-SYN TCP.

scan_white_lists Sequence[GetZoneProtectionProfileListDataScanWhiteList]

Scan white list

scans Sequence[GetZoneProtectionProfileListDataScan]

Scan

security_discard bool

Discard packets if the security option is defined.

snippet str

The snippet in which the resource is defined

spoofed_ip_discard bool

Check that the source IP address of the ingress packet is routable and the routing interface is in the same zone as the ingress interface. If either condition is not true, discard the packet.

stream_id_discard bool

Discard packets if the Stream ID option is defined.

strict_ip_check bool

Check that both conditions are true:

The source IP address is not the subnet broadcast IP address of the ingress interface.
The source IP address is routable over the exact ingress interface. If either condition is not true, discard the packet.

strict_source_routing_discard bool

suppress_icmp_needfrag bool

suppress_icmp_timeexceeded bool

Stop sending ICMP TTL expired messages.

tcp_fast_open_and_data_strip bool

Strip the TCP Fast Open option (and data payload, if any) from the TCP SYN or SYN-ACK packet during a TCP three-way handshake.

tcp_handshake_discard bool

Drop packets with split handshakes.

tcp_syn_with_data_discard bool

Prevent a TCP session from being established if the TCP SYN packet contains data during a three-way handshake.

tcp_synack_with_data_discard bool

Prevent a TCP session from being established if the TCP SYN-ACK packet contains data during a three-way handshake.

tcp_timestamp_strip bool

Determine whether the packet has a TCP timestamp in the header and, if it does, strip the timestamp from the header.

tfid str

timestamp_discard bool

Discard packets with the Timestamp IP option set.

unknown_option_discard bool

Discard packets if the class and number are unknown.

asymmetricPath String

Determine whether to drop or bypass packets that contain out-of-sync ACKs or out-of-window sequence numbers:

global — Use system-wide setting that is assigned through TCP Settings or the CLI.
drop — Drop packets that contain an asymmetric path.
bypass — Bypass scanning on packets that contain an asymmetric path.

description String

The description of the profile

device String

The device in which the resource is defined

discardIcmpEmbeddedError Boolean

Discard ICMP packets that are embedded with an error message.

flood Property Map

Flood

folder String

The folder in which the resource is defined

fragmentedTrafficDiscard Boolean

Discard fragmented IP packets.

icmpFragDiscard Boolean

Discard packets that consist of ICMP fragments.

icmpLargePacketDiscard Boolean

Discard ICMP packets that are larger than 1024 bytes.

icmpPingZeroIdDiscard Boolean

Discard packets if the ICMP ping packet has an identifier value of 0.

id String

UUID of the resource

ipv6 Property Map

Ipv6

l2SecGroupTagProtection Property Map

L2 sec group tag protection

looseSourceRoutingDiscard Boolean

malformedOptionDiscard Boolean

Discard packets if they have incorrect combinations of class, number, and length based on RFCs 791, 1108, 1393, and 2113.

mismatchedOverlappingTcpSegmentDiscard Boolean

Drop packets with mismatched overlapping TCP segments.

mptcpOptionStrip String

no — Enable MPTCP support (do not strip the MPTCP option).
yes — Disable MPTCP support (strip the MPTCP option). With this configured, MPTCP connections are converted to standard TCP connections, as MPTCP is backwards compatible with TCP.
global — Support MPTCP based on the global MPTCP setting. By default, the global MPTCP setting is set to yes so that MPTCP is disabled (the MPTCP option is stripped from the packet).

name String

The profile name

nonIpProtocol Property Map

Non ip protocol

recordRouteDiscard Boolean

rejectNonSynTcp String

Determine whether to reject the packet if the first packet for the TCP session setup is not a SYN packet:

global — Use system-wide setting that is assigned through the CLI.
yes — Reject non-SYN TCP.
no — Accept non-SYN TCP.

scanWhiteLists List<Property Map>

Scan white list

scans List<Property Map>

Scan

securityDiscard Boolean

Discard packets if the security option is defined.

snippet String

The snippet in which the resource is defined

spoofedIpDiscard Boolean

Check that the source IP address of the ingress packet is routable and the routing interface is in the same zone as the ingress interface. If either condition is not true, discard the packet.

streamIdDiscard Boolean

Discard packets if the Stream ID option is defined.

strictIpCheck Boolean

Check that both conditions are true:

The source IP address is not the subnet broadcast IP address of the ingress interface.
The source IP address is routable over the exact ingress interface. If either condition is not true, discard the packet.

strictSourceRoutingDiscard Boolean

suppressIcmpNeedfrag Boolean

suppressIcmpTimeexceeded Boolean

Stop sending ICMP TTL expired messages.

tcpFastOpenAndDataStrip Boolean

Strip the TCP Fast Open option (and data payload, if any) from the TCP SYN or SYN-ACK packet during a TCP three-way handshake.

tcpHandshakeDiscard Boolean

Drop packets with split handshakes.

tcpSynWithDataDiscard Boolean

Prevent a TCP session from being established if the TCP SYN packet contains data during a three-way handshake.

tcpSynackWithDataDiscard Boolean

Prevent a TCP session from being established if the TCP SYN-ACK packet contains data during a three-way handshake.

tcpTimestampStrip Boolean

Determine whether the packet has a TCP timestamp in the header and, if it does, strip the timestamp from the header.

tfid String

timestampDiscard Boolean

Discard packets with the Timestamp IP option set.

unknownOptionDiscard Boolean

Discard packets if the class and number are unknown.

GetZoneProtectionProfileListDataFlood

Icmp GetZoneProtectionProfileListDataFloodIcmp: Icmp
Icmpv6 GetZoneProtectionProfileListDataFloodIcmpv6: Icmpv6
OtherIp GetZoneProtectionProfileListDataFloodOtherIp: Other ip
SctpInit GetZoneProtectionProfileListDataFloodSctpInit: Sctp init
TcpSyn GetZoneProtectionProfileListDataFloodTcpSyn: Tcp syn
Udp GetZoneProtectionProfileListDataFloodUdp: Udp

Icmp GetZoneProtectionProfileListDataFloodIcmp: Icmp
Icmpv6 GetZoneProtectionProfileListDataFloodIcmpv6: Icmpv6
OtherIp GetZoneProtectionProfileListDataFloodOtherIp: Other ip
SctpInit GetZoneProtectionProfileListDataFloodSctpInit: Sctp init
TcpSyn GetZoneProtectionProfileListDataFloodTcpSyn: Tcp syn
Udp GetZoneProtectionProfileListDataFloodUdp: Udp

icmp GetZoneProtectionProfileListDataFloodIcmp: Icmp
icmpv6 GetZoneProtectionProfileListDataFloodIcmpv6: Icmpv6
otherIp GetZoneProtectionProfileListDataFloodOtherIp: Other ip
sctpInit GetZoneProtectionProfileListDataFloodSctpInit: Sctp init
tcpSyn GetZoneProtectionProfileListDataFloodTcpSyn: Tcp syn
udp GetZoneProtectionProfileListDataFloodUdp: Udp

icmp GetZoneProtectionProfileListDataFloodIcmp: Icmp
icmpv6 GetZoneProtectionProfileListDataFloodIcmpv6: Icmpv6
otherIp GetZoneProtectionProfileListDataFloodOtherIp: Other ip
sctpInit GetZoneProtectionProfileListDataFloodSctpInit: Sctp init
tcpSyn GetZoneProtectionProfileListDataFloodTcpSyn: Tcp syn
udp GetZoneProtectionProfileListDataFloodUdp: Udp

icmp GetZoneProtectionProfileListDataFloodIcmp: Icmp
icmpv6 GetZoneProtectionProfileListDataFloodIcmpv6: Icmpv6
other_ip GetZoneProtectionProfileListDataFloodOtherIp: Other ip
sctp_init GetZoneProtectionProfileListDataFloodSctpInit: Sctp init
tcp_syn GetZoneProtectionProfileListDataFloodTcpSyn: Tcp syn
udp GetZoneProtectionProfileListDataFloodUdp: Udp

icmp Property Map: Icmp
icmpv6 Property Map: Icmpv6
otherIp Property Map: Other ip
sctpInit Property Map: Sctp init
tcpSyn Property Map: Tcp syn
udp Property Map: Udp

GetZoneProtectionProfileListDataFloodIcmp

Enable bool: Enable protection against ICMP floods?
Red GetZoneProtectionProfileListDataFloodIcmpRed: Red

Enable bool: Enable protection against ICMP floods?
Red GetZoneProtectionProfileListDataFloodIcmpRed: Red

enable Boolean: Enable protection against ICMP floods?
red GetZoneProtectionProfileListDataFloodIcmpRed: Red

enable boolean: Enable protection against ICMP floods?
red GetZoneProtectionProfileListDataFloodIcmpRed: Red

enable bool: Enable protection against ICMP floods?
red GetZoneProtectionProfileListDataFloodIcmpRed: Red

enable Boolean: Enable protection against ICMP floods?
red Property Map: Red

GetZoneProtectionProfileListDataFloodIcmpRed

ActivateRate int: The number of ICMP packets (not matching an existing session) that the zone receives per second before subsequent ICMP packets are dropped.
AlarmRate int: The number of ICMP echo requests (pings not matching an existing session) that the zone receives per second that triggers an attack alarm.
MaximalRate int: The maximum number of ICMP packets (not matching an existing session) that the zone receives per second before packets exceeding the maximum are dropped.

ActivateRate int: The number of ICMP packets (not matching an existing session) that the zone receives per second before subsequent ICMP packets are dropped.
AlarmRate int: The number of ICMP echo requests (pings not matching an existing session) that the zone receives per second that triggers an attack alarm.
MaximalRate int: The maximum number of ICMP packets (not matching an existing session) that the zone receives per second before packets exceeding the maximum are dropped.

activateRate Integer: The number of ICMP packets (not matching an existing session) that the zone receives per second before subsequent ICMP packets are dropped.
alarmRate Integer: The number of ICMP echo requests (pings not matching an existing session) that the zone receives per second that triggers an attack alarm.
maximalRate Integer: The maximum number of ICMP packets (not matching an existing session) that the zone receives per second before packets exceeding the maximum are dropped.

activateRate number: The number of ICMP packets (not matching an existing session) that the zone receives per second before subsequent ICMP packets are dropped.
alarmRate number: The number of ICMP echo requests (pings not matching an existing session) that the zone receives per second that triggers an attack alarm.
maximalRate number: The maximum number of ICMP packets (not matching an existing session) that the zone receives per second before packets exceeding the maximum are dropped.

activate_rate int: The number of ICMP packets (not matching an existing session) that the zone receives per second before subsequent ICMP packets are dropped.
alarm_rate int: The number of ICMP echo requests (pings not matching an existing session) that the zone receives per second that triggers an attack alarm.
maximal_rate int: The maximum number of ICMP packets (not matching an existing session) that the zone receives per second before packets exceeding the maximum are dropped.

activateRate Number: The number of ICMP packets (not matching an existing session) that the zone receives per second before subsequent ICMP packets are dropped.
alarmRate Number: The number of ICMP echo requests (pings not matching an existing session) that the zone receives per second that triggers an attack alarm.
maximalRate Number: The maximum number of ICMP packets (not matching an existing session) that the zone receives per second before packets exceeding the maximum are dropped.

GetZoneProtectionProfileListDataFloodIcmpv6

Enable bool: Enable protection against ICMPv6 floods?
Red GetZoneProtectionProfileListDataFloodIcmpv6Red: Red

Enable bool: Enable protection against ICMPv6 floods?
Red GetZoneProtectionProfileListDataFloodIcmpv6Red: Red

enable Boolean: Enable protection against ICMPv6 floods?
red GetZoneProtectionProfileListDataFloodIcmpv6Red: Red

enable boolean: Enable protection against ICMPv6 floods?
red GetZoneProtectionProfileListDataFloodIcmpv6Red: Red

enable bool: Enable protection against ICMPv6 floods?
red GetZoneProtectionProfileListDataFloodIcmpv6Red: Red

enable Boolean: Enable protection against ICMPv6 floods?
red Property Map: Red

GetZoneProtectionProfileListDataFloodIcmpv6Red

ActivateRate int: The number of ICMPv6 packets (not matching an existing session) that the zone receives per second before subsequent ICMPv6 packets are dropped.
AlarmRate int: The number of ICMPv6 echo requests (pings not matching an existing session) that the zone receives per second that triggers an attack alarm.
MaximalRate int: The maximum number of ICMPv6 packets (not matching an existing session) that the zone receives per second before packets exceeding the maximum are dropped.

ActivateRate int: The number of ICMPv6 packets (not matching an existing session) that the zone receives per second before subsequent ICMPv6 packets are dropped.
AlarmRate int: The number of ICMPv6 echo requests (pings not matching an existing session) that the zone receives per second that triggers an attack alarm.
MaximalRate int: The maximum number of ICMPv6 packets (not matching an existing session) that the zone receives per second before packets exceeding the maximum are dropped.

activateRate Integer: The number of ICMPv6 packets (not matching an existing session) that the zone receives per second before subsequent ICMPv6 packets are dropped.
alarmRate Integer: The number of ICMPv6 echo requests (pings not matching an existing session) that the zone receives per second that triggers an attack alarm.
maximalRate Integer: The maximum number of ICMPv6 packets (not matching an existing session) that the zone receives per second before packets exceeding the maximum are dropped.

activateRate number: The number of ICMPv6 packets (not matching an existing session) that the zone receives per second before subsequent ICMPv6 packets are dropped.
alarmRate number: The number of ICMPv6 echo requests (pings not matching an existing session) that the zone receives per second that triggers an attack alarm.
maximalRate number: The maximum number of ICMPv6 packets (not matching an existing session) that the zone receives per second before packets exceeding the maximum are dropped.

activate_rate int: The number of ICMPv6 packets (not matching an existing session) that the zone receives per second before subsequent ICMPv6 packets are dropped.
alarm_rate int: The number of ICMPv6 echo requests (pings not matching an existing session) that the zone receives per second that triggers an attack alarm.
maximal_rate int: The maximum number of ICMPv6 packets (not matching an existing session) that the zone receives per second before packets exceeding the maximum are dropped.

activateRate Number: The number of ICMPv6 packets (not matching an existing session) that the zone receives per second before subsequent ICMPv6 packets are dropped.
alarmRate Number: The number of ICMPv6 echo requests (pings not matching an existing session) that the zone receives per second that triggers an attack alarm.
maximalRate Number: The maximum number of ICMPv6 packets (not matching an existing session) that the zone receives per second before packets exceeding the maximum are dropped.

GetZoneProtectionProfileListDataFloodOtherIp

Enable bool: Enable protection against other IP (non-TCP, non-ICMP, non-ICMPv6, non-SCTP, and non-UDP) floods?
Red GetZoneProtectionProfileListDataFloodOtherIpRed: Red

Enable bool: Enable protection against other IP (non-TCP, non-ICMP, non-ICMPv6, non-SCTP, and non-UDP) floods?
Red GetZoneProtectionProfileListDataFloodOtherIpRed: Red

enable Boolean: Enable protection against other IP (non-TCP, non-ICMP, non-ICMPv6, non-SCTP, and non-UDP) floods?
red GetZoneProtectionProfileListDataFloodOtherIpRed: Red

enable boolean: Enable protection against other IP (non-TCP, non-ICMP, non-ICMPv6, non-SCTP, and non-UDP) floods?
red GetZoneProtectionProfileListDataFloodOtherIpRed: Red

enable bool: Enable protection against other IP (non-TCP, non-ICMP, non-ICMPv6, non-SCTP, and non-UDP) floods?
red GetZoneProtectionProfileListDataFloodOtherIpRed: Red

enable Boolean: Enable protection against other IP (non-TCP, non-ICMP, non-ICMPv6, non-SCTP, and non-UDP) floods?
red Property Map: Red

GetZoneProtectionProfileListDataFloodOtherIpRed

ActivateRate int: Activate rate
AlarmRate int: Alarm rate
MaximalRate int: Maximal rate

ActivateRate int: Activate rate
AlarmRate int: Alarm rate
MaximalRate int: Maximal rate

activateRate Integer: Activate rate
alarmRate Integer: Alarm rate
maximalRate Integer: Maximal rate

activateRate number: Activate rate
alarmRate number: Alarm rate
maximalRate number: Maximal rate

activate_rate int: Activate rate
alarm_rate int: Alarm rate
maximal_rate int: Maximal rate

activateRate Number: Activate rate
alarmRate Number: Alarm rate
maximalRate Number: Maximal rate

GetZoneProtectionProfileListDataFloodSctpInit

Enable bool: Enable protection against floods of Stream Control Transmission Protocol (SCTP) packets that contain an Initiation (INIT) chunk?
Red GetZoneProtectionProfileListDataFloodSctpInitRed: Red

Enable bool: Enable protection against floods of Stream Control Transmission Protocol (SCTP) packets that contain an Initiation (INIT) chunk?
Red GetZoneProtectionProfileListDataFloodSctpInitRed: Red

enable Boolean: Enable protection against floods of Stream Control Transmission Protocol (SCTP) packets that contain an Initiation (INIT) chunk?
red GetZoneProtectionProfileListDataFloodSctpInitRed: Red

enable boolean: Enable protection against floods of Stream Control Transmission Protocol (SCTP) packets that contain an Initiation (INIT) chunk?
red GetZoneProtectionProfileListDataFloodSctpInitRed: Red

enable bool: Enable protection against floods of Stream Control Transmission Protocol (SCTP) packets that contain an Initiation (INIT) chunk?
red GetZoneProtectionProfileListDataFloodSctpInitRed: Red

enable Boolean: Enable protection against floods of Stream Control Transmission Protocol (SCTP) packets that contain an Initiation (INIT) chunk?
red Property Map: Red

GetZoneProtectionProfileListDataFloodSctpInitRed

ActivateRate int: The number of SCTP INIT packets (not matching an existing session) that the zone receives per second before subsequent SCTP INIT packets are dropped.
AlarmRate int: The number of SCTP INIT packets (not matching an existing session) that the zone receives per second that triggers an attack alarm.
MaximalRate int: The maximum number of SCTP INIT packets (not matching an existing session) that the zone receives per second before packets exceeding the maximum are dropped.

ActivateRate int: The number of SCTP INIT packets (not matching an existing session) that the zone receives per second before subsequent SCTP INIT packets are dropped.
AlarmRate int: The number of SCTP INIT packets (not matching an existing session) that the zone receives per second that triggers an attack alarm.
MaximalRate int: The maximum number of SCTP INIT packets (not matching an existing session) that the zone receives per second before packets exceeding the maximum are dropped.

activateRate Integer: The number of SCTP INIT packets (not matching an existing session) that the zone receives per second before subsequent SCTP INIT packets are dropped.
alarmRate Integer: The number of SCTP INIT packets (not matching an existing session) that the zone receives per second that triggers an attack alarm.
maximalRate Integer: The maximum number of SCTP INIT packets (not matching an existing session) that the zone receives per second before packets exceeding the maximum are dropped.

activateRate number: The number of SCTP INIT packets (not matching an existing session) that the zone receives per second before subsequent SCTP INIT packets are dropped.
alarmRate number: The number of SCTP INIT packets (not matching an existing session) that the zone receives per second that triggers an attack alarm.
maximalRate number: The maximum number of SCTP INIT packets (not matching an existing session) that the zone receives per second before packets exceeding the maximum are dropped.

activate_rate int: The number of SCTP INIT packets (not matching an existing session) that the zone receives per second before subsequent SCTP INIT packets are dropped.
alarm_rate int: The number of SCTP INIT packets (not matching an existing session) that the zone receives per second that triggers an attack alarm.
maximal_rate int: The maximum number of SCTP INIT packets (not matching an existing session) that the zone receives per second before packets exceeding the maximum are dropped.

activateRate Number: The number of SCTP INIT packets (not matching an existing session) that the zone receives per second before subsequent SCTP INIT packets are dropped.
alarmRate Number: The number of SCTP INIT packets (not matching an existing session) that the zone receives per second that triggers an attack alarm.
maximalRate Number: The maximum number of SCTP INIT packets (not matching an existing session) that the zone receives per second before packets exceeding the maximum are dropped.

GetZoneProtectionProfileListDataFloodTcpSyn

Enable bool: Enable protection against SYN floods?
Red GetZoneProtectionProfileListDataFloodTcpSynRed: Red
SynCookies GetZoneProtectionProfileListDataFloodTcpSynSynCookies: Syn cookies

Enable bool: Enable protection against SYN floods?
Red GetZoneProtectionProfileListDataFloodTcpSynRed: Red
SynCookies GetZoneProtectionProfileListDataFloodTcpSynSynCookies: Syn cookies

enable Boolean: Enable protection against SYN floods?
red GetZoneProtectionProfileListDataFloodTcpSynRed: Red
synCookies GetZoneProtectionProfileListDataFloodTcpSynSynCookies: Syn cookies

enable boolean: Enable protection against SYN floods?
red GetZoneProtectionProfileListDataFloodTcpSynRed: Red
synCookies GetZoneProtectionProfileListDataFloodTcpSynSynCookies: Syn cookies

enable bool: Enable protection against SYN floods?
red GetZoneProtectionProfileListDataFloodTcpSynRed: Red
syn_cookies GetZoneProtectionProfileListDataFloodTcpSynSynCookies: Syn cookies

enable Boolean: Enable protection against SYN floods?
red Property Map: Red
synCookies Property Map: Syn cookies

GetZoneProtectionProfileListDataFloodTcpSynRed

ActivateRate int: When the flow exceeds the activate_rate` threshold, the firewall drops individual SYN packets randomly to restrict the flow.
AlarmRate int: When the flow exceeds the alert_rate` threshold, an alarm is generated.
MaximalRate int: When the flow exceeds the maximal_rate threshold, 100% of incoming SYN packets are dropped.

ActivateRate int: When the flow exceeds the activate_rate` threshold, the firewall drops individual SYN packets randomly to restrict the flow.
AlarmRate int: When the flow exceeds the alert_rate` threshold, an alarm is generated.
MaximalRate int: When the flow exceeds the maximal_rate threshold, 100% of incoming SYN packets are dropped.

activateRate Integer: When the flow exceeds the activate_rate` threshold, the firewall drops individual SYN packets randomly to restrict the flow.
alarmRate Integer: When the flow exceeds the alert_rate` threshold, an alarm is generated.
maximalRate Integer: When the flow exceeds the maximal_rate threshold, 100% of incoming SYN packets are dropped.

activateRate number: When the flow exceeds the activate_rate` threshold, the firewall drops individual SYN packets randomly to restrict the flow.
alarmRate number: When the flow exceeds the alert_rate` threshold, an alarm is generated.
maximalRate number: When the flow exceeds the maximal_rate threshold, 100% of incoming SYN packets are dropped.

activate_rate int: When the flow exceeds the activate_rate` threshold, the firewall drops individual SYN packets randomly to restrict the flow.
alarm_rate int: When the flow exceeds the alert_rate` threshold, an alarm is generated.
maximal_rate int: When the flow exceeds the maximal_rate threshold, 100% of incoming SYN packets are dropped.

activateRate Number: When the flow exceeds the activate_rate` threshold, the firewall drops individual SYN packets randomly to restrict the flow.
alarmRate Number: When the flow exceeds the alert_rate` threshold, an alarm is generated.
maximalRate Number: When the flow exceeds the maximal_rate threshold, 100% of incoming SYN packets are dropped.

GetZoneProtectionProfileListDataFloodTcpSynSynCookies

ActivateRate int: When the flow exceeds the activate_rate` threshold, the firewall drops individual SYN packets randomly to restrict the flow.
AlarmRate int: When the flow exceeds the alert_rate` threshold, an alarm is generated.
MaximalRate int: When the flow exceeds the maximal_rate threshold, 100% of incoming SYN packets are dropped.

ActivateRate int: When the flow exceeds the activate_rate` threshold, the firewall drops individual SYN packets randomly to restrict the flow.
AlarmRate int: When the flow exceeds the alert_rate` threshold, an alarm is generated.
MaximalRate int: When the flow exceeds the maximal_rate threshold, 100% of incoming SYN packets are dropped.

activateRate Integer: When the flow exceeds the activate_rate` threshold, the firewall drops individual SYN packets randomly to restrict the flow.
alarmRate Integer: When the flow exceeds the alert_rate` threshold, an alarm is generated.
maximalRate Integer: When the flow exceeds the maximal_rate threshold, 100% of incoming SYN packets are dropped.

activateRate number: When the flow exceeds the activate_rate` threshold, the firewall drops individual SYN packets randomly to restrict the flow.
alarmRate number: When the flow exceeds the alert_rate` threshold, an alarm is generated.
maximalRate number: When the flow exceeds the maximal_rate threshold, 100% of incoming SYN packets are dropped.

activate_rate int: When the flow exceeds the activate_rate` threshold, the firewall drops individual SYN packets randomly to restrict the flow.
alarm_rate int: When the flow exceeds the alert_rate` threshold, an alarm is generated.
maximal_rate int: When the flow exceeds the maximal_rate threshold, 100% of incoming SYN packets are dropped.

activateRate Number: When the flow exceeds the activate_rate` threshold, the firewall drops individual SYN packets randomly to restrict the flow.
alarmRate Number: When the flow exceeds the alert_rate` threshold, an alarm is generated.
maximalRate Number: When the flow exceeds the maximal_rate threshold, 100% of incoming SYN packets are dropped.

GetZoneProtectionProfileListDataFloodUdp

Enable bool: Enable protection against UDP floods?
Red GetZoneProtectionProfileListDataFloodUdpRed: Red

Enable bool: Enable protection against UDP floods?
Red GetZoneProtectionProfileListDataFloodUdpRed: Red

enable Boolean: Enable protection against UDP floods?
red GetZoneProtectionProfileListDataFloodUdpRed: Red

enable boolean: Enable protection against UDP floods?
red GetZoneProtectionProfileListDataFloodUdpRed: Red

enable bool: Enable protection against UDP floods?
red GetZoneProtectionProfileListDataFloodUdpRed: Red

enable Boolean: Enable protection against UDP floods?
red Property Map: Red

GetZoneProtectionProfileListDataFloodUdpRed

ActivateRate int: The number of UDP packets (not matching an existing session) that the zone receives per second that triggers random dropping of UDP packets.
AlarmRate int: The number of UDP packets (not matching an existing session) that the zone receives per second that triggers an attack alarm.
MaximalRate int: The maximum number of UDP packets (not matching an existing session) the zone receives per second before packets exceeding the maximum are dropped.

ActivateRate int: The number of UDP packets (not matching an existing session) that the zone receives per second that triggers random dropping of UDP packets.
AlarmRate int: The number of UDP packets (not matching an existing session) that the zone receives per second that triggers an attack alarm.
MaximalRate int: The maximum number of UDP packets (not matching an existing session) the zone receives per second before packets exceeding the maximum are dropped.

activateRate Integer: The number of UDP packets (not matching an existing session) that the zone receives per second that triggers random dropping of UDP packets.
alarmRate Integer: The number of UDP packets (not matching an existing session) that the zone receives per second that triggers an attack alarm.
maximalRate Integer: The maximum number of UDP packets (not matching an existing session) the zone receives per second before packets exceeding the maximum are dropped.

activateRate number: The number of UDP packets (not matching an existing session) that the zone receives per second that triggers random dropping of UDP packets.
alarmRate number: The number of UDP packets (not matching an existing session) that the zone receives per second that triggers an attack alarm.
maximalRate number: The maximum number of UDP packets (not matching an existing session) the zone receives per second before packets exceeding the maximum are dropped.

activate_rate int: The number of UDP packets (not matching an existing session) that the zone receives per second that triggers random dropping of UDP packets.
alarm_rate int: The number of UDP packets (not matching an existing session) that the zone receives per second that triggers an attack alarm.
maximal_rate int: The maximum number of UDP packets (not matching an existing session) the zone receives per second before packets exceeding the maximum are dropped.

activateRate Number: The number of UDP packets (not matching an existing session) that the zone receives per second that triggers random dropping of UDP packets.
alarmRate Number: The number of UDP packets (not matching an existing session) that the zone receives per second that triggers an attack alarm.
maximalRate Number: The maximum number of UDP packets (not matching an existing session) the zone receives per second before packets exceeding the maximum are dropped.

GetZoneProtectionProfileListDataIpv6

AnycastSource bool: Discard IPv6 packets that contain an anycast source address.
FilterExtHdr GetZoneProtectionProfileListDataIpv6FilterExtHdr: Filter ext hdr
Icmpv6TooBigSmallMtuDiscard bool: Discard IPv6 packets that contain a Packet Too Big ICMPv6 message when the maximum transmission unit (MTU) is less than 1,280 bytes.
IgnoreInvPkt GetZoneProtectionProfileListDataIpv6IgnoreInvPkt: Ignore inv pkt
Ipv4CompatibleAddress bool: Discard IPv6 packets that are defined as an RFC 4291 IPv4-Compatible IPv6 address.
NeedlessFragmentHdr bool: Discard IPv6 packets with the last fragment flag (M=0) and offset of zero.
OptionsInvalidIpv6Discard bool: Discard IPv6 packets that contain invalid IPv6 options in an extension header.
ReservedFieldSetDiscard bool: Discard IPv6 packets that have a header with a reserved field not set to zero.
RoutingHeader0 bool: Drop packets with type 0 routing header.
RoutingHeader1 bool: Drop packets with type 1 routing header.
RoutingHeader253 bool: Drop packets with type 253 routing header.
RoutingHeader254 bool: Drop packets with type 254 routing header.
RoutingHeader255 bool: Drop packets with type 255 routing header.
RoutingHeader3 bool: Drop packets with type 3 routing header.
RoutingHeader4252 bool: Drop packets with type 4 to type 252 routing header.

AnycastSource bool: Discard IPv6 packets that contain an anycast source address.
FilterExtHdr GetZoneProtectionProfileListDataIpv6FilterExtHdr: Filter ext hdr
Icmpv6TooBigSmallMtuDiscard bool: Discard IPv6 packets that contain a Packet Too Big ICMPv6 message when the maximum transmission unit (MTU) is less than 1,280 bytes.
IgnoreInvPkt GetZoneProtectionProfileListDataIpv6IgnoreInvPkt: Ignore inv pkt
Ipv4CompatibleAddress bool: Discard IPv6 packets that are defined as an RFC 4291 IPv4-Compatible IPv6 address.
NeedlessFragmentHdr bool: Discard IPv6 packets with the last fragment flag (M=0) and offset of zero.
OptionsInvalidIpv6Discard bool: Discard IPv6 packets that contain invalid IPv6 options in an extension header.
ReservedFieldSetDiscard bool: Discard IPv6 packets that have a header with a reserved field not set to zero.
RoutingHeader0 bool: Drop packets with type 0 routing header.
RoutingHeader1 bool: Drop packets with type 1 routing header.
RoutingHeader253 bool: Drop packets with type 253 routing header.
RoutingHeader254 bool: Drop packets with type 254 routing header.
RoutingHeader255 bool: Drop packets with type 255 routing header.
RoutingHeader3 bool: Drop packets with type 3 routing header.
RoutingHeader4252 bool: Drop packets with type 4 to type 252 routing header.

anycastSource Boolean: Discard IPv6 packets that contain an anycast source address.
filterExtHdr GetZoneProtectionProfileListDataIpv6FilterExtHdr: Filter ext hdr
icmpv6TooBigSmallMtuDiscard Boolean: Discard IPv6 packets that contain a Packet Too Big ICMPv6 message when the maximum transmission unit (MTU) is less than 1,280 bytes.
ignoreInvPkt GetZoneProtectionProfileListDataIpv6IgnoreInvPkt: Ignore inv pkt
ipv4CompatibleAddress Boolean: Discard IPv6 packets that are defined as an RFC 4291 IPv4-Compatible IPv6 address.
needlessFragmentHdr Boolean: Discard IPv6 packets with the last fragment flag (M=0) and offset of zero.
optionsInvalidIpv6Discard Boolean: Discard IPv6 packets that contain invalid IPv6 options in an extension header.
reservedFieldSetDiscard Boolean: Discard IPv6 packets that have a header with a reserved field not set to zero.
routingHeader0 Boolean: Drop packets with type 0 routing header.
routingHeader1 Boolean: Drop packets with type 1 routing header.
routingHeader253 Boolean: Drop packets with type 253 routing header.
routingHeader254 Boolean: Drop packets with type 254 routing header.
routingHeader255 Boolean: Drop packets with type 255 routing header.
routingHeader3 Boolean: Drop packets with type 3 routing header.
routingHeader4252 Boolean: Drop packets with type 4 to type 252 routing header.

anycastSource boolean: Discard IPv6 packets that contain an anycast source address.
filterExtHdr GetZoneProtectionProfileListDataIpv6FilterExtHdr: Filter ext hdr
icmpv6TooBigSmallMtuDiscard boolean: Discard IPv6 packets that contain a Packet Too Big ICMPv6 message when the maximum transmission unit (MTU) is less than 1,280 bytes.
ignoreInvPkt GetZoneProtectionProfileListDataIpv6IgnoreInvPkt: Ignore inv pkt
ipv4CompatibleAddress boolean: Discard IPv6 packets that are defined as an RFC 4291 IPv4-Compatible IPv6 address.
needlessFragmentHdr boolean: Discard IPv6 packets with the last fragment flag (M=0) and offset of zero.
optionsInvalidIpv6Discard boolean: Discard IPv6 packets that contain invalid IPv6 options in an extension header.
reservedFieldSetDiscard boolean: Discard IPv6 packets that have a header with a reserved field not set to zero.
routingHeader0 boolean: Drop packets with type 0 routing header.
routingHeader1 boolean: Drop packets with type 1 routing header.
routingHeader253 boolean: Drop packets with type 253 routing header.
routingHeader254 boolean: Drop packets with type 254 routing header.
routingHeader255 boolean: Drop packets with type 255 routing header.
routingHeader3 boolean: Drop packets with type 3 routing header.
routingHeader4252 boolean: Drop packets with type 4 to type 252 routing header.

anycast_source bool: Discard IPv6 packets that contain an anycast source address.
filter_ext_hdr GetZoneProtectionProfileListDataIpv6FilterExtHdr: Filter ext hdr
icmpv6_too_big_small_mtu_discard bool: Discard IPv6 packets that contain a Packet Too Big ICMPv6 message when the maximum transmission unit (MTU) is less than 1,280 bytes.
ignore_inv_pkt GetZoneProtectionProfileListDataIpv6IgnoreInvPkt: Ignore inv pkt
ipv4_compatible_address bool: Discard IPv6 packets that are defined as an RFC 4291 IPv4-Compatible IPv6 address.
needless_fragment_hdr bool: Discard IPv6 packets with the last fragment flag (M=0) and offset of zero.
options_invalid_ipv6_discard bool: Discard IPv6 packets that contain invalid IPv6 options in an extension header.
reserved_field_set_discard bool: Discard IPv6 packets that have a header with a reserved field not set to zero.
routing_header0 bool: Drop packets with type 0 routing header.
routing_header1 bool: Drop packets with type 1 routing header.
routing_header253 bool: Drop packets with type 253 routing header.
routing_header254 bool: Drop packets with type 254 routing header.
routing_header255 bool: Drop packets with type 255 routing header.
routing_header3 bool: Drop packets with type 3 routing header.
routing_header4252 bool: Drop packets with type 4 to type 252 routing header.

anycastSource Boolean: Discard IPv6 packets that contain an anycast source address.
filterExtHdr Property Map: Filter ext hdr
icmpv6TooBigSmallMtuDiscard Boolean: Discard IPv6 packets that contain a Packet Too Big ICMPv6 message when the maximum transmission unit (MTU) is less than 1,280 bytes.
ignoreInvPkt Property Map: Ignore inv pkt
ipv4CompatibleAddress Boolean: Discard IPv6 packets that are defined as an RFC 4291 IPv4-Compatible IPv6 address.
needlessFragmentHdr Boolean: Discard IPv6 packets with the last fragment flag (M=0) and offset of zero.
optionsInvalidIpv6Discard Boolean: Discard IPv6 packets that contain invalid IPv6 options in an extension header.
reservedFieldSetDiscard Boolean: Discard IPv6 packets that have a header with a reserved field not set to zero.
routingHeader0 Boolean: Drop packets with type 0 routing header.
routingHeader1 Boolean: Drop packets with type 1 routing header.
routingHeader253 Boolean: Drop packets with type 253 routing header.
routingHeader254 Boolean: Drop packets with type 254 routing header.
routingHeader255 Boolean: Drop packets with type 255 routing header.
routingHeader3 Boolean: Drop packets with type 3 routing header.
routingHeader4252 Boolean: Drop packets with type 4 to type 252 routing header.

GetZoneProtectionProfileListDataIpv6FilterExtHdr

DestOptionHdr bool: Discard IPv6 packets that contain the Destination Options extension, which contains options intended only for the destination of the packet.
HopByHopHdr bool: Discard IPv6 packets that contain the Hop-by-Hop Options extension header.
RoutingHdr bool: Discard IPv6 packets that contain the Routing extension header, which directs packets to one or more intermediate nodes on its way to its destination.

DestOptionHdr bool: Discard IPv6 packets that contain the Destination Options extension, which contains options intended only for the destination of the packet.
HopByHopHdr bool: Discard IPv6 packets that contain the Hop-by-Hop Options extension header.
RoutingHdr bool: Discard IPv6 packets that contain the Routing extension header, which directs packets to one or more intermediate nodes on its way to its destination.

destOptionHdr Boolean: Discard IPv6 packets that contain the Destination Options extension, which contains options intended only for the destination of the packet.
hopByHopHdr Boolean: Discard IPv6 packets that contain the Hop-by-Hop Options extension header.
routingHdr Boolean: Discard IPv6 packets that contain the Routing extension header, which directs packets to one or more intermediate nodes on its way to its destination.

destOptionHdr boolean: Discard IPv6 packets that contain the Destination Options extension, which contains options intended only for the destination of the packet.
hopByHopHdr boolean: Discard IPv6 packets that contain the Hop-by-Hop Options extension header.
routingHdr boolean: Discard IPv6 packets that contain the Routing extension header, which directs packets to one or more intermediate nodes on its way to its destination.

dest_option_hdr bool: Discard IPv6 packets that contain the Destination Options extension, which contains options intended only for the destination of the packet.
hop_by_hop_hdr bool: Discard IPv6 packets that contain the Hop-by-Hop Options extension header.
routing_hdr bool: Discard IPv6 packets that contain the Routing extension header, which directs packets to one or more intermediate nodes on its way to its destination.

destOptionHdr Boolean: Discard IPv6 packets that contain the Destination Options extension, which contains options intended only for the destination of the packet.
hopByHopHdr Boolean: Discard IPv6 packets that contain the Hop-by-Hop Options extension header.
routingHdr Boolean: Discard IPv6 packets that contain the Routing extension header, which directs packets to one or more intermediate nodes on its way to its destination.

GetZoneProtectionProfileListDataIpv6IgnoreInvPkt

DestUnreach bool: Require an explicit Security policy match for Destination Unreachable ICMPv6 messages, even when the message is associated with an existing session.
ParamProblem bool: Require an explicit Security policy match for Parameter Problem ICMPv6 messages, even when the message is associated with an existing session.
PktTooBig bool: Require an explicit Security policy match for Packet Too Big ICMPv6 messages, even when the message is associated with an existing session.
Redirect bool: Require an explicit Security policy match for Redirect Message ICMPv6 messages, even when the message is associated with an existing session.
TimeExceeded bool: Require an explicit Security policy match for Time Exceeded ICMPv6 messages, even when the message is associated with an existing session.

DestUnreach bool: Require an explicit Security policy match for Destination Unreachable ICMPv6 messages, even when the message is associated with an existing session.
ParamProblem bool: Require an explicit Security policy match for Parameter Problem ICMPv6 messages, even when the message is associated with an existing session.
PktTooBig bool: Require an explicit Security policy match for Packet Too Big ICMPv6 messages, even when the message is associated with an existing session.
Redirect bool: Require an explicit Security policy match for Redirect Message ICMPv6 messages, even when the message is associated with an existing session.
TimeExceeded bool: Require an explicit Security policy match for Time Exceeded ICMPv6 messages, even when the message is associated with an existing session.

destUnreach Boolean: Require an explicit Security policy match for Destination Unreachable ICMPv6 messages, even when the message is associated with an existing session.
paramProblem Boolean: Require an explicit Security policy match for Parameter Problem ICMPv6 messages, even when the message is associated with an existing session.
pktTooBig Boolean: Require an explicit Security policy match for Packet Too Big ICMPv6 messages, even when the message is associated with an existing session.
redirect Boolean: Require an explicit Security policy match for Redirect Message ICMPv6 messages, even when the message is associated with an existing session.
timeExceeded Boolean: Require an explicit Security policy match for Time Exceeded ICMPv6 messages, even when the message is associated with an existing session.

destUnreach boolean: Require an explicit Security policy match for Destination Unreachable ICMPv6 messages, even when the message is associated with an existing session.
paramProblem boolean: Require an explicit Security policy match for Parameter Problem ICMPv6 messages, even when the message is associated with an existing session.
pktTooBig boolean: Require an explicit Security policy match for Packet Too Big ICMPv6 messages, even when the message is associated with an existing session.
redirect boolean: Require an explicit Security policy match for Redirect Message ICMPv6 messages, even when the message is associated with an existing session.
timeExceeded boolean: Require an explicit Security policy match for Time Exceeded ICMPv6 messages, even when the message is associated with an existing session.

dest_unreach bool: Require an explicit Security policy match for Destination Unreachable ICMPv6 messages, even when the message is associated with an existing session.
param_problem bool: Require an explicit Security policy match for Parameter Problem ICMPv6 messages, even when the message is associated with an existing session.
pkt_too_big bool: Require an explicit Security policy match for Packet Too Big ICMPv6 messages, even when the message is associated with an existing session.
redirect bool: Require an explicit Security policy match for Redirect Message ICMPv6 messages, even when the message is associated with an existing session.
time_exceeded bool: Require an explicit Security policy match for Time Exceeded ICMPv6 messages, even when the message is associated with an existing session.

destUnreach Boolean: Require an explicit Security policy match for Destination Unreachable ICMPv6 messages, even when the message is associated with an existing session.
paramProblem Boolean: Require an explicit Security policy match for Parameter Problem ICMPv6 messages, even when the message is associated with an existing session.
pktTooBig Boolean: Require an explicit Security policy match for Packet Too Big ICMPv6 messages, even when the message is associated with an existing session.
redirect Boolean: Require an explicit Security policy match for Redirect Message ICMPv6 messages, even when the message is associated with an existing session.
timeExceeded Boolean: Require an explicit Security policy match for Time Exceeded ICMPv6 messages, even when the message is associated with an existing session.

GetZoneProtectionProfileListDataL2SecGroupTagProtection

Tags List<GetZoneProtectionProfileListDataL2SecGroupTagProtectionTag>: Tags

Tags []GetZoneProtectionProfileListDataL2SecGroupTagProtectionTag: Tags

tags List<GetZoneProtectionProfileListDataL2SecGroupTagProtectionTag>: Tags

tags GetZoneProtectionProfileListDataL2SecGroupTagProtectionTag[]: Tags

tags Sequence[GetZoneProtectionProfileListDataL2SecGroupTagProtectionTag]: Tags

tags List<Property Map>: Tags

GetZoneProtectionProfileListDataL2SecGroupTagProtectionTag

Enable bool: Enable this exclude list for Ethernet SGT protection.
Name string: Name for the list of Security Group Tags (SGTs).
Tag string: The Layer 2 SGTs in headers of packets that you want to exclude (drop) when the SGT matches this list in the Zone Protection profile applied to a zone (range is 0 to 65,535).

Enable bool: Enable this exclude list for Ethernet SGT protection.
Name string: Name for the list of Security Group Tags (SGTs).
Tag string: The Layer 2 SGTs in headers of packets that you want to exclude (drop) when the SGT matches this list in the Zone Protection profile applied to a zone (range is 0 to 65,535).

enable Boolean: Enable this exclude list for Ethernet SGT protection.
name String: Name for the list of Security Group Tags (SGTs).
tag String: The Layer 2 SGTs in headers of packets that you want to exclude (drop) when the SGT matches this list in the Zone Protection profile applied to a zone (range is 0 to 65,535).

enable boolean: Enable this exclude list for Ethernet SGT protection.
name string: Name for the list of Security Group Tags (SGTs).
tag string: The Layer 2 SGTs in headers of packets that you want to exclude (drop) when the SGT matches this list in the Zone Protection profile applied to a zone (range is 0 to 65,535).

enable bool: Enable this exclude list for Ethernet SGT protection.
name str: Name for the list of Security Group Tags (SGTs).
tag str: The Layer 2 SGTs in headers of packets that you want to exclude (drop) when the SGT matches this list in the Zone Protection profile applied to a zone (range is 0 to 65,535).

enable Boolean: Enable this exclude list for Ethernet SGT protection.
name String: Name for the list of Security Group Tags (SGTs).
tag String: The Layer 2 SGTs in headers of packets that you want to exclude (drop) when the SGT matches this list in the Zone Protection profile applied to a zone (range is 0 to 65,535).

GetZoneProtectionProfileListDataNonIpProtocol

ListType string

Specify the type of list you are creating for protocol protection:

Include List—Only the protocols on the list are allowed—in addition to IPv4 (0x0800), IPv6 (0x86DD), ARP (0x0806), and VLAN tagged frames (0x8100). All other protocols are implicitly denied (blocked).
Exclude List—Only the protocols on the list are denied; all other protocols are implicitly allowed. You cannot exclude IPv4 (0x0800), IPv6 (0x86DD), ARP (0x0806), or VLAN tagged frames (0x8100).

Protocols List<GetZoneProtectionProfileListDataNonIpProtocolProtocol>

Protocol

ListType string

Specify the type of list you are creating for protocol protection:

Include List—Only the protocols on the list are allowed—in addition to IPv4 (0x0800), IPv6 (0x86DD), ARP (0x0806), and VLAN tagged frames (0x8100). All other protocols are implicitly denied (blocked).
Exclude List—Only the protocols on the list are denied; all other protocols are implicitly allowed. You cannot exclude IPv4 (0x0800), IPv6 (0x86DD), ARP (0x0806), or VLAN tagged frames (0x8100).

Protocols []GetZoneProtectionProfileListDataNonIpProtocolProtocol

Protocol

listType String

Specify the type of list you are creating for protocol protection:

Include List—Only the protocols on the list are allowed—in addition to IPv4 (0x0800), IPv6 (0x86DD), ARP (0x0806), and VLAN tagged frames (0x8100). All other protocols are implicitly denied (blocked).
Exclude List—Only the protocols on the list are denied; all other protocols are implicitly allowed. You cannot exclude IPv4 (0x0800), IPv6 (0x86DD), ARP (0x0806), or VLAN tagged frames (0x8100).

protocols List<GetZoneProtectionProfileListDataNonIpProtocolProtocol>

Protocol

listType string

Specify the type of list you are creating for protocol protection:

Include List—Only the protocols on the list are allowed—in addition to IPv4 (0x0800), IPv6 (0x86DD), ARP (0x0806), and VLAN tagged frames (0x8100). All other protocols are implicitly denied (blocked).
Exclude List—Only the protocols on the list are denied; all other protocols are implicitly allowed. You cannot exclude IPv4 (0x0800), IPv6 (0x86DD), ARP (0x0806), or VLAN tagged frames (0x8100).

protocols GetZoneProtectionProfileListDataNonIpProtocolProtocol[]

Protocol

list_type str

Specify the type of list you are creating for protocol protection:

Include List—Only the protocols on the list are allowed—in addition to IPv4 (0x0800), IPv6 (0x86DD), ARP (0x0806), and VLAN tagged frames (0x8100). All other protocols are implicitly denied (blocked).
Exclude List—Only the protocols on the list are denied; all other protocols are implicitly allowed. You cannot exclude IPv4 (0x0800), IPv6 (0x86DD), ARP (0x0806), or VLAN tagged frames (0x8100).

protocols Sequence[GetZoneProtectionProfileListDataNonIpProtocolProtocol]

Protocol

listType String

Specify the type of list you are creating for protocol protection:

Include List—Only the protocols on the list are allowed—in addition to IPv4 (0x0800), IPv6 (0x86DD), ARP (0x0806), and VLAN tagged frames (0x8100). All other protocols are implicitly denied (blocked).
Exclude List—Only the protocols on the list are denied; all other protocols are implicitly allowed. You cannot exclude IPv4 (0x0800), IPv6 (0x86DD), ARP (0x0806), or VLAN tagged frames (0x8100).

protocols List<Property Map>

Protocol

GetZoneProtectionProfileListDataNonIpProtocolProtocol

Enable bool

Enable the Ethertype code on the list.

EtherType string

Enter an Ethertype code (protocol) preceded by 0x to indicate hexadecimal (range is 0x0000 to 0xFFFF). A list can have a maximum of 64 Ethertypes. Some sources of Ethertype codes are:

Name string

Enter the protocol name that corresponds to the Ethertype code you are adding to the list. The firewall does not verify that the protocol name matches the Ethertype code but the Ethertype code does determine the protocol filter.

Enable bool

Enable the Ethertype code on the list.

EtherType string

Enter an Ethertype code (protocol) preceded by 0x to indicate hexadecimal (range is 0x0000 to 0xFFFF). A list can have a maximum of 64 Ethertypes. Some sources of Ethertype codes are:

Name string

enable Boolean

Enable the Ethertype code on the list.

etherType String

Enter an Ethertype code (protocol) preceded by 0x to indicate hexadecimal (range is 0x0000 to 0xFFFF). A list can have a maximum of 64 Ethertypes. Some sources of Ethertype codes are:

name String

enable boolean

Enable the Ethertype code on the list.

etherType string

Enter an Ethertype code (protocol) preceded by 0x to indicate hexadecimal (range is 0x0000 to 0xFFFF). A list can have a maximum of 64 Ethertypes. Some sources of Ethertype codes are:

name string

enable bool

Enable the Ethertype code on the list.

ether_type str

Enter an Ethertype code (protocol) preceded by 0x to indicate hexadecimal (range is 0x0000 to 0xFFFF). A list can have a maximum of 64 Ethertypes. Some sources of Ethertype codes are:

name str

enable Boolean

Enable the Ethertype code on the list.

etherType String

Enter an Ethertype code (protocol) preceded by 0x to indicate hexadecimal (range is 0x0000 to 0xFFFF). A list can have a maximum of 64 Ethertypes. Some sources of Ethertype codes are:

name String