key |
|
|
string |
Top level element, contains the ID of the connection policy. |
body |
|
|
Top level element (string) |
The elements of the connection policy. |
|
access_control |
|
Top level list |
Collection of access policies. Access policies define who can authorize and audit a connection. |
|
active |
|
boolean |
Set to false to suspend the connection policy. Connection settings are preserved. |
|
client_side_transport_security |
|
Top level item |
Defines the Transport Layer Security (TLS) settings for the connection between SPS and the client. For example: "client_side_transport_security": {
"selection": "disabled"
}, |
|
indexing |
|
Top level item |
Configures indexing for the connection policy. |
|
|
enabled |
boolean |
Set to true to enable indexing the connections. |
|
|
policy |
string |
References the identifier of the indexing policy. You can configure indexing policies at the /api/configuration/policies/indexing/ endpoint.
To modify or add an indexing policy, use the value of the returned key as the value of the policy element, and remove any child elements (including the key). |
|
|
priority |
int |
Specifies the indexing priority for the connection. Possible values are:
|
|
log_audit_trail_downloads |
|
boolean |
Set to true to log audit trail downloads. |
|
name |
|
string |
The name of the connection policy. |
|
network |
|
|
|
|
|
clients |
list, string |
List of client ("from") IP addresses. |
|
|
ports |
list, integers |
List of target ports. |
|
|
targets |
list, string |
List of target IP addresses. |
|
override_log_level |
|
Top level item |
Specifies the verbosity level of sessions handled by this connection policy. The log level of other connection policies is not affected. If disabled, the log level set at the /api/configuration/<protocol>/options endpoint is used.
-
To use the default log level, disable this option: "override_log_level": {
"enabled": false
},
-
To use a custom log level for the connection policy, enable this option and set the log level to use: "override_log_level": {
"enabled": true,
"log_level": 5
}, |
|
policies |
|
Top level item |
List of policies referenced by the connection policy. |
|
|
analytics_policy |
string |
References the identifier of the analytics policy. You can configure analytics policies at the /api/configuration/analytics/ endpoint.
To add or modify an analytics policy, use the value of the returned key as the value of the analytics element, and remove any child elements (including the key). |
|
|
archive_cleanup_policy |
string |
References the identifier of the archive/cleanup policy. You can configure archive and cleanup policies at the /api/configuration/policies/archive_cleanup_policies/ endpoint.
To modify or add an archive/cleanup policy, use the value of the returned key as the value of the archive_cleanup_policy element, and remove any child elements (including the key). |
|
|
audit_policy |
string |
Cannot be null.
References the identifier of the audit policy. You can configure audit policies at the /api/configuration/policies/audit_policies/ endpoint.
To modify or add an audit policy, use the value of the returned key as the value of the audit_policy element, and remove any child elements (including the key). |
|
|
backup_policy |
string |
References the identifier of the backup policy. You can configure backup policies at the /api/configuration/policies/backup_policies/ endpoint.
To modify or add a backup policy, use the value of the returned key as the value of the backup_policy element, and remove any child elements (including the key). |
|
|
channel_policy |
string |
References the identifier of the channel policy. The value of this option cannot be null.
To modify or add a channel policy, use the value of the returned key as the value of the channel_policy element, and remove any child elements (including the key).
You can configure VNC channel policies at the /api/configuration/vnc/channel_policies/ endpoint. |
|
|
settings |
string |
References the identifier of the settings policy. The value of this option cannot be null.
To modify or add a settings policy for this protocol, use the value of the returned key as the value of the settings element, and remove any child elements (including the key). |
|
rate_limit |
|
Top level element |
Connection rate limit. |
|
|
enabled |
boolean |
Set to true to provide a connection rate limit. |
|
|
value |
int |
The number of connections (per minute) that are allowed in the connection policy. |
|
server_address |
|
Top level item |
Defines the address where the clients connect to. |
|
|
custom_dns |
string |
Configures a DNS server that is used to reverse-resolve the hostname if the Channel Policy contains the address of the target as a hostname instead of an IP address. By default, this is disabled and SPS uses the DNS server set in the /api/configuration/network/dns endpoint.
-
To use the default DNS, disable this option: "server_address": {
"custom_dns": {
"enabled": false
},
...
},
-
To use a custom DNS, enable this option and set the IP address of the domain name server to use: "server_address": {
"custom_dns": {
"enabled": true,
"server": "192.168.1.1"
},
...
}, |
|
|
selection |
string |
Configures the address where the clients connect to. Possible values are
-
original
Connect to the same address specified by the client.
-
nat
Perform a network address translation on the target address.
Must be used with the network element.
-
fix
Must be used with the address and port elements.
-
inband
Extract the address of the server from the username.
Must be used with the domains element.
Optional elements: exception_domains, dns_server, and dns_suffixes.
: |
|
server_side_transport_security |
|
Top level item |
Defines the Transport Layer Security (TLS) settings for the connection between SPS and the server. For example: "server_side_transport_security": {
"selection": "disabled"
}, |
|
source_address |
|
Top level element |
Allows you to configure Source Network Address Translation (SNAT) on the server side of SPS. SNAT determines the IP address SPS uses in the server-side connection. The target server will see the connection coming from this address. |
|
|
selection |
string |
Configures Source Network Address Translation. Possible values are:
-
box_address
Default. Uses the network address of the logical interface of SPS.
-
original
Uses the IP address of the client, as seen by SPS.
-
fix
Uses a fixed address when connecting to the remote server.
Must be used with the address element. |
|
|
address |
string |
Must be used if the value of the selection element is set to fix.
The IP address to use as the source address in server-side connections. |
|
web_gateway_authentication |
|
Top level item |
When gateway authentication is required for a connection, the user must authenticate on SPS as well. This additional authentication can be performed out-of-band on the SPS web interface for every protocol. |
|
|
enabled |
boolean |
Set to true to enable additional gateway authentication on the SPS web interface. |
|
|
groups |
list, string |
By default, any user can perform gateway authentication for the connections. You can restrict authentication to members of specific usergroups. Define the usergroups at the /api/configuration/aaa/local_database/groups/ endpoint, and list the name of each group here. |
|
|
require_same_ip |
boolean |
Set to true to only accept web gateway authentication from the same host that initiated the connection. |