APIs.io Engineering Platform · Schema
zero-trust-gateway_rule-settings
Additional settings that modify the rule's action.
Properties
| Name | Type | Description |
|---|---|---|
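| add_headers | object | Add custom headers to allowed requests, in the form of key-value pairs. Each key is a header name that maps to an array of that header's value(s). Note: the JSON Schema on this page declares each value as a string, while this description and the schema's example use arrays of strings, so a strict validator would reject the documented example. |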
| allow_child_bypass | boolean | Set by parent MSP accounts to enable their children to bypass this rule. |
| audit_ssh | object | Settings for the Audit SSH action. |
| biso_admin_controls | object | Configure how browser isolation behaves. |
| block_page_enabled | boolean | Enable the custom block page. |
| block_reason | string | The text describing why this block occurred, displayed on the custom block page (if enabled). |
| bypass_parent_rule | boolean | Set by children MSP accounts to bypass their parent's rules. |
| check_session | object | Configure how session check behaves. |
| dns_resolvers | object | Add your own custom resolvers to route queries that match the resolver policy. Cannot be used when resolve_dns_through_cloudflare is set. DNS queries will route to the address closest to their origin. Only valid when a rule's action is set to 'resolve'. |
| egress | object | Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. |
| ignore_cname_category_matches | boolean | Set to true to ignore category matches at CNAME domains in a response. If not set to true, the categories in this rule are checked against the categories of every CNAME domain in a response. |
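| insecure_disable_dnssec_validation | boolean | INSECURE - disables DNSSEC validation (for Allow actions). With validation disabled, DNS answers for matching queries are not checked against DNSSEC signatures, so forged or tampered records go undetected; leave this false unless a specific rule requires it. |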
| ip_categories | boolean | Set to true to enable IPs in DNS resolver category blocks. By default categories only block based on domain names. |
| ip_indicator_feeds | boolean | Set to true to include IPs in DNS resolver indicator feed blocks. By default indicator feeds only block based on domain names. |
| l4override | object | Send matching traffic to the supplied destination IP address and port. |
| notification_settings | object | Configure a notification to display on the user's device when this rule is matched. |
| override_host | string | Override matching DNS queries with a hostname. |
| override_ips | array | Override matching DNS queries with an IP or set of IPs. |
| payload_log | object | Configure DLP payload logging. |
| resolve_dns_through_cloudflare | boolean | Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when dns_resolvers are specified. Only valid when a rule's action is set to 'resolve'. |
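| untrusted_cert | object | Configure behavior when an upstream certificate is invalid or an SSL error occurs. The nested action is one of pass_through, block, or error; the default is error, returned with HTTP code 526. pass_through allows the connection despite the failed certificate validation, so keep rules that use it narrowly scoped. |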
JSON Schema
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "#/components/schemas/zero-trust-gateway_rule-settings",
"title": "zero-trust-gateway_rule-settings",
"description": "Additional settings that modify the rule's action.",
"properties": {
"add_headers": {
"additionalProperties": {
"type": "string"
},
"description": "Add custom headers to allowed requests, in the form of key-value pairs. Keys are header names, pointing to an array with its header value(s).",
"example": {
"My-Next-Header": [
"foo",
"bar"
],
"X-Custom-Header-Name": [
"somecustomvalue"
]
},
"type": "object"
},
"allow_child_bypass": {
"description": "Set by parent MSP accounts to enable their children to bypass this rule.",
"example": false,
"type": "boolean"
},
"audit_ssh": {
"description": "Settings for the Audit SSH action.",
"properties": {
"command_logging": {
"description": "Enable to turn on SSH command logging.",
"example": false,
"type": "boolean"
}
},
"type": "object"
},
"biso_admin_controls": {
"description": "Configure how browser isolation behaves.",
"properties": {
"dcp": {
"description": "Set to false to enable copy-pasting.",
"example": false,
"type": "boolean"
},
"dd": {
"description": "Set to false to enable downloading.",
"example": false,
"type": "boolean"
},
"dk": {
"description": "Set to false to enable keyboard usage.",
"example": false,
"type": "boolean"
},
"dp": {
"description": "Set to false to enable printing.",
"example": false,
"type": "boolean"
},
"du": {
"description": "Set to false to enable uploading.",
"example": false,
"type": "boolean"
}
},
"type": "object"
},
"block_page_enabled": {
"description": "Enable the custom block page.",
"example": true,
"type": "boolean"
},
"block_reason": {
"description": "The text describing why this block occurred, displayed on the custom block page (if enabled).",
"example": "This website is a security risk",
"type": "string"
},
"bypass_parent_rule": {
"description": "Set by children MSP accounts to bypass their parent's rules.",
"example": false,
"type": "boolean"
},
"check_session": {
"description": "Configure how session check behaves.",
"properties": {
"duration": {
"description": "Configure how fresh the session needs to be to be considered valid.",
"example": "300s",
"type": "string"
},
"enforce": {
"description": "Set to true to enable session enforcement.",
"example": true,
"type": "boolean"
}
},
"type": "object"
},
"dns_resolvers": {
"description": "Add your own custom resolvers to route queries that match the resolver policy. Cannot be used when resolve_dns_through_cloudflare is set. DNS queries will route to the address closest to their origin. Only valid when a rule's action is set to 'resolve'.",
"properties": {
"ipv4": {
"items": {
"$ref": "#/components/schemas/zero-trust-gateway_dns_resolver_settings_v4"
},
"type": "array"
},
"ipv6": {
"items": {
"$ref": "#/components/schemas/zero-trust-gateway_dns_resolver_settings_v6"
},
"type": "array"
}
},
"type": "object"
},
"egress": {
"description": "Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs.",
"properties": {
"ipv4": {
"description": "The IPv4 address to be used for egress.",
"example": "192.0.2.2",
"type": "string"
},
"ipv4_fallback": {
"description": "The fallback IPv4 address to be used for egress in the event of an error egressing with the primary IPv4. Can be '0.0.0.0' to indicate local egress via WARP IPs.",
"example": "192.0.2.3",
"type": "string"
},
"ipv6": {
"description": "The IPv6 range to be used for egress.",
"example": "2001:DB8::/64",
"type": "string"
}
},
"type": "object"
},
"ignore_cname_category_matches": {
"description": "Set to true to ignore category matches at CNAME domains in a response. If not set to true, the categories in this rule are checked against the categories of every CNAME domain in a response.",
"example": true,
"type": "boolean"
},
"insecure_disable_dnssec_validation": {
"description": "INSECURE - disable DNSSEC validation (for Allow actions).",
"example": false,
"type": "boolean"
},
"ip_categories": {
"description": "Set to true to enable IPs in DNS resolver category blocks. By default categories only block based on domain names.",
"example": true,
"type": "boolean"
},
"ip_indicator_feeds": {
"description": "Set to true to include IPs in DNS resolver indicator feed blocks. By default indicator feeds only block based on domain names.",
"example": true,
"type": "boolean"
},
"l4override": {
"description": "Send matching traffic to the supplied destination IP address and port.",
"properties": {
"ip": {
"description": "IPv4 or IPv6 address.",
"example": "1.1.1.1",
"type": "string"
},
"port": {
"description": "A port number to use for TCP/UDP overrides.",
"type": "integer"
}
},
"type": "object"
},
"notification_settings": {
"description": "Configure a notification to display on the user's device when this rule is matched.",
"properties": {
"enabled": {
"description": "Set to true to enable the notification.",
"type": "boolean"
},
"msg": {
"description": "Customize the message shown in the notification.",
"type": "string"
},
"support_url": {
"description": "Optional URL to direct users to additional information. If not set, the notification will open a block page.",
"type": "string"
}
},
"type": "object"
},
"override_host": {
"description": "Override matching DNS queries with a hostname.",
"example": "example.com",
"type": "string"
},
"override_ips": {
"description": "Override matching DNS queries with an IP or set of IPs.",
"example": [
"1.1.1.1",
"2.2.2.2"
],
"items": {
"description": "IPv4 or IPv6 address.",
"example": "1.1.1.1",
"type": "string"
},
"type": "array"
},
"payload_log": {
"description": "Configure DLP payload logging.",
"properties": {
"enabled": {
"description": "Set to true to enable DLP payload logging for this rule.",
"example": true,
"type": "boolean"
}
},
"type": "object"
},
"resolve_dns_through_cloudflare": {
"description": "Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when dns_resolvers are specified. Only valid when a rule's action is set to 'resolve'.",
"example": true,
"type": "boolean"
},
"untrusted_cert": {
"description": "Configure behavior when an upstream cert is invalid or an SSL error occurs.",
"properties": {
"action": {
"description": "The action performed when an untrusted certificate is seen. The default action is an error with HTTP code 526.",
"enum": [
"pass_through",
"block",
"error"
],
"example": "error",
"type": "string"
}
},
"type": "object"
}
},
"type": "object"
}