
Cloud Firewall: DescribeNatFirewallControlPolicy

Last Updated: Dec 09, 2025

Queries the details of all access control policies for NAT firewalls.

Operation description

This operation queries access control policies for NAT firewalls. The results are paginated.


RAM authorization

No RAM authorization is required for this operation. If you encounter issues with this operation, contact technical support.

Request parameters

Each parameter is listed with its type, whether it is required, its description, and an example value.

Lang (string, optional)
The language of the response message. Valid values:
  • zh (default): Chinese
  • en: English
Example: zh

NatGatewayId (string, required)
The ID of the NAT Gateway that you want to query.
Example: ngw-xxxxxx

CurrentPage (string, optional)
The number of the page to return for a paged query.
Example: 1

PageSize (string, optional)
The maximum number of entries to return on each page for a paged query. The default value is 10.
Example: 10

Source (string, optional)
The source address in the access control policy. Fuzzy query is supported. The value of this parameter varies based on the value of the SourceType parameter.
  • If SourceType is set to net, the value of this parameter is a CIDR block. Example: 192.0.XX.XX/24.
  • If SourceType is set to group, the value of this parameter is the name of a source address book. Example: db_group. If you leave this parameter empty, all source addresses are queried.
  • If SourceType is set to location, the value of this parameter is a source region. Example: Beijing or beijing. You can use either Chinese or English to query the region.
Note: If you do not set this parameter, all types of source addresses are queried.
Example: 1.1.1.1/32

Destination (string, optional)
The destination address in the access control policy. Fuzzy query is supported. The value of this parameter varies based on the value of the DestinationType parameter.
  • If DestinationType is set to net, the value of this parameter is a CIDR block. Example: 10.0.3.0/24.
  • If DestinationType is set to domain, the value of this parameter is a domain name. Example: aliyun.
  • If DestinationType is set to group, the value of this parameter is the name of an address book. Example: db_group.
  • If DestinationType is set to location, the value of this parameter is a region name. For more information about region location codes, see AddControlPolicy. Example: ["BJ11", "ZB"].
Note: If you do not set this parameter, all types of destination addresses are queried.
Example: x.x.x.x/32

Description (string, optional)
The description of the access control policy. Fuzzy query is supported.
Note: If you do not set this parameter, the descriptions of all policies are queried.
Example: 描述信息

Proto (string, optional)
The protocol type of the traffic in the access control policy. Valid values:
  • TCP
  • UDP
  • ICMP
  • ANY (all protocol types)
Note: If you do not set this parameter, all protocol types are queried.
Example: ANY

AclAction (string, optional)
The action that is performed on traffic that hits the access control policy. Valid values:
  • accept: allow
  • drop: deny
  • log: monitor
Example: accept

AclUuid (string, optional)
The unique ID of the access control policy.
Example: 323f0697-2a21-4e43-b142-*****

Release (string, optional)
The status of the access control policy. By default, an access control policy is enabled after it is created. Valid values:
  • true: enable the access control policy
  • false: disable the access control policy
Example: true

Direction (string, required)
The direction of the traffic that the access control policy controls. Valid values:
  • out: outbound traffic
Example: out

RepeatType (string, optional)
The recurrence type for the policy validity period. Valid values:
  • Permanent (default): always
  • None: a single time
  • Daily: daily
  • Weekly: weekly
  • Monthly: monthly
Example: Permanent
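The request parameters above are enough to page through every policy on a NAT gateway and review the result. The following is an added example, not code from the Cloud Firewall documentation or SDK: the API call is injected as `fetch_page(current_page, page_size)` (a stand-in for an SDK client call), the sample pages are constructed to match the response shape documented on this page, and the audit flags enabled accept rules that match any source, any destination and any protocol.

```python
import ipaddress
from typing import Callable, Dict, List

# Constructed sample pages shaped like this operation's success response; TotalCount
# is a string in this API and only the fields the audit needs are filled in.
SAMPLE_PAGES: Dict[int, dict] = {
    1: {"TotalCount": "3", "Policys": [
        {"AclUuid": "sample-0001", "Order": 2, "AclAction": "accept", "Release": "true",
         "SourceType": "net", "Source": "0.0.0.0/0", "DestinationType": "net",
         "Destination": "0.0.0.0/0", "Proto": "ANY"},
        {"AclUuid": "sample-0002", "Order": 1, "AclAction": "drop", "Release": "true",
         "SourceType": "net", "Source": "10.0.0.0/8", "DestinationType": "net",
         "Destination": "0.0.0.0/0", "Proto": "ANY"}]},
    2: {"TotalCount": "3", "Policys": [
        {"AclUuid": "sample-0003", "Order": 3, "AclAction": "accept", "Release": "true",
         "SourceType": "group", "Source": "db_group", "DestinationType": "domain",
         "Destination": "aliyuncs.com", "Proto": "TCP"}]},
}

def fake_fetch(current_page: int, page_size: int) -> dict:
    """Stand-in for the real API call (an SDK client would go here); serves one sample page."""
    return SAMPLE_PAGES.get(current_page, {"TotalCount": "3", "Policys": []})

def collect_policies(fetch_page: Callable[[int, int], dict], page_size: int = 10) -> List[dict]:
    """Walk CurrentPage from 1 until TotalCount entries are collected (or a page is
    empty), then order by priority: a smaller Order is evaluated first."""
    policies: List[dict] = []
    page = 1
    while True:
        resp = fetch_page(page, page_size)
        batch = resp.get("Policys", [])
        policies.extend(batch)
        if not batch or len(policies) >= int(resp["TotalCount"]):
            break
        page += 1
    return sorted(policies, key=lambda p: p["Order"])

def _any_net(addr_type: str, addr: str) -> bool:
    # A CIDR block with prefix length 0 (0.0.0.0/0) matches every address.
    return addr_type == "net" and ipaddress.ip_network(addr, strict=False).prefixlen == 0

def is_permissive(policy: dict) -> bool:
    """An enabled accept rule from any source to any destination for any protocol."""
    return (policy.get("AclAction") == "accept" and policy.get("Release") == "true"
            and _any_net(policy.get("SourceType", ""), policy.get("Source", ""))
            and _any_net(policy.get("DestinationType", ""), policy.get("Destination", ""))
            and policy.get("Proto") == "ANY")

def audit(fetch_page: Callable[[int, int], dict] = fake_fetch, page_size: int = 2) -> List[str]:
    return [p["AclUuid"] for p in collect_policies(fetch_page, page_size) if is_permissive(p)]
```

Because the result is sorted by Order, a flagged rule can be read together with the rules that precede it; in the sample, the drop rule at Order 1 shadows part of the permissive accept rule at Order 2.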

Response elements

The response is an object with the following elements. Each element is listed with its type, its description, and an example value.

TotalCount (string)
The total number of returned entries.
Example: 28

RequestId (string)
The ID of the request.
Example: F283567D-8A52-5BAE-9472-*****

Policys (array<object>)
The information about the access control policies for the NAT firewall. Each object in the array has the following elements.

Destination (string)
The destination address in the access control policy. The value of this parameter varies based on the value of the DestinationType parameter. Valid values:
  • If DestinationType is set to net, the value of this parameter is a CIDR block. Example: 192.0.XX.XX/24.
  • If DestinationType is set to domain, the value of this parameter is a domain name. Example: aliyuncs.com.
  • If DestinationType is set to group, the value of this parameter is the name of an address book. Example: db_group.
  • If DestinationType is set to location, the value of this parameter is a region name. For more information about region location codes, see AddControlPolicy. Example: ["BJ11", "ZB"].
Example: x.x.x.x/32

Order (integer)
The priority of the access control policy. The priority starts from 1. A smaller value indicates a higher priority.
Example: 1

DestPortGroup (string)
The name of the destination port address book for the traffic in the access control policy.
Example: my_port_group

SourceType (string)
The source address type in the access control policy. Valid values:
  • net: source CIDR block
  • group: source address book
  • location: source region
Example: net

DnsResultTime (integer)
The timestamp of the DNS resolution. The value is a UNIX timestamp. Unit: seconds.
Example: 1579261141

DnsResult (string)
The result of the DNS resolution.
Example: 111.0.XX.XX,112.0.XX.XX

ApplicationNameList (array<string>)
The application names. Multiple applications are supported.
Example: ['HTTP', 'HTTPS']

AclUuid (string)
The unique ID of the access control policy.
Example: 01281255-d220-4db1-8f4f-c4df221a****

DestPortType (string)
The destination port type for the traffic in the access control policy. Valid values:
  • port: port
  • group: port address book
Example: port

Source (string)
The source address in the access control policy. Valid values:
  • If SourceType is set to net, the value of this parameter is a CIDR block. Example: 192.0.XX.XX/24.
  • If SourceType is set to group, the value of this parameter is the name of a source address book. Example: db_group.
  • If SourceType is set to location, the value of this parameter is a region. For more information about region location codes, see AddControlPolicy. Example: ["BJ11", "ZB"].
Example: 192.0.XX.XX/24

DestinationType (string)
The destination address type in the access control policy. Valid values:
  • net: destination CIDR block
  • group: destination address book
  • domain: destination domain name
  • location: destination region
Example: net

HitTimes (integer)
The number of hits for the access control policy.
Example: 100

HitLastTime (integer)
The timestamp of the last hit. The value is a UNIX timestamp. Unit: seconds.
Example: 1579261141

DestPort (string)
The destination port for the traffic in the access control policy.
Example: 80

Description (string)
The description of the access control policy.
Example: 描述信息

AclAction (string)
The action that is performed on traffic that hits the access control policy. Valid values:
  • accept: allow
  • drop: deny
  • log: monitor
Example: accept

Proto (string)
The protocol type of the traffic in the access control policy. Valid values:
  • ANY
  • TCP
  • UDP
  • ICMP
Example: TCP

DestinationGroupCidrs (array<string>)
The list of CIDR blocks in the destination address book of the access control policy.
Example: ["112.0.XX.XX/24", "112.0.XX.XX/32"]

DestPortGroupPorts (array<string>)
The list of ports in the destination port address book.
Example: [80,443]

SourceGroupCidrs (array<string>)
The list of CIDR blocks in the source address book of the access control policy.
Example: ['192.0.XX.XX/24', '192.0.XX.XX/32']

Release (string)
The status of the access control policy. By default, an access control policy is enabled after it is created. Valid values:
  • true: enabled
  • false: disabled
Example: true

SourceGroupType (string)
The type of the source address book in the access control policy. The value is fixed as ip. This indicates an IP address book that contains one or more CIDR blocks.
Example: ip

DestinationGroupType (string)
The type of the destination address book in the access control policy. Valid values:
  • ip: an IP address book that contains one or more CIDR blocks.
  • domain: a domain name address book that contains one or more domain names.
Example: ip

NatGatewayId (string)
The ID of the NAT Gateway that you want to query.
Example: ngw-xxxxxx

DomainResolveType (integer)
The domain name resolution method of the access control policy. Valid values:
  • 0: FQDN-based
  • 1: dynamic DNS resolution-based
  • 2: FQDN- and dynamic DNS resolution-based
Example: 0

SpreadCnt (string)
The number of policy specifications that are occupied. This is the cumulative value of specifications occupied by each policy. The number of specifications occupied by a single policy = Number of source CIDR blocks × Number of destination addresses (IP address CIDR blocks, regions, or domain names) × Number of applications × Number of port ranges.
Example: 10,000

CreateTime (integer)
The time when the policy was created.
Example: 1761062400

ModifyTime (integer)
The time when the policy was last modified.
Example: 1761062400

RepeatType (string)
The recurrence type for the policy validity period. Valid values:
  • Permanent (default): always
  • None: a single time
  • Daily: daily
  • Weekly: weekly
  • Monthly: monthly
Example: Permanent

RepeatDays (array<integer>)
The days of the week or month on which the policy recurs.
  • If RepeatType is set to Permanent, None, or Daily, this parameter is an empty set. Example: []
  • If RepeatType is set to Weekly, this parameter cannot be empty and its values cannot be repeated. The valid values are 0 to 6. The week starts on Sunday. Example: [0, 6]
  • If RepeatType is set to Monthly, this parameter cannot be empty and its values cannot be repeated. The valid values are 1 to 31. Example: [1, 31]
Example of one element: 1

RepeatStartTime (string)
The start time of the recurrence. For example, 08:00. The time must be on the hour or half-hour, and at least 30 minutes earlier than the end time.
Note: If RepeatType is set to Permanent or None, this parameter is empty. If RepeatType is set to Daily, Weekly, or Monthly, you must set this parameter.
Example: 08:00

RepeatEndTime (string)
The end time of the recurrence. For example, 23:30. The time must be on the hour or half-hour, and at least 30 minutes later than the start time.
Note: If RepeatType is set to Permanent or None, this parameter is empty. If RepeatType is set to Daily, Weekly, or Monthly, you must set this parameter.
Example: 23:30

StartTime (integer)
The start time of the policy validity period. The value is a UNIX timestamp. The time must be on the hour or half-hour, and at least 30 minutes earlier than the end time.
Note: If RepeatType is set to Permanent, this parameter is empty. If RepeatType is set to None, Daily, Weekly, or Monthly, you must set this parameter.
Example: 1694761200

EndTime (integer)
The end time of the policy validity period. The value is a UNIX timestamp. The time must be on the hour or half-hour, and at least 30 minutes later than the start time.
Note: If RepeatType is set to Permanent, this parameter is empty. If RepeatType is set to None, Daily, Weekly, or Monthly, you must set this parameter.
Example: 1694764800
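The SpreadCnt formula and the RepeatType, RepeatDays and time-window constraints above are easy to get wrong when policies are created or reviewed programmatically. The following is an added example, not code from the Cloud Firewall documentation or SDK: it computes the specifications one policy occupies from the documented formula (assuming a net, domain or location address counts as one destination and an address book counts its entries) and checks a returned policy object against the documented recurrence rules; the sample policy is constructed.

```python
import re

HALF_HOUR = re.compile(r"^([01]\d|2[0-3]):(00|30)$")  # HH:MM on the hour or half-hour

SAMPLE_POLICY = {  # constructed: an address-book rule in a weekly 08:00-23:30 window on Sun and Sat
    "SourceType": "group", "SourceGroupCidrs": ["192.0.2.0/24", "198.51.100.0/24"],
    "DestinationType": "group", "DestinationGroupCidrs": ["203.0.113.0/24"],
    "ApplicationNameList": ["HTTP", "HTTPS"], "DestPortType": "group", "DestPortGroupPorts": ["80", "443"],
    "RepeatType": "Weekly", "RepeatDays": [0, 6], "RepeatStartTime": "08:00", "RepeatEndTime": "23:30",
    "StartTime": 1694761200, "EndTime": 1694764800,
}

def spread_count(policy: dict) -> int:
    """SpreadCnt formula: source CIDR blocks x destination addresses x applications x port
    ranges. A net, domain or location address counts as one; an address book counts its entries."""
    sources = len(policy["SourceGroupCidrs"]) if policy.get("SourceType") == "group" else 1
    dests = len(policy["DestinationGroupCidrs"]) if policy.get("DestinationType") == "group" else 1
    apps = max(1, len(policy.get("ApplicationNameList") or []))
    ports = len(policy["DestPortGroupPorts"]) if policy.get("DestPortType") == "group" else 1
    return sources * dests * apps * ports

def _minutes(hhmm: str) -> int:
    return int(hhmm[:2]) * 60 + int(hhmm[3:])

def recurrence_problems(policy: dict) -> list:
    """Check RepeatType, RepeatDays and the time fields against the documented constraints."""
    problems = []
    repeat = policy.get("RepeatType", "Permanent")
    days = policy.get("RepeatDays") or []
    if repeat in ("Weekly", "Monthly"):
        low, high = (0, 6) if repeat == "Weekly" else (1, 31)  # Weekly: 0 is Sunday
        if not days:
            problems.append("RepeatDays must not be empty")
        if len(set(days)) != len(days):
            problems.append("RepeatDays must not repeat values")
        if any(not low <= d <= high for d in days):
            problems.append(f"RepeatDays values must be within {low} to {high}")
    elif days:
        problems.append(f"RepeatDays must be empty when RepeatType is {repeat}")
    if repeat in ("Daily", "Weekly", "Monthly"):
        start, end = policy.get("RepeatStartTime", ""), policy.get("RepeatEndTime", "")
        if not (HALF_HOUR.match(start) and HALF_HOUR.match(end)):
            problems.append("RepeatStartTime and RepeatEndTime must be HH:00 or HH:30")
        elif _minutes(end) - _minutes(start) < 30:
            problems.append("RepeatEndTime must be at least 30 minutes after RepeatStartTime")
    if repeat != "Permanent":
        start_ts, end_ts = policy.get("StartTime"), policy.get("EndTime")
        # UNIX seconds: half-hour alignment holds in any whole- or half-hour offset time zone.
        if start_ts is None or end_ts is None or start_ts % 1800 or end_ts % 1800 or end_ts - start_ts < 1800:
            problems.append("StartTime and EndTime must be on the hour or half-hour and at least 30 minutes apart")
    return problems
```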

Examples

Success response

JSON format

{
  "TotalCount": "28",
  "RequestId": "F283567D-8A52-5BAE-9472-*****",
  "Policys": [
    {
      "Destination": "x.x.x.x/32",
      "Order": 1,
      "DestPortGroup": "my_port_group",
      "SourceType": "net",
      "DnsResultTime": 1579261141,
      "DnsResult": "111.0.XX.XX,112.0.XX.XX",
      "ApplicationNameList": [
        "HTTP",
        "HTTPS"
      ],
      "AclUuid": "01281255-d220-4db1-8f4f-c4df221a****",
      "DestPortType": "port",
      "Source": "192.0.XX.XX/24",
      "DestinationType": "net",
      "HitTimes": 100,
      "HitLastTime": 1579261141,
      "DestPort": "80",
      "Description": "描述信息",
      "AclAction": "accept",
      "Proto": "TCP",
      "DestinationGroupCidrs": [
        "112.0.XX.XX/24",
        "112.0.XX.XX/32"
      ],
      "DestPortGroupPorts": [
        "80",
        "443"
      ],
      "SourceGroupCidrs": [
        "192.0.XX.XX/24",
        "192.0.XX.XX/32"
      ],
      "Release": "true",
      "SourceGroupType": "ip",
      "DestinationGroupType": "ip",
      "NatGatewayId": "ngw-xxxxxx",
      "DomainResolveType": 0,
      "SpreadCnt": "10,000",
      "CreateTime": 1761062400,
      "ModifyTime": 1761062400,
      "RepeatType": "Permanent",
      "RepeatDays": [
        1
      ],
      "RepeatStartTime": "08:00",
      "RepeatEndTime": "23:30",
      "StartTime": 1694761200,
      "EndTime": 1694764800
    }
  ]
}

Error codes

HTTP status code | Error code | Error message | Description
400 | ErrorParametersUid | The aliUid parameter is invalid. | The aliUid parameter is invalid.
400 | ErrorParametersPageSizeOrNo | Either pageSize or pageNo is invalid. | Either pageSize or pageNo is invalid.
400 | ErrorParameterIpVersion | The IP version is invalid. | The IP version is invalid.
400 | ErrorParametersDirection | The direction is invalid. | The direction is invalid.
400 | ErrorDBSelect | An error occurred while querying database. | An error occurred while querying the database.
400 | ErrorUnmarshalJSON | An error occurred while parsing JSON. | An error occurred while decoding JSON.
400 | ErrorParametersAppId | The AppId parameter is incorrect. | The AppId parameter is invalid.
400 | ErrorParametersNatGatewayId | Invalid parameters NatGatewayId. | The request parameter NatGatewayId is invalid or does not exist.
400 | ErrorUUIDNew | The UUID is invalid. | The UUID is invalid.
400 | ErrorParametersSource | The source is invalid. | The source is invalid.
400 | ErrorDomainResolve | An error occurred while resolving the domain. | An error occurred while resolving the domain.
400 | ErrorParametersDestination | The Destination parameter is invalid. | The Destination parameter is invalid.
400 | ErrorParametersProto | The protocol is invalid. | The protocol is invalid.
400 | ErrorParametersDestPort | The dst_port is invalid. | The dst_port is invalid.
400 | ErrorParametersAction | The action is invalid. | The action is invalid.
400 | ErrorMarshalJSON | An error occurred while encoding JSON. | An error occurred while encoding JSON.
400 | ErrorParametersAclUuid | Specified parameter AclUuid is not valid. | Specified parameter AclUuid is not valid.

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.