POST /accounts/{account_id}/gateway/rules

Name	Type	Required	Description
`account_id`	String	Yes

Name	Type	Required	Description
`Content-Type`	String	Yes	The media type of the request body. Default value: "application/json"

Name	Type	Required	Description
`filters[]`	Array	No	Specify the protocol or layer to evaluate the traffic, identity, and device posture expressions. Can only contain a single value.
`traffic`	String	No	Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
`expiration`	Object	No	Defines the expiration time stamp and default duration of a DNS policy. Takes precedence over the policy's `schedule` configuration, if any. This does not apply to HTTP or network policies. Settable only for `dns` rules.
`expiration.expired`	Boolean	No	Indicates whether the policy is expired.
`expiration.duration`	Integer	No	Defines the default duration a policy active in minutes. Must set in order to use the `reset_expiration` endpoint on this rule.
`expiration.expires_at`	String	Yes	Show the timestamp when the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. Expiration policies ignore client timezones and expire globally at the specified expires_at time.
`name`	String	Yes	Specify the rule name.
`action`	String	Yes	Specify the action to perform when the associated traffic, identity, and device posture expressions either absent or evaluate to `true`. Valid values: `"noscan"` `"block"` `"scan"` `"allow"` `"off"` `"resolve"` `"quarantine"` `"redirect"` `"on"` `"isolate"` `"noisolate"` `"override"` `"l4_override"` `"egress"` `"safesearch"` `"ytrestricted"`
`description`	String	No	Specify the rule description.
`enabled`	Boolean	No	Specify whether the rule is enabled. Default value: false
`schedule`	Object	No	Defines the schedule for activating DNS policies. Settable only for `dns` and `dns_resolver` rules.
`schedule.mon`	String	No	Specify the time intervals when the rule is active on Mondays, in the increasing order from 00:00-24:00(capped at maximum of 6 time splits). If this parameter omitted, the rule is deactivated on Mondays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used.
`schedule.sun`	String	No	Specify the time intervals when the rule is active on Sundays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Sundays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used.
`schedule.time_zone`	String	No	Specify the time zone for rule evaluation. When a valid time zone city name is provided, Gateway always uses the current time for that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. Colo time zone is used when the user's IP address does not resolve to a location.
`schedule.fri`	String	No	Specify the time intervals when the rule is active on Fridays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Fridays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used.
`schedule.thu`	String	No	Specify the time intervals when the rule is active on Thursdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Thursdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used.
`schedule.tue`	String	No	Specify the time intervals when the rule is active on Tuesdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Tuesdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used.
`schedule.sat`	String	No	Specify the time intervals when the rule is active on Saturdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Saturdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used.
`schedule.wed`	String	No	Specify the time intervals when the rule is active on Wednesdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Wednesdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used.
`identity`	String	No	Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
`precedence`	Integer	No	Set the order of your rules. Lower values indicate higher precedence. At each processing phase, evaluate applicable rules in ascending order of this value. Refer to Order of enforcement to manage precedence via Terraform.
`device_posture`	String	No	Specify the wirefilter expression used for device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
`rule_settings`	Object	No	Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.
`rule_settings.untrusted_cert`	Object	No	Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for `http` rules with the action set to `allow`.
`rule_settings.untrusted_cert.action`	String	No	Defines the action performed when an untrusted certificate seen. The default action an error with HTTP code 526. Valid values: `"block"` `"error"` `"pass_through"`
`rule_settings.block_page_enabled`	Boolean	No	Enable the custom block page. Settable only for `dns` rules with action `block`.
`rule_settings.insecure_disable_dnssec_validation`	Boolean	No	Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for `dns` rules.
`rule_settings.resolve_dns_internally`	Object	No	Configure to forward the query to the internal DNS service, passing the specified 'view_id' as input. Not used when 'dns_resolvers' is specified or 'resolve_dns_through_cloudflare' is set. Only valid when a rule's action set to 'resolve'. Settable only for `dns_resolver` rules.
`rule_settings.resolve_dns_internally.fallback`	String	No	Specify the fallback behavior to apply when the internal DNS response code differs from 'NOERROR' or when the response data contains only CNAME records for 'A' or 'AAAA' queries. Valid values: `"public_dns"` `"none"`
`rule_settings.resolve_dns_internally.view_id`	String	No	Specify the internal DNS view identifier to pass to the internal DNS service.
`rule_settings.payload_log`	Object	No	Configure DLP payload logging. Settable only for `http` rules.
`rule_settings.payload_log.enabled`	Boolean	No	Enable DLP payload logging for this rule.
`rule_settings.resolve_dns_through_cloudflare`	Boolean	No	Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot set when 'dns_resolvers' specified or 'resolve_dns_internally' is set. Only valid when a rule's action set to 'resolve'. Settable only for `dns_resolver` rules.
`rule_settings.bypass_parent_rule`	Boolean	No	Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules.
`rule_settings.egress`	Object	No	Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for `egress` rules.
`rule_settings.egress.ipv4_fallback`	String	No	Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set '0.0.0.0' to indicate local egress via WARP IPs.
`rule_settings.egress.ipv4`	String	No	Specify the IPv4 address to use for egress.
`rule_settings.egress.ipv6`	String	No	Specify the IPv6 range to use for egress.
`rule_settings.ignore_cname_category_matches`	Boolean	No	Ignore category matches at CNAME domains in a response. When off, evaluate categories in this rule against all CNAME domain categories in the response. Settable only for `dns` and `dns_resolver` rules.
`rule_settings.add_headers`	Object	No	Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for `http` rules with the action set to `allow`.
`rule_settings.add_headers.name`	String	No
`rule_settings.override_ips[]`	Array	No	Defines a an IP or set of IPs for overriding matched DNS queries. Settable only for `dns` rules with the action set to `override`.
`rule_settings.audit_ssh`	Object	No	Define the settings for the Audit SSH action. Settable only for `l4` rules with `audit_ssh` action.
`rule_settings.audit_ssh.command_logging`	Boolean	No	Enable SSH command logging.
`rule_settings.override_host`	String	No	Defines a hostname for override, for the matching DNS queries. Settable only for `dns` rules with the action set to `override`.
`rule_settings.block_page`	Object	No	Configure custom block page settings. If missing or null, use the account settings. Settable only for `http` rules with the action set to `block`.
`rule_settings.block_page.target_uri`	String	Yes	Specify the URI to which the user is redirected.
`rule_settings.block_page.include_context`	Boolean	No	Specify whether to pass the context information as query parameters.
`rule_settings.dns_resolvers`	Object	No	Configure custom resolvers to route queries that match the resolver policy. Unused with 'resolve_dns_through_cloudflare' or 'resolve_dns_internally' settings. DNS queries get routed to the address closest to their origin. Only valid when a rule's action set to 'resolve'. Settable only for `dns_resolver` rules.
`rule_settings.dns_resolvers.ipv4[]`	Array	No
`rule_settings.dns_resolvers.ipv4[].vnet_id`	String	No	Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.
`rule_settings.dns_resolvers.ipv4[].port`	Integer	No	Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
`rule_settings.dns_resolvers.ipv4[].ip`	String	Yes	Specify the IPv4 address of the upstream resolver.
`rule_settings.dns_resolvers.ipv4[].route_through_private_network`	Boolean	No	Indicate whether to connect to this resolver over a private network. Must set when vnet_id set.
`rule_settings.dns_resolvers.ipv6[]`	Array	No
`rule_settings.dns_resolvers.ipv6[].vnet_id`	String	No	Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.
`rule_settings.dns_resolvers.ipv6[].port`	Integer	No	Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
`rule_settings.dns_resolvers.ipv6[].ip`	String	Yes	Specify the IPv6 address of the upstream resolver.
`rule_settings.dns_resolvers.ipv6[].route_through_private_network`	Boolean	No	Indicate whether to connect to this resolver over a private network. Must set when vnet_id set.
`rule_settings.notification_settings`	Object	No	Configure a notification to display on the user's device when this rule matched. Settable for all types of rules with the action set to `block`.
`rule_settings.notification_settings.msg`	String	No	Customize the message shown in the notification.
`rule_settings.notification_settings.include_context`	Boolean	No	Indicates whether to pass the context information as query parameters.
`rule_settings.notification_settings.support_url`	String	No	Defines an optional URL to direct users to additional information. If unset, the notification opens a block page.
`rule_settings.notification_settings.enabled`	Boolean	No	Enable notification.
`rule_settings.check_session`	Object	No	Configure session check behavior. Settable only for `l4` and `http` rules with the action set to `allow`.
`rule_settings.check_session.enforce`	Boolean	No	Enable session enforcement.
`rule_settings.check_session.duration`	String	No	Sets the required session freshness threshold. The API returns a normalized version of this value.
`rule_settings.biso_admin_controls`	Object	No	Configure browser isolation behavior. Settable only for `http` rules with the action set to `isolate`.
`rule_settings.biso_admin_controls.paste`	String	No	Configure paste behavior. If set to remote_only, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when version == "v2". Valid values: `"disabled"` `"remote_only"` `"enabled"`
`rule_settings.biso_admin_controls.dp`	Boolean	No	Set to false to enable printing. Only applies when `version == "v1"`.
`rule_settings.biso_admin_controls.printing`	String	No	Configure print behavior. Default, Printing is enabled. Applies only when version == "v2". Valid values: `"disabled"` `"enabled"`
`rule_settings.biso_admin_controls.upload`	String	No	Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when version == "v2". Valid values: `"disabled"` `"enabled"`
`rule_settings.biso_admin_controls.copy`	String	No	Configure copy behavior. If set to remote_only, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when version == "v2". Valid values: `"disabled"` `"remote_only"` `"enabled"`
`rule_settings.biso_admin_controls.dd`	Boolean	No	Set to false to enable downloading. Only applies when `version == "v1"`.
`rule_settings.biso_admin_controls.du`	Boolean	No	Set to false to enable uploading. Only applies when `version == "v1"`.
`rule_settings.biso_admin_controls.dcp`	Boolean	No	Set to false to enable copy-pasting. Only applies when `version == "v1"`.
`rule_settings.biso_admin_controls.download`	String	No	Configure download behavior. When set to remote_only, users can view downloads but cannot save them. Applies only when version == "v2". Valid values: `"disabled"` `"remote_only"` `"enabled"`
`rule_settings.biso_admin_controls.version`	String	No	Indicate which version of the browser isolation controls should apply. Valid values: `"v1"` `"v2"` Default value: "v1"
`rule_settings.biso_admin_controls.keyboard`	String	No	Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when version == "v2". Valid values: `"disabled"` `"enabled"`
`rule_settings.biso_admin_controls.dk`	Boolean	No	Set to false to enable keyboard usage. Only applies when `version == "v1"`.
`rule_settings.redirect`	Object	No	Apply settings to redirect rules. Settable only for `http` rules with the action set to `redirect`.
`rule_settings.redirect.target_uri`	String	Yes	Specify the URI to which the user is redirected.
`rule_settings.redirect.include_context`	Boolean	No	Specify whether to pass the context information as query parameters.
`rule_settings.redirect.preserve_path_and_query`	Boolean	No	Specify whether to append the path and query parameters from the original request to target_uri.
`rule_settings.l4override`	Object	No	Send matching traffic to the supplied destination IP address and port. Settable only for `l4` rules with the action set to `l4_override`.
`rule_settings.l4override.port`	Integer	No	Defines a port number to use for TCP/UDP overrides.
`rule_settings.l4override.ip`	String	No	Defines the IPv4 or IPv6 address.
`rule_settings.ip_categories`	Boolean	No	Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for `dns` and `dns_resolver` rules.
`rule_settings.block_reason`	String	No	Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for `dns`, `l4`, and `http` rules when the action set to `block`.
`rule_settings.quarantine`	Object	No	Configure settings that apply to quarantine rules. Settable only for `http` rules.
`rule_settings.quarantine.file_types[]`	Array	No	Specify the types of files to sandbox.
`rule_settings.allow_child_bypass`	Boolean	No	Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. this rule. Settable for all types of rules.
`rule_settings.ip_indicator_feeds`	Boolean	No	Indicates whether to include IPs in DNS resolver indicator feed blocks. Default, indicator feeds block only domain names. Settable only for `dns` and `dns_resolver` rules.

Name

Type

Required

Description

filters[]

Array

No

Specify the protocol or layer to evaluate the traffic, identity, and device posture expressions. Can only contain a single value.

traffic

String

No

Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.

expiration

Object

No

Defines the expiration time stamp and default duration of a DNS policy. Takes precedence over the policy's schedule configuration, if any. This does not apply to HTTP or network policies. Settable only for dns rules.

expiration.expired

Boolean

No

Indicates whether the policy is expired.

expiration.duration

Integer

No

Defines the default duration a policy active in minutes. Must set in order to use the reset_expiration endpoint on this rule.

expiration.expires_at

String

Yes

Show the timestamp when the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. Expiration policies ignore client timezones and expire globally at the specified expires_at time.

name

String

Yes

Specify the rule name.

action

String

Yes

Specify the action to perform when the associated traffic, identity, and device posture expressions either absent or evaluate to true.

Valid values:

"noscan"
"block"
"scan"
"allow"
"off"
"resolve"
"quarantine"
"redirect"
"on"
"isolate"
"noisolate"
"override"
"l4_override"
"egress"
"safesearch"
"ytrestricted"

description

String

No

Specify the rule description.

enabled

Boolean

No

Specify whether the rule is enabled.

Default value: false

schedule

Object

No

Defines the schedule for activating DNS policies. Settable only for dns and dns_resolver rules.

schedule.mon

String

No

Specify the time intervals when the rule is active on Mondays, in the increasing order from 00:00-24:00(capped at maximum of 6 time splits). If this parameter omitted, the rule is deactivated on Mondays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used.

schedule.sun

String

No

Specify the time intervals when the rule is active on Sundays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Sundays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used.

schedule.time_zone

String

No

Specify the time zone for rule evaluation. When a valid time zone city name is provided, Gateway always uses the current time for that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. Colo time zone is used when the user's IP address does not resolve to a location.

schedule.fri

String

No

Specify the time intervals when the rule is active on Fridays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Fridays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used.

schedule.thu

String

No

Specify the time intervals when the rule is active on Thursdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Thursdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used.

schedule.tue

String

No

Specify the time intervals when the rule is active on Tuesdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Tuesdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used.

schedule.sat

String

No

Specify the time intervals when the rule is active on Saturdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Saturdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used.

schedule.wed

String

No

Specify the time intervals when the rule is active on Wednesdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Wednesdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used.

identity

String

No

Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.

precedence

Integer

No

Set the order of your rules. Lower values indicate higher precedence. At each processing phase, evaluate applicable rules in ascending order of this value. Refer to Order of enforcement to manage precedence via Terraform.

device_posture

String

No

Specify the wirefilter expression used for device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.

rule_settings

Object

No

Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.

rule_settings.untrusted_cert

Object

No

Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for http rules with the action set to allow.

rule_settings.untrusted_cert.action

String

No

Defines the action performed when an untrusted certificate seen. The default action an error with HTTP code 526.

Valid values:

"block"
"error"
"pass_through"

rule_settings.block_page_enabled

Boolean

No

Enable the custom block page. Settable only for dns rules with action block.

rule_settings.insecure_disable_dnssec_validation

Boolean

No

Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for dns rules.

rule_settings.resolve_dns_internally

Object

No

Configure to forward the query to the internal DNS service, passing the specified 'view_id' as input. Not used when 'dns_resolvers' is specified or 'resolve_dns_through_cloudflare' is set. Only valid when a rule's action set to 'resolve'. Settable only for dns_resolver rules.

rule_settings.resolve_dns_internally.fallback

String

No

Specify the fallback behavior to apply when the internal DNS response code differs from 'NOERROR' or when the response data contains only CNAME records for 'A' or 'AAAA' queries.

Valid values:

"public_dns"
"none"

rule_settings.resolve_dns_internally.view_id

String

No

Specify the internal DNS view identifier to pass to the internal DNS service.

rule_settings.payload_log

Object

No

Configure DLP payload logging. Settable only for http rules.

rule_settings.payload_log.enabled

Boolean

No

Enable DLP payload logging for this rule.

rule_settings.resolve_dns_through_cloudflare

Boolean

No

Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot set when 'dns_resolvers' specified or 'resolve_dns_internally' is set. Only valid when a rule's action set to 'resolve'. Settable only for dns_resolver rules.

rule_settings.bypass_parent_rule

Boolean

No

Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules.

rule_settings.egress

Object

No

Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for egress rules.

rule_settings.egress.ipv4_fallback

String

No

Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set '0.0.0.0' to indicate local egress via WARP IPs.

rule_settings.egress.ipv4

String

No

Specify the IPv4 address to use for egress.

rule_settings.egress.ipv6

String

No

Specify the IPv6 range to use for egress.

rule_settings.ignore_cname_category_matches

Boolean

No

Ignore category matches at CNAME domains in a response. When off, evaluate categories in this rule against all CNAME domain categories in the response. Settable only for dns and dns_resolver rules.

rule_settings.add_headers

Object

No

Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for http rules with the action set to allow.

rule_settings.add_headers.name

String

No

rule_settings.override_ips[]

Array

No

Defines a an IP or set of IPs for overriding matched DNS queries. Settable only for dns rules with the action set to override.

rule_settings.audit_ssh

Object

No

Define the settings for the Audit SSH action. Settable only for l4 rules with audit_ssh action.

rule_settings.audit_ssh.command_logging

Boolean

No

Enable SSH command logging.

rule_settings.override_host

String

No

Defines a hostname for override, for the matching DNS queries. Settable only for dns rules with the action set to override.

rule_settings.block_page

Object

No

Configure custom block page settings. If missing or null, use the account settings. Settable only for http rules with the action set to block.

rule_settings.block_page.target_uri

String

Yes

Specify the URI to which the user is redirected.

rule_settings.block_page.include_context

Boolean

No

Specify whether to pass the context information as query parameters.

rule_settings.dns_resolvers

Object

No

Configure custom resolvers to route queries that match the resolver policy. Unused with 'resolve_dns_through_cloudflare' or 'resolve_dns_internally' settings. DNS queries get routed to the address closest to their origin. Only valid when a rule's action set to 'resolve'. Settable only for dns_resolver rules.

rule_settings.dns_resolvers.ipv4[]

Array

No

rule_settings.dns_resolvers.ipv4[].vnet_id

String

No

Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.

rule_settings.dns_resolvers.ipv4[].port

Integer

No

Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.

rule_settings.dns_resolvers.ipv4[].ip

String

Yes

Specify the IPv4 address of the upstream resolver.

rule_settings.dns_resolvers.ipv4[].route_through_private_network

Boolean

No

Indicate whether to connect to this resolver over a private network. Must set when vnet_id set.

rule_settings.dns_resolvers.ipv6[]

Array

No

rule_settings.dns_resolvers.ipv6[].vnet_id

String

No

Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.

rule_settings.dns_resolvers.ipv6[].port

Integer

No

Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.

rule_settings.dns_resolvers.ipv6[].ip

String

Yes

Specify the IPv6 address of the upstream resolver.

rule_settings.dns_resolvers.ipv6[].route_through_private_network

Boolean

No

Indicate whether to connect to this resolver over a private network. Must set when vnet_id set.

rule_settings.notification_settings

Object

No

Configure a notification to display on the user's device when this rule matched. Settable for all types of rules with the action set to block.

rule_settings.notification_settings.msg

String

No

Customize the message shown in the notification.

rule_settings.notification_settings.include_context

Boolean

No

Indicates whether to pass the context information as query parameters.

rule_settings.notification_settings.support_url

String

No

Defines an optional URL to direct users to additional information. If unset, the notification opens a block page.

rule_settings.notification_settings.enabled

Boolean

No

Enable notification.

rule_settings.check_session

Object

No

Configure session check behavior. Settable only for l4 and http rules with the action set to allow.

rule_settings.check_session.enforce

Boolean

No

Enable session enforcement.

rule_settings.check_session.duration

String

No

Sets the required session freshness threshold. The API returns a normalized version of this value.

rule_settings.biso_admin_controls

Object

No

Configure browser isolation behavior. Settable only for http rules with the action set to isolate.

rule_settings.biso_admin_controls.paste

String

No

Configure paste behavior. If set to remote_only, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when version == "v2".

Valid values:

"disabled"
"remote_only"
"enabled"

rule_settings.biso_admin_controls.dp

Boolean

No

Set to false to enable printing. Only applies when version == "v1".

rule_settings.biso_admin_controls.printing

String

No

Configure print behavior. Default, Printing is enabled. Applies only when version == "v2".

Valid values:

"disabled"
"enabled"

rule_settings.biso_admin_controls.upload

String

No

Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when version == "v2".

Valid values:

"disabled"
"enabled"

rule_settings.biso_admin_controls.copy

String

No

Configure copy behavior. If set to remote_only, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when version == "v2".

Valid values:

"disabled"
"remote_only"
"enabled"

rule_settings.biso_admin_controls.dd

Boolean

No

Set to false to enable downloading. Only applies when version == "v1".

rule_settings.biso_admin_controls.du

Boolean

No

Set to false to enable uploading. Only applies when version == "v1".

rule_settings.biso_admin_controls.dcp

Boolean

No

Set to false to enable copy-pasting. Only applies when version == "v1".

rule_settings.biso_admin_controls.download

String

No

Configure download behavior. When set to remote_only, users can view downloads but cannot save them. Applies only when version == "v2".

Valid values:

"disabled"
"remote_only"
"enabled"

rule_settings.biso_admin_controls.version

String

No

Indicate which version of the browser isolation controls should apply.

Valid values:

"v1"
"v2"

Default value: "v1"

rule_settings.biso_admin_controls.keyboard

String

No

Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when version == "v2".

Valid values:

"disabled"
"enabled"

rule_settings.biso_admin_controls.dk

Boolean

No

Set to false to enable keyboard usage. Only applies when version == "v1".

rule_settings.redirect

Object

No

Apply settings to redirect rules. Settable only for http rules with the action set to redirect.

rule_settings.redirect.target_uri

String

Yes

Specify the URI to which the user is redirected.

rule_settings.redirect.include_context

Boolean

No

Specify whether to pass the context information as query parameters.

rule_settings.redirect.preserve_path_and_query

Boolean

No

Specify whether to append the path and query parameters from the original request to target_uri.

rule_settings.l4override

Object

No

Send matching traffic to the supplied destination IP address and port. Settable only for l4 rules with the action set to l4_override.

rule_settings.l4override.port

Integer

No

Defines a port number to use for TCP/UDP overrides.

rule_settings.l4override.ip

String

No

Defines the IPv4 or IPv6 address.

rule_settings.ip_categories

Boolean

No

Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for dns and dns_resolver rules.

rule_settings.block_reason

String

No

Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for dns, l4, and http rules when the action set to block.

rule_settings.quarantine

Object

No

Configure settings that apply to quarantine rules. Settable only for http rules.

rule_settings.quarantine.file_types[]

Array

No

Specify the types of files to sandbox.

rule_settings.allow_child_bypass

Boolean

No

Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. this rule. Settable for all types of rules.

rule_settings.ip_indicator_feeds

Boolean

No

Indicates whether to include IPs in DNS resolver indicator feed blocks. Default, indicator feeds block only domain names. Settable only for dns and dns_resolver rules.

Servers

Path parameters

Request headers

Request body fields

How to start integrating