manage_firewall_policy
Create, update, delete, or reorder firewall policies to control traffic between zones. Policy order determines the first match; verify order after changes.
Instructions
Create, update, delete, or reorder firewall policies. Policies define traffic rules between zone pairs. CREATE requires: enabled, name, action (the policy's action, i.e. policyAction), source (with zoneId), destination (with zoneId), ipProtocolScope, loggingEnabled. REORDER: pass data as { policyIds: ['id1', 'id2', ...] } to set the evaluation order. CRITICAL: policy order matters, because the first matching policy wins. Always verify the order after changes.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| action | Yes | Operation to perform: create, update, delete or reorder | |
| policyId | No | Policy ID (required for update/delete) | |
| enabled | No | Whether the policy is active (required for create) | |
| name | No | Policy name. Convention: '{action}-{src}-to-{dst}', e.g. 'allow-trusted-to-iot', 'block-guest-to-private' | |
| description | No | Human-readable description of what this policy does and why | |
| policyAction | No | What to do with matched traffic | |
| source | No | Where traffic originates | |
| destination | No | Where traffic is going | |
| ipProtocolScope | No | IP protocol version to match | IPV4_AND_IPV6 |
| loggingEnabled | No | Enable syslog for matched traffic — recommended for deny rules | |
| policyIds | No | Ordered list of policy IDs for the reorder action (required for reorder) | |
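The first-match semantics and the "verify order after changes" advice above, as an added example that is not part of the tool's own code: it validates a CREATE input against the required fields, evaluates a flow against an ordered policy list, and pre-checks a proposed `{ policyIds: [...] }` reorder by reporting every zone pair whose first-matching policy would change. The `policyId` key on stored policies, the zone ids and the `IPV4`/`IPV6` scope values are assumptions for the constructed sample; other field names follow the input schema.

```javascript
// Added example (not the tool's own code): "first match wins" over zone pairs and a
// pre-check of a { policyIds: [...] } reorder. policyId, zone ids, IPV4/IPV6 are assumed.
const REQUIRED_FOR_CREATE = ['enabled', 'name', 'policyAction', 'source',
  'destination', 'ipProtocolScope', 'loggingEnabled'];

// Names of CREATE fields that are missing (source/destination also need a zoneId).
function missingCreateFields(input) {
  return REQUIRED_FOR_CREATE.filter((f) => input[f] === undefined
    || ((f === 'source' || f === 'destination') && !input[f].zoneId));
}

// First enabled policy whose zone pair and IP scope match the flow, else null.
function firstMatch(ordered, flow) {
  return ordered.find((p) => p.enabled
    && p.source.zoneId === flow.src && p.destination.zoneId === flow.dst
    && (p.ipProtocolScope === 'IPV4_AND_IPV6' || p.ipProtocolScope === flow.ipVersion)) || null;
}

// Requires policyIds to be a permutation of the current ids, then lists each zone
// pair and IP version whose first-matching policy would differ after the reorder.
function checkReorder(current, policyIds) {
  const byId = new Map(current.map((p) => [p.policyId, p]));
  const errors = [];
  if (new Set(policyIds).size !== policyIds.length) errors.push('duplicate ids');
  policyIds.forEach((id) => { if (!byId.has(id)) errors.push(`unknown id ${id}`); });
  byId.forEach((_, id) => { if (!policyIds.includes(id)) errors.push(`missing id ${id}`); });
  if (errors.length) return { ok: false, errors, changed: [] };
  const proposed = policyIds.map((id) => byId.get(id));
  const pairs = new Set(current.map((p) => `${p.source.zoneId}>${p.destination.zoneId}`));
  const changed = [];
  for (const pair of pairs) for (const ipVersion of ['IPV4', 'IPV6']) {
    const [src, dst] = pair.split('>');
    const before = firstMatch(current, { src, dst, ipVersion });
    const after = firstMatch(proposed, { src, dst, ipVersion });
    if (before?.policyId !== after?.policyId)
      changed.push(`${src}->${dst} ${ipVersion}: ${before?.name} -> ${after?.name}`);
  }
  return { ok: true, errors, changed };
}

// Constructed sample: p2 and p3 cover the same guest->private pair, so order decides.
function samplePolicies() {
  const mk = (policyId, name, policyAction, src, dst, loggingEnabled = false) => ({
    policyId, name, policyAction, enabled: true, loggingEnabled,
    source: { zoneId: src }, destination: { zoneId: dst }, ipProtocolScope: 'IPV4_AND_IPV6' });
  return [mk('p1', 'allow-trusted-to-iot', 'ALLOW', 'trusted', 'iot'),
    mk('p2', 'block-guest-to-private', 'BLOCK', 'guest', 'private', true),
    mk('p3', 'allow-guest-to-private', 'ALLOW', 'guest', 'private')];
}
```

Running `checkReorder(samplePolicies(), ['p3', 'p1', 'p2'])` reports that guest->private flips from the logged block rule to the allow rule, which is exactly the kind of silent change the order check is meant to catch before the reorder is submitted.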