Sample Neutron FWaaS Policy File

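The following is a sample neutron-fwaas policy file for adaptation and use. Every rule in it is commented out and shows the built-in default, so only the rules you uncomment and edit override those defaults.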

The sample policy can also be viewed in file form.

Important

The sample policy file is auto-generated from neutron-fwaas when this documentation is built. You must ensure your version of neutron-fwaas matches the version of this documentation.

# Definition of shared firewall groups
#"shared_firewall_groups": "field:firewall_groups:shared=True"

# Create a firewall group
# POST  /fwaas/firewall_groups
# Intended scope(s): project
#"create_firewall_group": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

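# DEPRECATED
# "create_firewall_group":"rule:regular_user" has been deprecated
# since 2025.2 in favor of "create_firewall_group":"(rule:admin_only)
# or (role:member and project_id:%(project_id)s)".
# The FWaaS API now supports Secure RBAC default roles.
# NOTE(review): while a deprecated default is still honoured, oslo.policy
# can accept a request that matches either the old or the new check
# string. Confirm the [oslo_policy] enforce_new_defaults setting of your
# deployment before relying on the stricter rule; the same applies to
# the other DEPRECATED notices in this file.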

# Update a firewall group
# PUT  /fwaas/firewall_groups/{id}
# Intended scope(s): project
#"update_firewall_group": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "update_firewall_group":"rule:admin_or_owner" has been deprecated
# since 2025.2 in favor of "update_firewall_group":"(rule:admin_only)
# or (role:member and project_id:%(project_id)s)".
# The FWaaS API now supports Secure RBAC default roles.

# Delete a firewall group
# DELETE  /fwaas/firewall_groups/{id}
# Intended scope(s): project
#"delete_firewall_group": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "delete_firewall_group":"rule:admin_or_owner" has been deprecated
# since 2025.2 in favor of "delete_firewall_group":"(rule:admin_only)
# or (role:member and project_id:%(project_id)s)".
# The FWaaS API now supports Secure RBAC default roles.

# Create a shared firewall group
# POST  /fwaas/firewall_groups
# Intended scope(s): project
#"create_firewall_group:shared": "rule:admin_only"

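# DEPRECATED
# "create_firewall_group:shared":"rule:admin_only" has been deprecated
# since 2025.2 in favor of
# "create_firewall_group:shared":"rule:admin_only".
# The FWaaS API now supports Secure RBAC default roles.
# NOTE(review): the deprecated and replacement check strings shown here
# are identical, so this notice (like the same notice on the other
# ":shared" rules in this file) does not by itself change the check
# string for this action.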

# Update ``shared`` attribute of a firewall group
# PUT  /fwaas/firewall_groups/{id}
# Intended scope(s): project
#"update_firewall_group:shared": "rule:admin_only"

# DEPRECATED
# "update_firewall_group:shared":"rule:admin_only" has been deprecated
# since 2025.2 in favor of
# "update_firewall_group:shared":"rule:admin_only".
# The FWaaS API now supports Secure RBAC default roles.

# Delete a shared firewall group
# DELETE  /fwaas/firewall_groups/{id}
# Intended scope(s): project
#"delete_firewall_group:shared": "rule:admin_only"

# DEPRECATED
# "delete_firewall_group:shared":"rule:admin_only" has been deprecated
# since 2025.2 in favor of
# "delete_firewall_group:shared":"rule:admin_only".
# The FWaaS API now supports Secure RBAC default roles.

# Get firewall groups
# GET  /fwaas/firewall_groups
# GET  /fwaas/firewall_groups/{id}
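# Intended scope(s): project
# NOTE(review): the final "rule:shared_firewall_groups" alternative has no
# role or project condition, so it matches a read of any firewall group
# marked shared; "get_firewall_policy" and "get_firewall_rule" follow the
# same pattern with their own shared_* rules.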
#"get_firewall_group": "(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_firewall_groups"

# DEPRECATED
# "get_firewall_group":"rule:admin_or_owner or
# rule:shared_firewall_groups" has been deprecated since 2025.2 in
# favor of "get_firewall_group":"(rule:admin_only) or (role:reader and
# project_id:%(project_id)s) or rule:shared_firewall_groups".
# The FWaaS API now supports Secure RBAC default roles.

# Definition of shared firewall policies
#"shared_firewall_policies": "field:firewall_policies:shared=True"

# Create a firewall policy
# POST  /fwaas/firewall_policies
# Intended scope(s): project
#"create_firewall_policy": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "create_firewall_policy":"rule:regular_user" has been deprecated
# since 2025.2 in favor of "create_firewall_policy":"(rule:admin_only)
# or (role:member and project_id:%(project_id)s)".
# The FWaaS API now supports Secure RBAC default roles.

# Update a firewall policy
# PUT  /fwaas/firewall_policies/{id}
# Intended scope(s): project
#"update_firewall_policy": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "update_firewall_policy":"rule:admin_or_owner" has been deprecated
# since 2025.2 in favor of "update_firewall_policy":"(rule:admin_only)
# or (role:member and project_id:%(project_id)s)".
# The FWaaS API now supports Secure RBAC default roles.

# Delete a firewall policy
# DELETE  /fwaas/firewall_policies/{id}
# Intended scope(s): project
#"delete_firewall_policy": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "delete_firewall_policy":"rule:admin_or_owner" has been deprecated
# since 2025.2 in favor of "delete_firewall_policy":"(rule:admin_only)
# or (role:member and project_id:%(project_id)s)".
# The FWaaS API now supports Secure RBAC default roles.

# Create a shared firewall policy
# POST  /fwaas/firewall_policies
# Intended scope(s): project
#"create_firewall_policy:shared": "rule:admin_only"

# DEPRECATED
# "create_firewall_policy:shared":"rule:admin_only" has been
# deprecated since 2025.2 in favor of
# "create_firewall_policy:shared":"rule:admin_only".
# The FWaaS API now supports Secure RBAC default roles.

# Update ``shared`` attribute of a firewall policy
# PUT  /fwaas/firewall_policies/{id}
# Intended scope(s): project
#"update_firewall_policy:shared": "rule:admin_only"

# DEPRECATED
# "update_firewall_policy:shared":"rule:admin_only" has been
# deprecated since 2025.2 in favor of
# "update_firewall_policy:shared":"rule:admin_only".
# The FWaaS API now supports Secure RBAC default roles.

# Delete a shared firewall policy
# DELETE  /fwaas/firewall_policies/{id}
# Intended scope(s): project
#"delete_firewall_policy:shared": "rule:admin_only"

# DEPRECATED
# "delete_firewall_policy:shared":"rule:admin_only" has been
# deprecated since 2025.2 in favor of
# "delete_firewall_policy:shared":"rule:admin_only".
# The FWaaS API now supports Secure RBAC default roles.

# Get firewall policies
# GET  /fwaas/firewall_policies
# GET  /fwaas/firewall_policies/{id}
# Intended scope(s): project
#"get_firewall_policy": "(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_firewall_policies"

# DEPRECATED
# "get_firewall_policy":"rule:admin_or_owner or
# rule:shared_firewall_policies" has been deprecated since 2025.2 in
# favor of "get_firewall_policy":"(rule:admin_only) or (role:reader
# and project_id:%(project_id)s) or rule:shared_firewall_policies".
# The FWaaS API now supports Secure RBAC default roles.

# Definition of shared firewall rules
#"shared_firewall_rules": "field:firewall_rules:shared=True"

# Create a firewall rule
# POST  /fwaas/firewall_rules
# Intended scope(s): project
#"create_firewall_rule": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "create_firewall_rule":"rule:regular_user" has been deprecated since
# 2025.2 in favor of "create_firewall_rule":"(rule:admin_only) or
# (role:member and project_id:%(project_id)s)".
# The FWaaS API now supports Secure RBAC default roles.

# Update a firewall rule
# PUT  /fwaas/firewall_rules/{id}
# Intended scope(s): project
#"update_firewall_rule": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "update_firewall_rule":"rule:admin_or_owner" has been deprecated
# since 2025.2 in favor of "update_firewall_rule":"(rule:admin_only)
# or (role:member and project_id:%(project_id)s)".
# The FWaaS API now supports Secure RBAC default roles.

# Delete a firewall rule
# DELETE  /fwaas/firewall_rules/{id}
# Intended scope(s): project
#"delete_firewall_rule": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "delete_firewall_rule":"rule:admin_or_owner" has been deprecated
# since 2025.2 in favor of "delete_firewall_rule":"(rule:admin_only)
# or (role:member and project_id:%(project_id)s)".
# The FWaaS API now supports Secure RBAC default roles.

# Create a shared firewall rule
# POST  /fwaas/firewall_rules
# Intended scope(s): project
#"create_firewall_rule:shared": "rule:admin_only"

# DEPRECATED
# "create_firewall_rule:shared":"rule:admin_only" has been deprecated
# since 2025.2 in favor of
# "create_firewall_rule:shared":"rule:admin_only".
# The FWaaS API now supports Secure RBAC default roles.

# Update ``shared`` attribute of a firewall rule
# PUT  /fwaas/firewall_rules/{id}
# Intended scope(s): project
#"update_firewall_rule:shared": "rule:admin_only"

# DEPRECATED
# "update_firewall_rule:shared":"rule:admin_only" has been deprecated
# since 2025.2 in favor of
# "update_firewall_rule:shared":"rule:admin_only".
# The FWaaS API now supports Secure RBAC default roles.

# Delete a shared firewall rule
# DELETE  /fwaas/firewall_rules/{id}
# Intended scope(s): project
#"delete_firewall_rule:shared": "rule:admin_only"

# DEPRECATED
# "delete_firewall_rule:shared":"rule:admin_only" has been deprecated
# since 2025.2 in favor of
# "delete_firewall_rule:shared":"rule:admin_only".
# The FWaaS API now supports Secure RBAC default roles.

# Get firewall rules
# GET  /fwaas/firewall_rules
# GET  /fwaas/firewall_rules/{id}
# Intended scope(s): project
#"get_firewall_rule": "(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_firewall_rules"

# DEPRECATED
# "get_firewall_rule":"rule:admin_or_owner or
# rule:shared_firewall_rules" has been deprecated since 2025.2 in
# favor of "get_firewall_rule":"(rule:admin_only) or (role:reader and
# project_id:%(project_id)s) or rule:shared_firewall_rules".
# The FWaaS API now supports Secure RBAC default roles.

# Insert rule into a firewall policy
# PUT  /fwaas/firewall_policies/{id}/insert_rule
# Intended scope(s): project
#"insert_rule": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "insert_rule":"rule:admin_or_owner" has been deprecated since 2025.2
# in favor of "insert_rule":"(rule:admin_only) or (role:member and
# project_id:%(project_id)s)".
# The FWaaS API now supports Secure RBAC default roles.

# Remove rule from a firewall policy
# PUT  /fwaas/firewall_policies/{id}/remove_rule
# Intended scope(s): project
#"remove_rule": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "remove_rule":"rule:admin_or_owner" has been deprecated since 2025.2
# in favor of "remove_rule":"(rule:admin_only) or (role:member and
# project_id:%(project_id)s)".
# The FWaaS API now supports Secure RBAC default roles.