
********************
create_firewall_rule
********************



.. py:method:: Route53GlobalResolver.Client.create_firewall_rule(**kwargs)

  

  Creates a DNS firewall rule. Firewall rules define actions (ALLOW, BLOCK, or ALERT) to take on DNS queries that match specified domain lists, managed domain lists, or advanced threat protections.

  

  See also: `AWS API Documentation <https://docs.aws.amazon.com/goto/WebAPI/route53globalresolver-2022-09-27/CreateFirewallRule>`_  


  **Request Syntax**
  ::

    response = client.create_firewall_rule(
        action='ALLOW'|'ALERT'|'BLOCK',
        blockOverrideDnsType='CNAME',
        blockOverrideDomain='string',
        blockOverrideTtl=123,
        blockResponse='NODATA'|'NXDOMAIN'|'OVERRIDE',
        clientToken='string',
        confidenceThreshold='LOW'|'MEDIUM'|'HIGH',
        description='string',
        dnsAdvancedProtection='DGA'|'DNS_TUNNELING',
        firewallDomainListId='string',
        name='string',
        priority=123,
        dnsViewId='string',
        qType='string'
    )
    
  :type action: string
  :param action: **[REQUIRED]** 

    The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list:

    * ``ALLOW`` - Permit the request to go through.
    * ``ALERT`` - Permit the request and send metrics and logs to CloudWatch.
    * ``BLOCK`` - Disallow the request. This option requires additional details in the rule's ``BlockResponse``.

  
  :type blockOverrideDnsType: string
  :param blockOverrideDnsType: 

    The DNS record's type. This determines the format of the record value that you provided in ``BlockOverrideDomain``. Used for the rule action ``BLOCK`` with a ``BlockResponse`` setting of ``OVERRIDE``.

     

    This setting is required if the ``BlockResponse`` setting is ``OVERRIDE``.

    

  
  :type blockOverrideDomain: string
  :param blockOverrideDomain: 

    The custom DNS record to send back in response to the query. Used for the rule action ``BLOCK`` with a ``BlockResponse`` setting of ``OVERRIDE``.

     

    This setting is required if the ``BlockResponse`` setting is ``OVERRIDE``.

    

  
  :type blockOverrideTtl: integer
  :param blockOverrideTtl: 

    The recommended amount of time, in seconds, for the DNS resolver or web browser to cache the provided override record. Used for the rule action ``BLOCK`` with a ``BlockResponse`` setting of ``OVERRIDE``.

     

    This setting is required if the ``BlockResponse`` setting is ``OVERRIDE``.

    

  
  :type blockResponse: string
  :param blockResponse: 

    The response to return when the action is BLOCK. Valid values are NXDOMAIN (domain does not exist), NODATA (domain exists but no records), or OVERRIDE (return custom response).

    

  
  :type clientToken: string
  :param clientToken: 

    A unique, case-sensitive identifier to ensure idempotency. This means that making the same request multiple times with the same ``clientToken`` has the same result every time.

    This field is autopopulated if not provided.

  
  :type confidenceThreshold: string
  :param confidenceThreshold: 

    The confidence threshold for advanced threat detection. Valid values are HIGH, MEDIUM, or LOW, indicating the accuracy level required for threat detection.

    

  
  :type description: string
  :param description: 

    An optional description for the firewall rule.

    

  
  :type dnsAdvancedProtection: string
  :param dnsAdvancedProtection: 

    The advanced DNS threat protection to enable for this rule: ``DGA`` detects Domain Generation Algorithm traffic and ``DNS_TUNNELING`` detects DNS tunneling. Advanced protection can detect and block these threats without a domain list.


  
  :type firewallDomainListId: string
  :param firewallDomainListId: 

    The ID of the firewall domain list to use in this rule.

    

  
  :type name: string
  :param name: **[REQUIRED]** 

    A descriptive name for the firewall rule.

    

  
  :type priority: integer
  :param priority: 

    The priority of this rule. Rules are evaluated in priority order, with lower numbers having higher priority. When a DNS query matches multiple rules, the rule with the highest priority (lowest number) is applied.

    

  
  :type dnsViewId: string
  :param dnsViewId: **[REQUIRED]** 

    The ID of the DNS view to associate with this firewall rule.

    

  
  :type qType: string
  :param qType: 

    The DNS query type to match for this rule. Examples include A (IPv4 address), AAAA (IPv6 address), MX (mail exchange), or TXT (text record).

    

  
  
  :rtype: dict
  :returns: 
    
    **Response Syntax**

    
    ::

      {
          'action': 'ALLOW'|'ALERT'|'BLOCK',
          'blockOverrideDnsType': 'CNAME',
          'blockOverrideDomain': 'string',
          'blockOverrideTtl': 123,
          'blockResponse': 'NODATA'|'NXDOMAIN'|'OVERRIDE',
          'confidenceThreshold': 'LOW'|'MEDIUM'|'HIGH',
          'createdAt': datetime(2015, 1, 1),
          'description': 'string',
          'dnsAdvancedProtection': 'DGA'|'DNS_TUNNELING',
          'firewallDomainListId': 'string',
          'id': 'string',
          'name': 'string',
          'priority': 123,
          'dnsViewId': 'string',
          'queryType': 'string',
          'status': 'CREATING'|'OPERATIONAL'|'UPDATING'|'DELETING',
          'updatedAt': datetime(2015, 1, 1)
      }
      
    **Response Structure**

    

    - *(dict) --* 
      

      - **action** *(string) --* 

        The action that DNS Firewall takes on DNS queries that match this rule.

        
      

      - **blockOverrideDnsType** *(string) --* 

        The DNS record type for the custom response when blockResponse is OVERRIDE.

        
      

      - **blockOverrideDomain** *(string) --* 

        The custom domain to return when the action is BLOCK and blockResponse is OVERRIDE.

        
      

      - **blockOverrideTtl** *(integer) --* 

        The time-to-live (TTL) value for the custom response when blockResponse is OVERRIDE.

        
      

      - **blockResponse** *(string) --* 

        The response to return when the action is BLOCK.

        
      

      - **confidenceThreshold** *(string) --* 

        The confidence threshold for advanced threat detection.

        
      

      - **createdAt** *(datetime) --* 

        The date and time when the firewall rule was created.

        
      

      - **description** *(string) --* 

        The description of the firewall rule.

        
      

      - **dnsAdvancedProtection** *(string) --* 

        The advanced DNS threat protection enabled for this rule (``DGA`` or ``DNS_TUNNELING``), if any.

      

      - **firewallDomainListId** *(string) --* 

        The ID of the firewall domain list used in this rule.

        
      

      - **id** *(string) --* 

        The unique identifier for the firewall rule.

        
      

      - **name** *(string) --* 

        The name of the firewall rule.

        
      

      - **priority** *(integer) --* 

        The priority of the firewall rule.

        
      

      - **dnsViewId** *(string) --* 

        The ID of the DNS view associated with this firewall rule.

        
      

      - **queryType** *(string) --* 

        The DNS query type that this rule matches.

        
      

      - **status** *(string) --* 

        The operational status of the firewall rule.

        
      

      - **updatedAt** *(datetime) --* 

        The date and time when the firewall rule was last updated.

        
  
  **Exceptions**
  
  *   :py:class:`Route53GlobalResolver.Client.exceptions.InternalServerException`

  
  *   :py:class:`Route53GlobalResolver.Client.exceptions.ValidationException`

  
  *   :py:class:`Route53GlobalResolver.Client.exceptions.ConflictException`

  
  *   :py:class:`Route53GlobalResolver.Client.exceptions.ServiceQuotaExceededException`

  
  *   :py:class:`Route53GlobalResolver.Client.exceptions.AccessDeniedException`

  
  *   :py:class:`Route53GlobalResolver.Client.exceptions.ThrottlingException`

  
  *   :py:class:`Route53GlobalResolver.Client.exceptions.ResourceNotFoundException`
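An added example, not part of the boto3 documentation: a client-side check of the parameter constraints stated on this page (required fields, ``BLOCK`` needs a ``blockResponse``, ``OVERRIDE`` needs the three ``blockOverride*`` fields), plus a helper that builds a ``BLOCK``/``OVERRIDE`` rule answering matching queries with a CNAME to a sinkhole host. The function names, the injected ``client`` (assumed to be a boto3 Route53GlobalResolver client) and all sample IDs are assumptions.

```python
# Assumed constraints, taken from the parameter descriptions on this page.
ACTIONS = {"ALLOW", "ALERT", "BLOCK"}
BLOCK_RESPONSES = {"NODATA", "NXDOMAIN", "OVERRIDE"}
PROTECTIONS = {"DGA", "DNS_TUNNELING"}
THRESHOLDS = {"LOW", "MEDIUM", "HIGH"}
OVERRIDE_FIELDS = ("blockOverrideDnsType", "blockOverrideDomain", "blockOverrideTtl")


def validate_firewall_rule_request(params: dict) -> dict:
    """Return params unchanged if they satisfy the documented constraints, else raise ValueError."""
    for required in ("action", "name", "dnsViewId"):
        if not params.get(required):
            raise ValueError(f"{required} is required")
    if params["action"] not in ACTIONS:
        raise ValueError(f"invalid action {params['action']!r}")
    if params["action"] == "BLOCK":
        # BLOCK needs a blockResponse; OVERRIDE additionally needs the custom record fields.
        response = params.get("blockResponse")
        if response not in BLOCK_RESPONSES:
            raise ValueError("BLOCK requires blockResponse NODATA, NXDOMAIN or OVERRIDE")
        if response == "OVERRIDE":
            missing = [f for f in OVERRIDE_FIELDS if params.get(f) is None]
            if missing:
                raise ValueError(f"OVERRIDE requires {', '.join(missing)}")
            if params["blockOverrideDnsType"] != "CNAME":
                raise ValueError("blockOverrideDnsType must be CNAME")
    if "dnsAdvancedProtection" in params and params["dnsAdvancedProtection"] not in PROTECTIONS:
        raise ValueError("dnsAdvancedProtection must be DGA or DNS_TUNNELING")
    if "confidenceThreshold" in params and params["confidenceThreshold"] not in THRESHOLDS:
        raise ValueError("confidenceThreshold must be LOW, MEDIUM or HIGH")
    return params


def sinkhole_rule(name: str, dns_view_id: str, domain_list_id: str,
                  sinkhole_host: str, priority: int = 100, ttl: int = 60) -> dict:
    """Build a BLOCK/OVERRIDE rule that answers matching queries with a CNAME to a sinkhole host."""
    return validate_firewall_rule_request({
        "action": "BLOCK", "blockResponse": "OVERRIDE",
        "blockOverrideDnsType": "CNAME", "blockOverrideDomain": sinkhole_host,
        "blockOverrideTtl": ttl, "firewallDomainListId": domain_list_id,
        "name": name, "dnsViewId": dns_view_id, "priority": priority,
        "description": "Constructed example: redirect listed domains to a sinkhole",
    })


def create_rule(client, params: dict) -> dict:
    """Validate, then call client.create_firewall_rule; client is an assumed boto3 client."""
    return client.create_firewall_rule(**validate_firewall_rule_request(params))
```

Because the check runs before the request is sent, a rule that would fail with ``ValidationException`` (for example ``OVERRIDE`` without a ``blockOverrideDomain``) is rejected locally with a message naming the missing field.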

  