Boundaries Management

This guide will highlight the steps involved in managing boundaries.

What is a boundary?

A Boundary represents a logical grouping of devices based on network connections (such as SSIDs or IP addresses) or device properties (like name, MAC address, or type) within your organization's network infrastructure. Think of it as a way to organize and segment your network for better visibility and management.

Why Use Boundaries?

Organizing devices into Boundaries is essential for leveraging the full power of Armis for network segmentation and asset management. Each Boundary allows you to group devices based on network characteristics or properties, providing clear visibility into different segments of your network infrastructure.

Example

You're an organization with multiple network segments across your infrastructure, and you chose Armis to manage your asset inventory with proper network segmentation. A key aspect of getting the most out of Armis is organizing devices into boundaries, where each boundary reflects a logical network segment.

Let's say you want to create the following network boundaries:

  1. Corporate WiFi Network (SSID-based)
  2. Guest Network (SSID-based)
  3. IoT Devices Network (IP range-based)
  4. Production Servers (IP range-based)
  5. OT Equipment (Device type-based)

You would create five distinct Boundaries in Armis, one for each logical segment.

Step 1: Create a boundary

The only mandatory field that a boundary requires is a name. You can create a bare-bones boundary first and configure it later, or you can set it up fully during the initial creation step for maximum efficiency.

The full list of properties you can set when creating a boundary can be seen here.

Repeat this step to create multiple boundaries.

Prerequisites

  1. Access token with scope PERMISSION.SETTINGS.BOUNDARY.MANAGE.EDIT.

Send the request

import json
import requests

body = {
    "name": "Corporate WiFi Network",
}
access_token = "your_access_token_here"
headers = {
    "Authorization": f"Bearer {access_token}",
}

response = requests.post(
    "https://api.armis.com/v3/settings/boundaries",
    json=body,
    headers=headers,
    timeout=30,  # fail instead of hanging if the API does not respond
)

response.raise_for_status()
print(json.dumps(response.json(), indent=2))

{
  "id": 1,
  "name": "Corporate WiFi Network"
}

Step 2: Configure boundary rules

Once the boundaries are created, the next crucial step is to configure the rules that define which devices belong to each boundary. This is achieved by updating the boundary with specific criteria.

Boundaries can be configured in two ways:

  1. Site-based assignment: Associate the boundary with one or more site IDs using the site_ids field. All devices within those sites will automatically be assigned to this boundary.
  2. Rule-based assignment: Define device matching criteria using the asq_rule field (Armis Search Query). This allows you to create boundaries based on:
    • SSID-based: Devices connected to specific wireless networks
    • IP address-based: Devices with IP addresses in specific ranges
    • Device property-based: Devices matching specific properties (name, MAC address, type, etc.)

Setting these rules ensures that your device inventory is properly segmented according to your network architecture, providing the context necessary for effective management and security.

Prerequisites

  1. Access token with scope PERMISSION.SETTINGS.BOUNDARY.MANAGE.EDIT.

Send the request

import json
import requests

boundary_id = 1  # the id that we got when we created the boundary

# Option 1: Configure by site IDs
body = {
    "name": "Corporate WiFi Network",
    "site_ids": [1, 2, 3]  # Associate with specific site IDs
}

# Option 2: Configure by ASQ rule (device matching criteria)
# body = {
#     "name": "Corporate WiFi Network",
#     "asq_rule": "ssid:Corporate-WiFi"  # Match devices by SSID, IP range, or properties
# }

# Option 3: You can use both site_ids and asq_rule together
# body = {
#     "name": "Corporate WiFi Network",
#     "site_ids": [1, 2],
#     "asq_rule": "ssid:Corporate-WiFi"
# }

access_token = "your_access_token_here"
headers = {
    "Authorization": f"Bearer {access_token}",
}

response = requests.patch(
    f"https://api.armis.com/v3/settings/boundaries/{boundary_id}",
    json=body,
    headers=headers,
    timeout=30,  # fail instead of hanging if the API does not respond
)

response.raise_for_status()
print(json.dumps(response.json(), indent=2))

{
  "id": 1,
  "name": "Corporate WiFi Network"
}

If you know all of a boundary's details at the time of its creation, you can provide them during the creation process itself.
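
An added example, not from the Armis documentation: a pre-flight check that validates a batch of boundary definitions locally and builds the create requests without sending them, flagging boundaries that have no site or ASQ rule yet. It assumes the create body accepts the same site_ids and asq_rule fields shown in the update step; the ssid:Guest-WiFi rule, the site IDs, the duplicate-name check and the ARMIS_ACCESS_TOKEN variable name are assumptions.

```python
import os

API_URL = "https://api.armis.com/v3/settings/boundaries"  # endpoint from this page

# Constructed sample: the five boundaries from the example on this page.
SAMPLE = [
    {"name": "Corporate WiFi Network", "asq_rule": "ssid:Corporate-WiFi"},
    {"name": "Guest Network", "asq_rule": "ssid:Guest-WiFi"},  # constructed SSID
    {"name": "IoT Devices Network"},   # bare-bones, rule added later (Step 2)
    {"name": "Production Servers", "site_ids": [1, 2]},  # constructed site IDs
    {"name": "OT Equipment", "site_ids": "3"},  # deliberate mistake: not a list
]

def validate_boundary(spec):
    """Return a list of problems found in one boundary definition."""
    problems = []
    name = spec.get("name")
    if not isinstance(name, str) or not name.strip():
        problems.append("name is mandatory and must be a non-empty string")
    ids = spec.get("site_ids", [])
    if not isinstance(ids, list) or not all(type(i) is int for i in ids):
        problems.append("site_ids must be a list of integers")
    rule = spec.get("asq_rule")
    if rule is not None and (not isinstance(rule, str) or not rule.strip()):
        problems.append("asq_rule must be a non-empty string when present")
    return problems

def build_plan(specs):
    """Return (requests to send, errors by index, names with no rule yet)."""
    plan, errors, unassigned, seen = [], {}, [], set()
    for index, spec in enumerate(specs):
        problems = validate_boundary(spec)
        key = str(spec.get("name", "")).strip().lower()
        if key and key in seen:  # local hygiene check, an assumption
            problems.append("duplicate boundary name in this batch")
        seen.add(key)
        if problems:
            errors[index] = problems
            continue
        if not spec.get("site_ids") and not spec.get("asq_rule"):
            unassigned.append(spec["name"])  # no site or ASQ rule set yet
        plan.append(("POST", API_URL, dict(spec)))
    return plan, errors, unassigned

def auth_headers():
    # Token is read from the environment (variable name is an assumption).
    return {"Authorization": f"Bearer {os.environ['ARMIS_ACCESS_TOKEN']}"}
```

Each entry in the returned plan can be passed to requests as in the snippets above, with auth_headers() supplying the Authorization header.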
