Create Firewall Policy - HTTPBased response 501

Hi All!

I'm working with the Sophos XG 1700.1 API looking to create an HTTPBased Firewall policy.

I seem to be running into an issue when making the request. 
response from the request:
<?xml version="1.0" encoding="UTF-8"?>
<Response APIVersion="1700.1">
  <Login>
    <status>Authentication Successful</status>
  </Login>
  <SecurityPolicy transactionid="">
    <Status code="501">Configuration parameters validation failed.</Status>
    <InvalidParams/>
  </SecurityPolicy>
</Response>

request:
/webconsole/APIController?reqxml=<Request><Login><Username>admin</Username><Password>notpassword</Password></Login><Set operation="add"><SecurityPolicy><Name>HTTPBased Policy</Name><Position>top</Position><Description>HTTP Based Policy</Description><Status>Disable</Status><IPFamily>IPv4</IPFamily><PolicyType>HTTPBased</PolicyType><HTTPBasedPolicy><HostedAddress>10.0.0.10</HostedAddress><HTTPS>Disable</HTTPS><RedirectHTTP>Disable</RedirectHTTP><ListenPort>80</ListenPort><Domains><Domain>derp.com</Domain></Domains><AllowFrom><Address>Test Server</Address></AllowFrom><Exceptions><Exception><path>/</path><op>or</op><source>Any IPv4</source><skip_threats_filter_categories>protocol_violations</skip_threats_filter_categories><skip_threats_filter_categories>protocol_anomalies</skip_threats_filter_categories><skip_threats_filter_categories>request_limits</skip_threats_filter_categories><skipav>1</skipav><skipbadclients>1</skipbadclients><skipcookie>1</skipcookie><skipform>1</skipform><skipurl>1</skipurl></Exception></Exceptions><ProtocolSecurity /><CompressionSupport>Disable</CompressionSupport><RewriteHTML>Disable</RewriteHTML><RewriteCookies>Disable</RewriteCookies><PassHostHeader>Disable</PassHostHeader></HTTPBasedPolicy><IntrusionPrevention>None</IntrusionPrevention><TrafficShapingPolicy>None</TrafficShapingPolicy><SourceSecurityHeartbeat>Disable</SourceSecurityHeartbeat><MinimumSourceHBPermitted /><DestSecurityHeartbeat>Disable</DestSecurityHeartbeat><MinimumDestinationHBPermitted /></SecurityPolicy></Set></Request>

If anyone could help that would be awesome!

thanks,

Luke


  • Luke, 

    Were you able to get this to work? I recently started playing with the API and I have been able to successfully create firewall rules. If you want I can post the code here. 

  • In reply to Joe Plunkett:

    IPInfoSec

    Luke, 

    Were you able to get this to work? I recently started playing with the API and I have been able to successfully create firewall rules. If you want I can post the code here. 

     

    So I'm able to create firewall policies. The only issue I'm having is creating an HTTPBased policy. In the API documentation you need to select a Policy type, e.g. User/Network/HTTPBased/NonHTTPBased/PublicNonHTTPPolicy. I can create all of these except for an HTTPBased. Just looking for minimum requirements or what I'm missing to make a valid request.

  • In reply to Luke Milby:

    Luke,

    I understand now. That is strange. Are you passing all these parameters into the browser or through a separate xml file? 

  • In reply to Joe Plunkett:

    IPInfoSec

    Luke,

    I understand now. That is strange. Are you passing all these parameters into the browser or through a separate xml file? 

     

     

    Using Python to make the request. I have Python build the URL that will be passed in the request. The URL contains all the XML and is what I posted in the request section.

  • In reply to Luke Milby:

    I would pass the XML as a separate file - If the XML request in the URL is too long it will fail out. Below is a function that I built in Python to do this - Give it a try with all the XML in a separate file:  Note to use this you only need to change the 'ip_address' variable and the 'xml_files' variable

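    import requests

    xml_files = ['myFile1.xml', 'myFile2.xml']  # Add xml files here
    ip_address = '10.10.10.10'

    def api_call(api_ip, xml_doc):
        """POST one XML request file to the API as the multipart 'reqxml' field."""
        api_url = r'https://{}:4444/webconsole/APIController?'.format(api_ip)
        # Open the file in a with-block so the handle is closed after the request.
        with open(xml_doc, 'rb') as xml_fh:
            payload = {'reqxml': (None, xml_fh)}
            # verify=False turns off TLS certificate validation, so the login in the
            # XML is sent without authenticating the appliance; pass a CA bundle path
            # as verify= once the appliance certificate is trusted.
            r = requests.post(api_url, files=payload, verify=False)
        print(r.text)

    for file in xml_files:
        api_call(api_ip=ip_address, xml_doc=file)
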
  • In reply to Joe Plunkett:

    Thanks, I'll give this a shot and see how it goes.

  • In reply to Joe Plunkett:

    Sorry for the delay. I tested it with the file and I still seem to get 

    <?xml version="1.0" encoding="UTF-8"?>
    <Response APIVersion="1700.1">
    <Login>
    <status>Authentication Successful</status>
    </Login>
    <SecurityPolicy transactionid="">
    <Status code="501">Configuration parameters validation failed.</Status>
    <InvalidParams/>
    </SecurityPolicy>
    </Response>

    Am I missing anything or have anything set incorrectly?

     

    Thanks,

    Luke

  • In reply to Luke Milby:

    Luke, 

    It is hard to say if you missed something without seeing the full URL and XML being passed. Typically when I get that error message it means I have a typo somewhere. Considering it Authenticated correctly, your issue is after that in the XML and not with the URL or the Auth phase. 

  • In reply to Joe Plunkett:

    Yeah I think I'm missing a few things. After doing what I could with the XML I started looking over the system logs. Think I found my issue in /log/apiparser.log. Seems I'm missing a few things.

    Thanks for the help!

    INFO : 24325 No need to create Tar file. Response file is /sdisk/APIXMLOutput/1528226409136.xml
    INFO : 24325 Start Login Handler,Component : Login
    ERROR : 24325 Key:ISCrEntity is not found in RequestMap File for Login.
    INFO : 24325 Mapping file for Login component is /_conf/csc/IOMappingFiles//1700.1/Login/Login.xml
    ERROR : 24325 Flag setting for this opcode is 18.
    INFO : 24325 Opcode response: status:200
    INFO : 24325 Authentication Successful
    INFO : 24325 Start Set Handler,Component : SecurityPolicy
    ERROR : 24325 Key:ISCrEntity is not found in RequestMap File for SecurityPolicy.
    WARNING : 24325 Transaction id is missing of for the component : <SecurityPolicy>.
    ERROR : 24325 Parser Error: xmlvalue for jsonkey="tempsourceid", xmlelement="/SecurityPolicy/SourceNetworks/Network" cannot be found in request file.
    ERROR : 24325 Parser Error: xmlvalue for jsonkey="tempexceptionid", xmlelement="/SecurityPolicy/ExceptionNetworks/Network" cannot be found in request file.
    ERROR : 24325 Parser Error: xmlvalue for jsonkey="", xmlelement="/SecurityPolicy/HTTPBasedPolicy/Certificate" cannot be found in request file.
    ERROR : 24325 json object not found with key="tempsourceid" to handle logicaloperator.
    ERROR : 24325 Parser Error: xmlvalue for jsonkey="sourceid", xmlelement="/SecurityPolicy/SourceNetworks/Network" cannot be found in request file.
    ERROR : 24325 json object not found with key="tempexceptionid" to handle logicaloperator.
    ERROR : 24325 Parser Error: xmlvalue for jsonkey="exceptionid", xmlelement="/SecurityPolicy/ExceptionNetworks/Network" cannot be found in request file.
    ERROR : 24325 Parser Error: xmlvalue for jsonkey="frontend.certificate", xmlelement="/SecurityPolicy/HTTPBasedPolicy/Certificate" cannot be found in request file.
    ERROR : 24325 Flag setting for this opcode is 16.
    INFO : 24325 Opcode response: status:500
    INFO : 24325 End SET Handler, Status : Success, Component : SecurityPolicy, Transaction : NONE, Operation : add.
    INFO : 24325 Command:/scripts/apiparser_generate_tar.sh /sdisk/api-1528226409292181.txt /sdisk/API-1528226409292181 /sdisk/APIXMLOutput/1528226409136.xml /sdisk/API-1528226409292181.tar /sdisk/API-1528226409292181.log 0 status:3
    INFO : 24325 No need to create Tar file. Response file is /sdisk/APIXMLOutput/1528226409136.xml
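
The "Parser Error" entries in the log above name the request elements the API could not find. As an added example (not part of the original posts), this Python groups apiparser.log entries by the number after the log level and reports the missing element paths and opcode status per component, splitting entries that were written without a newline between them. Treating that number as one API call is an assumption.

```python
import re

# Excerpt of the apiparser.log lines quoted in the post above, including the
# line where two entries are run together without a newline.
SAMPLE_LOG = '''\
INFO : 24325 No need to create Tar file. Response file is /sdisk/APIXMLOutput/1528226409136.xmlINFO : 24325 Start Login Handler,Component : Login
INFO : 24325 Opcode response: status:200
INFO : 24325 Start Set Handler,Component : SecurityPolicy
WARNING : 24325 Transaction id is missing of for the component : <SecurityPolicy>.
ERROR : 24325 Parser Error: xmlvalue for jsonkey="tempsourceid", xmlelement="/SecurityPolicy/SourceNetworks/Network" cannot be found in request file.
ERROR : 24325 Parser Error: xmlvalue for jsonkey="tempexceptionid", xmlelement="/SecurityPolicy/ExceptionNetworks/Network" cannot be found in request file.
ERROR : 24325 Parser Error: xmlvalue for jsonkey="", xmlelement="/SecurityPolicy/HTTPBasedPolicy/Certificate" cannot be found in request file.
ERROR : 24325 Parser Error: xmlvalue for jsonkey="sourceid", xmlelement="/SecurityPolicy/SourceNetworks/Network" cannot be found in request file.
INFO : 24325 Opcode response: status:500
'''

# One entry = level, numeric id, message up to the next entry marker (or end of text).
ENTRY = re.compile(r'(INFO|ERROR|WARNING) : (\d+) (.*?)(?=(?:INFO|ERROR|WARNING) : \d+ |\Z)', re.S)
HANDLER = re.compile(r'Start \w+ Handler,Component : (\w+)')
MISSING = re.compile(r'Parser Error: xmlvalue for jsonkey="[^"]*", xmlelement="([^"]+)" cannot be found')
STATUS = re.compile(r'Opcode response: status:(\d+)')

def summarize(log_text):
    """Return {run_id: {component: {"missing": [paths], "status": int or None}}}.

    run_id is the number after the log level; treating it as one API call is
    an assumption based on how the two attempts in the thread are numbered.
    """
    runs = {}
    current = {}  # run_id -> component whose handler started last
    for _level, run_id, msg in ENTRY.findall(log_text):
        msg = msg.strip()
        components = runs.setdefault(run_id, {})
        if (m := HANDLER.search(msg)):
            current[run_id] = m.group(1)
            components.setdefault(m.group(1), {"missing": [], "status": None})
            continue
        if run_id not in current:
            continue  # entry logged before any handler started
        entry = components[current[run_id]]
        if (m := MISSING.search(msg)) and m.group(1) not in entry["missing"]:
            entry["missing"].append(m.group(1))
        elif (m := STATUS.search(msg)):
            entry["status"] = int(m.group(1))
    return runs

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```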

  • In reply to Luke Milby:

    Luke, 

    Yeah it is hard to say without the XML to compare it to, but it looks like you didn't define a <Network> tag correctly. 

  • In reply to Joe Plunkett:

    Made changes to my request and added the missing elements. Still missing something as I'm still getting a 501 response. 

    From apiparse.log

    INFO : 27569 Start Login Handler,Component : Login
    ERROR : 27569 Key:ISCrEntity is not found in RequestMap File for Login.
    INFO : 27569 Mapping file for Login component is /_conf/csc/IOMappingFiles//1700.1/Login/Login.xml
    ERROR : 27569 Flag setting for this opcode is 18.
    INFO : 27569 Opcode response: status:200
    INFO : 27569 Authentication Successful
    INFO : 27569 Start Set Handler,Component : SecurityPolicy
    ERROR : 27569 Key:ISCrEntity is not found in RequestMap File for SecurityPolicy.
    ERROR : 27569 type != const in logicaloperator.So string comparision is done.
    ERROR : 27569 type != const in logicaloperator.So string comparision is done.
    ERROR : 27569 Flag setting for this opcode is 16.
    INFO : 27569 Opcode response: status:500
    INFO : 27569 End SET Handler, Status : Success, Component : SecurityPolicy, Transaction : , Operation : add.
    INFO : 27569 Command:/scripts/apiparser_generate_tar.sh /sdisk/api-1528393159508823.txt /sdisk/API-1528393159508823 /sdisk/APIXMLOutput/1528393159401.xml /sdisk/API-1528393159508823.tar /sdisk/API-1528393159508823.log 0 status:3

    Here's the XML I'm passing 

    <SecurityPolicy transactionid=""><Name>HTTPBased Policy</Name><Position>top</Position><Description>HTTP Based Policy</Description><Status>Disable</Status><IPFamily>IPv4</IPFamily><PolicyType>HTTPBased</PolicyType><SourceNetworks><Network>Test Source</Network></SourceNetworks><ExceptionNetworks><Network>Test Source</Network></ExceptionNetworks><HTTPBasedPolicy><Certificate></Certificate><HostedAddress>Test Server</HostedAddress><HTTPS>Disable</HTTPS><RedirectHTTP>Disable</RedirectHTTP><ListenPort>80</ListenPort><Domains><Domain>derp.com</Domain></Domains><AllowFrom><Address>10.10.101.10</Address></AllowFrom><Exceptions><Exception><path>/</path><op>or</op><source>Any IPv4</source><skip_threats_filter_categories>protocol_violations</skip_threats_filter_categories><skip_threats_filter_categories>protocol_anomalies</skip_threats_filter_categories><skip_threats_filter_categories>request_limits</skip_threats_filter_categories><skipav>1</skipav><skipbadclients>1</skipbadclients><skipcookie>1</skipcookie><skipform>1</skipform><skipurl>1</skipurl></Exception></Exceptions><ProtocolSecurity /><CompressionSupport>Disable</CompressionSupport><RewriteHTML>Disable</RewriteHTML><RewriteCookies>Disable</RewriteCookies><PassHostHeader>Disable</PassHostHeader></HTTPBasedPolicy><IntrusionPrevention>None</IntrusionPrevention><TrafficShapingPolicy>None</TrafficShapingPolicy><SourceSecurityHeartbeat>Disable</SourceSecurityHeartbeat><MinimumSourceHBPermitted /><DestSecurityHeartbeat>Disable</DestSecurityHeartbeat><MinimumDestinationHBPermitted /></SecurityPolicy></Set></Request>

     

    I'm not sure why it's not including what's missing or wrong with the request in the response. 

    Let me know if you have any ideas or it's misconfigured. 

    Thanks!

  • In reply to Luke Milby:

    Luke, do you have an opening <Request> <Login> and <Set>  ?

  • In reply to Michael Dunn:

    Oh yes, sorry I forgot to add it in the post. 

  • In reply to Luke Milby:

    Luke, 

    Sorry I didn't respond sooner I must have missed that you posted. If you PM me the full XML file (obviously remove sensitive data) I will test it on my lab network and track down the issue for you. 

    What can help is adding numbers to the "transaction ID" section - that way when the section fails you can trace the transaction ID to the specific command that failed.
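
The transaction ID suggestion above, as an added example that is not part of the original posts: this Python numbers every component under `<Set>` and maps each non-2xx `<Status>` in the response back to the component that caused it. The request and response are constructed samples in the shape quoted in the thread, and it assumes the API echoes each `transactionid` back on the matching response element.

```python
import xml.etree.ElementTree as ET

# Constructed request: two policies under one <Set>, trimmed to a few
# elements from the thread, with placeholder credentials.
REQUEST = (
    '<Request><Login><Username>USER</Username><Password>PASSWORD</Password></Login>'
    '<Set operation="add">'
    '<SecurityPolicy><Name>Network Policy</Name><PolicyType>Network</PolicyType></SecurityPolicy>'
    '<SecurityPolicy><Name>HTTPBased Policy</Name><PolicyType>HTTPBased</PolicyType></SecurityPolicy>'
    '</Set></Request>'
)
# Constructed response in the shape quoted in the thread; assumes the API
# echoes each component's transactionid back.
RESPONSE = (
    '<?xml version="1.0" encoding="UTF-8"?><Response APIVersion="1700.1">'
    '<Login><status>Authentication Successful</status></Login>'
    '<SecurityPolicy transactionid="1"><Status code="200">Configuration applied successfully.</Status></SecurityPolicy>'
    '<SecurityPolicy transactionid="2"><Status code="501">Configuration parameters validation failed.</Status>'
    '<InvalidParams/></SecurityPolicy></Response>'
)


def tag_transactions(request_xml, start=1):
    """Number every component under <Set>; return (xml_text, {id: label})."""
    root = ET.fromstring(request_xml)
    labels = {}
    txid = start
    for set_el in root.iter("Set"):
        for component in set_el:
            component.set("transactionid", str(txid))
            name = component.findtext("Name", default="?")
            labels[str(txid)] = f"{component.tag} '{name}'"
            txid += 1
    return ET.tostring(root, encoding="unicode"), labels


def failed_transactions(response_xml, labels):
    """Return [(id, label, code, message)] for every non-2xx <Status>."""
    failures = []
    for component in ET.fromstring(response_xml):
        status = component.find("Status")  # <Login> has no <Status>, so it is skipped
        if status is None or status.get("code", "").startswith("2"):
            continue
        txid = component.get("transactionid", "")
        failures.append((txid, labels.get(txid, "unknown"), status.get("code"), status.text))
    return failures
```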