
Create Firewall Policy - HTTPBased response 501

Hi All!

I'm working with the Sophos XG 1700.1 API, looking to create an HTTPBased firewall policy.

I seem to be running into an issue when making the request.
Response from the request:

<?xml version="1.0" encoding="UTF-8"?>
<Response APIVersion="1700.1">
  <Login>
    <status>Authentication Successful</status>
  </Login>
  <SecurityPolicy transactionid="">
    <Status code="501">Configuration parameters validation failed.</Status>
    <InvalidParams/>
  </SecurityPolicy>
</Response>

Request:
/webconsole/APIController?reqxml=<Request><Login><Username>admin</Username><Password>notpassword</Password></Login><Set operation="add"><SecurityPolicy><Name>HTTPBased Policy</Name><Position>top</Position><Description>HTTP Based Policy</Description><Status>Disable</Status><IPFamily>IPv4</IPFamily><PolicyType>HTTPBased</PolicyType><HTTPBasedPolicy><HostedAddress>10.0.0.10</HostedAddress><HTTPS>Disable</HTTPS><RedirectHTTP>Disable</RedirectHTTP><ListenPort>80</ListenPort><Domains><Domain>derp.com</Domain></Domains><AllowFrom><Address>Test Server</Address></AllowFrom><Exceptions><Exception><path>/</path><op>or</op><source>Any IPv4</source><skip_threats_filter_categories>protocol_violations</skip_threats_filter_categories><skip_threats_filter_categories>protocol_anomalies</skip_threats_filter_categories><skip_threats_filter_categories>request_limits</skip_threats_filter_categories><skipav>1</skipav><skipbadclients>1</skipbadclients><skipcookie>1</skipcookie><skipform>1</skipform><skipurl>1</skipurl></Exception></Exceptions><ProtocolSecurity /><CompressionSupport>Disable</CompressionSupport><RewriteHTML>Disable</RewriteHTML><RewriteCookies>Disable</RewriteCookies><PassHostHeader>Disable</PassHostHeader></HTTPBasedPolicy><IntrusionPrevention>None</IntrusionPrevention><TrafficShapingPolicy>None</TrafficShapingPolicy><SourceSecurityHeartbeat>Disable</SourceSecurityHeartbeat><MinimumSourceHBPermitted /><DestSecurityHeartbeat>Disable</DestSecurityHeartbeat><MinimumDestinationHBPermitted /></SecurityPolicy></Set></Request>

If anyone could help that would be awesome!

thanks,

Luke

  • Luke, 

    Were you able to get this to work? I recently started playing with the API and I have been able to successfully create firewall rules. If you want I can post the code here. 

  • Unknown said:

    Luke, 

    Were you able to get this to work? I recently started playing with the API and I have been able to successfully create firewall rules. If you want I can post the code here. 


    So I'm able to create firewall policies. The only issue I'm having is creating an HTTPBased policy. In the API documentation you need to select a policy type, e.g. User/Network/HTTPBased/NonHTTPBased/PublicNonHTTPPolicy. I can create all of these except for an HTTPBased one. Just looking for the minimum requirements, or what I'm missing, to make a valid request.

  • Luke,

    I understand now. That is strange. Are you passing all these parameters into the browser or through a separate xml file? 

  • Unknown said:

    Luke,

    I understand now. That is strange. Are you passing all these parameters into the browser or through a separate xml file? 


    Using Python to make the request. I have Python build the URL that will be passed in the request. The URL contains all the XML and is what I posted in the request section.

  • I would pass the XML as a separate file. If the XML request in the URL is too long it will fail. Below is a function that I built in Python to do this; give it a try with all the XML in a separate file. Note: to use this you only need to change the 'ip_address' variable and the 'xml_files' variable.

    import requests

    xml_files = ['myFile1.xml', 'myFile2.xml']  # Add xml files here
    ip_address = '10.10.10.10'

    def api_call(api_ip, xml_doc):
        # The XML is sent in the multipart body as the 'reqxml' field, so it is
        # not subject to the URL length limit that breaks long GET requests.
        api_url = r'https://{}:4444/webconsole/APIController?'.format(api_ip)
        with open(xml_doc, 'rb') as fh:
            payload = {'reqxml': (None, fh)}
            # verify=False disables TLS certificate validation; acceptable on a
            # lab network, but point verify= at the firewall's CA cert elsewhere.
            r = requests.post(api_url, files=payload, verify=False)
        print(r.text)

    for file in xml_files:
        api_call(api_ip=ip_address, xml_doc=file)

  • Thanks, I'll give this a shot and see how it goes.

  • Sorry for the delay. I tested it with the file and I still seem to get:

    <?xml version="1.0" encoding="UTF-8"?>
    <Response APIVersion="1700.1">
    <Login>
    <status>Authentication Successful</status>
    </Login>
    <SecurityPolicy transactionid="">
    <Status code="501">Configuration parameters validation failed.</Status>
    <InvalidParams/>
    </SecurityPolicy>
    </Response>

    Am I missing anything or have anything set incorrectly?


    Thanks,

    Luke

  • Luke, 

    It is hard to say if you missed something without seeing the full URL and XML being passed. Typically when I get that error message it means I have a typo somewhere. Considering it authenticated correctly, your issue is after that, in the XML, and not with the URL or the auth phase.

  • Yeah, I think I'm missing a few things. After doing what I could with the XML I started looking over the system logs. I think I found my issue in /log/apiparser.log. Seems I'm missing a few things.

    Thanks for the help!

    INFO : 24325 No need to create Tar file. Response file is /sdisk/APIXMLOutput/1528226409136.xml
    INFO : 24325 Start Login Handler,Component : Login
    ERROR : 24325 Key:ISCrEntity is not found in RequestMap File for Login.
    INFO : 24325 Mapping file for Login component is /_conf/csc/IOMappingFiles//1700.1/Login/Login.xml
    ERROR : 24325 Flag setting for this opcode is 18.
    INFO : 24325 Opcode response: status:200
    INFO : 24325 Authentication Successful
    INFO : 24325 Start Set Handler,Component : SecurityPolicy
    ERROR : 24325 Key:ISCrEntity is not found in RequestMap File for SecurityPolicy.
    WARNING : 24325 Transaction id is missing of for the component : <SecurityPolicy>.
    ERROR : 24325 Parser Error: xmlvalue for jsonkey="tempsourceid", xmlelement="/SecurityPolicy/SourceNetworks/Network" cannot be found in request file.
    ERROR : 24325 Parser Error: xmlvalue for jsonkey="tempexceptionid", xmlelement="/SecurityPolicy/ExceptionNetworks/Network" cannot be found in request file.
    ERROR : 24325 Parser Error: xmlvalue for jsonkey="", xmlelement="/SecurityPolicy/HTTPBasedPolicy/Certificate" cannot be found in request file.
    ERROR : 24325 json object not found with key="tempsourceid" to handle logicaloperator.
    ERROR : 24325 Parser Error: xmlvalue for jsonkey="sourceid", xmlelement="/SecurityPolicy/SourceNetworks/Network" cannot be found in request file.
    ERROR : 24325 json object not found with key="tempexceptionid" to handle logicaloperator.
    ERROR : 24325 Parser Error: xmlvalue for jsonkey="exceptionid", xmlelement="/SecurityPolicy/ExceptionNetworks/Network" cannot be found in request file.
    ERROR : 24325 Parser Error: xmlvalue for jsonkey="frontend.certificate", xmlelement="/SecurityPolicy/HTTPBasedPolicy/Certificate" cannot be found in request file.
    ERROR : 24325 Flag setting for this opcode is 16.
    INFO : 24325 Opcode response: status:500
    INFO : 24325 End SET Handler, Status : Success, Component : SecurityPolicy, Transaction : NONE, Operation : add.
    INFO : 24325 Command:/scripts/apiparser_generate_tar.sh /sdisk/api-1528226409292181.txt /sdisk/API-1528226409292181 /sdisk/APIXMLOutput/1528226409136.xml /sdisk/API-1528226409292181.tar /sdisk/API-1528226409292181.log 0 status:3
    INFO : 24325 No need to create Tar file. Response file is /sdisk/APIXMLOutput/1528226409136.xml

  • Luke, 

    Yeah it is hard to say without the XML to compare it to, but it looks like you didn't define a <Network> tag correctly. 

  • Made changes to my request and added the missing elements. Still missing something as I'm still getting a 501 response. 

    From apiparser.log:

    INFO : 27569 Start Login Handler,Component : Login
    ERROR : 27569 Key:ISCrEntity is not found in RequestMap File for Login.
    INFO : 27569 Mapping file for Login component is /_conf/csc/IOMappingFiles//1700.1/Login/Login.xml
    ERROR : 27569 Flag setting for this opcode is 18.
    INFO : 27569 Opcode response: status:200
    INFO : 27569 Authentication Successful
    INFO : 27569 Start Set Handler,Component : SecurityPolicy
    ERROR : 27569 Key:ISCrEntity is not found in RequestMap File for SecurityPolicy.
    ERROR : 27569 type != const in logicaloperator.So string comparision is done.
    ERROR : 27569 type != const in logicaloperator.So string comparision is done.
    ERROR : 27569 Flag setting for this opcode is 16.
    INFO : 27569 Opcode response: status:500
    INFO : 27569 End SET Handler, Status : Success, Component : SecurityPolicy, Transaction : , Operation : add.
    INFO : 27569 Command:/scripts/apiparser_generate_tar.sh /sdisk/api-1528393159508823.txt /sdisk/API-1528393159508823 /sdisk/APIXMLOutput/1528393159401.xml /sdisk/API-1528393159508823.tar /sdisk/API-1528393159508823.log 0 status:3

    Here's the XML I'm passing:

    <SecurityPolicy transactionid=""><Name>HTTPBased Policy</Name><Position>top</Position><Description>HTTP Based Policy</Description><Status>Disable</Status><IPFamily>IPv4</IPFamily><PolicyType>HTTPBased</PolicyType><SourceNetworks><Network>Test Source</Network></SourceNetworks><ExceptionNetworks><Network>Test Source</Network></ExceptionNetworks><HTTPBasedPolicy><Certificate></Certificate><HostedAddress>Test Server</HostedAddress><HTTPS>Disable</HTTPS><RedirectHTTP>Disable</RedirectHTTP><ListenPort>80</ListenPort><Domains><Domain>derp.com</Domain></Domains><AllowFrom><Address>10.10.101.10</Address></AllowFrom><Exceptions><Exception><path>/</path><op>or</op><source>Any IPv4</source><skip_threats_filter_categories>protocol_violations</skip_threats_filter_categories><skip_threats_filter_categories>protocol_anomalies</skip_threats_filter_categories><skip_threats_filter_categories>request_limits</skip_threats_filter_categories><skipav>1</skipav><skipbadclients>1</skipbadclients><skipcookie>1</skipcookie><skipform>1</skipform><skipurl>1</skipurl></Exception></Exceptions><ProtocolSecurity /><CompressionSupport>Disable</CompressionSupport><RewriteHTML>Disable</RewriteHTML><RewriteCookies>Disable</RewriteCookies><PassHostHeader>Disable</PassHostHeader></HTTPBasedPolicy><IntrusionPrevention>None</IntrusionPrevention><TrafficShapingPolicy>None</TrafficShapingPolicy><SourceSecurityHeartbeat>Disable</SourceSecurityHeartbeat><MinimumSourceHBPermitted /><DestSecurityHeartbeat>Disable</DestSecurityHeartbeat><MinimumDestinationHBPermitted /></SecurityPolicy></Set></Request>


    I'm not sure why it's not including what's missing or wrong with the request in the response.

    Let me know if you have any ideas or if it's misconfigured.

    Thanks!

  • Luke, do you have an opening <Request>, <Login> and <Set>?

  • Oh yes, sorry, I forgot to add it in the post.

  • Luke, 

    Sorry I didn't respond sooner I must have missed that you posted. If you PM me the full XML file (obviously remove sensitive data) I will test it on my lab network and track down the issue for you. 

    What can help is adding numbers to the "transaction ID" section. That way, when a section fails, you can trace the transaction ID to the specific command that failed.
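The two debugging aids this thread lands on, reading the "Parser Error" lines out of /log/apiparser.log to see which XML elements the validator could not find, and tagging each <SecurityPolicy> with a transactionid so a failed component in the response can be traced back to the request that produced it, can both be scripted. The block below is an added example and is not code from the thread or from Sophos. The log and response samples inside it are constructed from the lines posted above, the transaction ids ("pol-1", "pol-2") are made up, and it assumes the API's per-component success code is 200, so any other code counts as a failure. Sending the generated XML is left to the file-upload function posted earlier in the thread.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the response shape posted in the thread, with a
# transaction id filled in (the thread's responses had transactionid="").
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<Response APIVersion="1700.1">
  <Login>
    <status>Authentication Successful</status>
  </Login>
  <SecurityPolicy transactionid="pol-1">
    <Status code="501">Configuration parameters validation failed.</Status>
    <InvalidParams/>
  </SecurityPolicy>
</Response>
"""

# Constructed sample: a subset of the apiparser.log lines posted in the thread.
SAMPLE_LOG = """INFO : 24325 Start Set Handler,Component : SecurityPolicy
ERROR : 24325 Key:ISCrEntity is not found in RequestMap File for SecurityPolicy.
WARNING : 24325 Transaction id is missing of for the component : <SecurityPolicy>.
ERROR : 24325 Parser Error: xmlvalue for jsonkey="tempsourceid", xmlelement="/SecurityPolicy/SourceNetworks/Network" cannot be found in request file.
ERROR : 24325 Parser Error: xmlvalue for jsonkey="tempexceptionid", xmlelement="/SecurityPolicy/ExceptionNetworks/Network" cannot be found in request file.
ERROR : 24325 Parser Error: xmlvalue for jsonkey="", xmlelement="/SecurityPolicy/HTTPBasedPolicy/Certificate" cannot be found in request file.
ERROR : 24325 Parser Error: xmlvalue for jsonkey="frontend.certificate", xmlelement="/SecurityPolicy/HTTPBasedPolicy/Certificate" cannot be found in request file.
INFO : 24325 Opcode response: status:500
"""

# Matches the element path the parser reports as absent from the request.
PARSER_ERROR = re.compile(
    r'Parser Error: xmlvalue for jsonkey="[^"]*", xmlelement="([^"]+)" cannot be found'
)


def missing_elements(log_text):
    """Return the unique XML element paths apiparser.log says were missing, in order."""
    found = []
    for line in log_text.splitlines():
        m = PARSER_ERROR.search(line)
        if m and m.group(1) not in found:
            found.append(m.group(1))
    return found


def build_request(username, password, policies):
    """Build a <Request> with a <Login> and one <Set operation="add"> per policy.

    policies is a list of (transactionid, {child tag: text}) pairs; every
    <SecurityPolicy> gets its own transactionid so failures can be traced.
    """
    req = ET.Element("Request")
    login = ET.SubElement(req, "Login")
    ET.SubElement(login, "Username").text = username
    ET.SubElement(login, "Password").text = password
    for txid, fields in policies:
        op = ET.SubElement(req, "Set", operation="add")
        pol = ET.SubElement(op, "SecurityPolicy", transactionid=txid)
        for tag, text in fields.items():
            ET.SubElement(pol, tag).text = text
    return ET.tostring(req, encoding="unicode")


def component_results(response_text):
    """Map (component tag, transactionid) -> (status code, message) from an API response."""
    root = ET.fromstring(response_text.encode("utf-8"))
    results = {}
    for comp in root:
        if comp.tag == "Login":
            continue  # login reports <status> text, not a coded <Status>
        status = comp.find("Status")
        if status is not None:
            key = (comp.tag, comp.get("transactionid", ""))
            results[key] = (status.get("code"), status.text)
    return results


def failed_transactions(response_text):
    """(component, transactionid) pairs whose Status code is not 200 (assumed success code)."""
    return [k for k, (code, _) in component_results(response_text).items() if code != "200"]


if __name__ == "__main__":
    print("Elements the parser could not find:")
    for path in missing_elements(SAMPLE_LOG):
        print("  ", path)
    print("Failed components:", failed_transactions(SAMPLE_RESPONSE))
    print(build_request("admin", "notpassword", [("pol-1", {"Name": "HTTPBased Policy"})]))
```

Run it against the real apiparser.log (copied off the appliance) and the real response text to get the list of element paths to add to the request; every path the validator names must be present, even if empty, before the 501 goes away.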

  • I am getting the exact same log output when trying to create an HTTPBasedPolicy via the XG18 api. Were you guys ever able to resolve this?