
Create Firewall Policy - HTTPBased response 501

Hi All!

I'm working with the Sophos XG 1700.1 API looking to create an HTTPBased Firewall policy.

I seem to be running into an issue when making the request. 
response from the request:
<?xml version="1.0" encoding="UTF-8"?>
<Response APIVersion="1700.1">
  <Login>
    <status>Authentication Successful</status>
  </Login>
  <SecurityPolicy transactionid="">
    <Status code="501">Configuration parameters validation failed.</Status>
    <InvalidParams/>
  </SecurityPolicy>
</Response>

request:
/webconsole/APIController?reqxml=<Request><Login><Username>admin</Username><Password>notpassword</Password></Login><Set operation="add"><SecurityPolicy><Name>HTTPBased Policy</Name><Position>top</Position><Description>HTTP Based Policy</Description><Status>Disable</Status><IPFamily>IPv4</IPFamily><PolicyType>HTTPBased</PolicyType><HTTPBasedPolicy><HostedAddress>10.0.0.10</HostedAddress><HTTPS>Disable</HTTPS><RedirectHTTP>Disable</RedirectHTTP><ListenPort>80</ListenPort><Domains><Domain>derp.com</Domain></Domains><AllowFrom><Address>Test Server</Address></AllowFrom><Exceptions><Exception><path>/</path><op>or</op><source>Any IPv4</source><skip_threats_filter_categories>protocol_violations</skip_threats_filter_categories><skip_threats_filter_categories>protocol_anomalies</skip_threats_filter_categories><skip_threats_filter_categories>request_limits</skip_threats_filter_categories><skipav>1</skipav><skipbadclients>1</skipbadclients><skipcookie>1</skipcookie><skipform>1</skipform><skipurl>1</skipurl></Exception></Exceptions><ProtocolSecurity /><CompressionSupport>Disable</CompressionSupport><RewriteHTML>Disable</RewriteHTML><RewriteCookies>Disable</RewriteCookies><PassHostHeader>Disable</PassHostHeader></HTTPBasedPolicy><IntrusionPrevention>None</IntrusionPrevention><TrafficShapingPolicy>None</TrafficShapingPolicy><SourceSecurityHeartbeat>Disable</SourceSecurityHeartbeat><MinimumSourceHBPermitted /><DestSecurityHeartbeat>Disable</DestSecurityHeartbeat><MinimumDestinationHBPermitted /></SecurityPolicy></Set></Request>

If anyone could help that would be awesome!

thanks,

Luke




  • Made changes to my request and added the missing elements. Still missing something as I'm still getting a 501 response. 

    From apiparse.log

    INFO : 27569 Start Login Handler,Component : Login
    ERROR : 27569 Key:ISCrEntity is not found in RequestMap File for Login.
    INFO : 27569 Mapping file for Login component is /_conf/csc/IOMappingFiles//1700.1/Login/Login.xml
    ERROR : 27569 Flag setting for this opcode is 18.
    INFO : 27569 Opcode response: status:200
    INFO : 27569 Authentication Successful
    INFO : 27569 Start Set Handler,Component : SecurityPolicy
    ERROR : 27569 Key:ISCrEntity is not found in RequestMap File for SecurityPolicy.
    ERROR : 27569 type != const in logicaloperator.So string comparision is done.
    ERROR : 27569 type != const in logicaloperator.So string comparision is done.
    ERROR : 27569 Flag setting for this opcode is 16.
    INFO : 27569 Opcode response: status:500
    INFO : 27569 End SET Handler, Status : Success, Component : SecurityPolicy, Transaction : , Operation : add.
    INFO : 27569 Command:/scripts/apiparser_generate_tar.sh /sdisk/api-1528393159508823.txt /sdisk/API-1528393159508823 /sdisk/APIXMLOutput/1528393159401.xml /sdisk/API-1528393159508823.tar /sdisk/API-1528393159508823.log 0 status:3

    Here's the XML I'm passing:

    <SecurityPolicy transactionid=""><Name>HTTPBased Policy</Name><Position>top</Position><Description>HTTP Based Policy</Description><Status>Disable</Status><IPFamily>IPv4</IPFamily><PolicyType>HTTPBased</PolicyType><SourceNetworks><Network>Test Source</Network></SourceNetworks><ExceptionNetworks><Network>Test Source</Network></ExceptionNetworks><HTTPBasedPolicy><Certificate></Certificate><HostedAddress>Test Server</HostedAddress><HTTPS>Disable</HTTPS><RedirectHTTP>Disable</RedirectHTTP><ListenPort>80</ListenPort><Domains><Domain>derp.com</Domain></Domains><AllowFrom><Address>10.10.101.10</Address></AllowFrom><Exceptions><Exception><path>/</path><op>or</op><source>Any IPv4</source><skip_threats_filter_categories>protocol_violations</skip_threats_filter_categories><skip_threats_filter_categories>protocol_anomalies</skip_threats_filter_categories><skip_threats_filter_categories>request_limits</skip_threats_filter_categories><skipav>1</skipav><skipbadclients>1</skipbadclients><skipcookie>1</skipcookie><skipform>1</skipform><skipurl>1</skipurl></Exception></Exceptions><ProtocolSecurity /><CompressionSupport>Disable</CompressionSupport><RewriteHTML>Disable</RewriteHTML><RewriteCookies>Disable</RewriteCookies><PassHostHeader>Disable</PassHostHeader></HTTPBasedPolicy><IntrusionPrevention>None</IntrusionPrevention><TrafficShapingPolicy>None</TrafficShapingPolicy><SourceSecurityHeartbeat>Disable</SourceSecurityHeartbeat><MinimumSourceHBPermitted /><DestSecurityHeartbeat>Disable</DestSecurityHeartbeat><MinimumDestinationHBPermitted /></SecurityPolicy></Set></Request>

     

    I'm not sure why it's not including what's missing or wrong with the request in the response.

    Let me know if you have any ideas or if it's misconfigured.

    Thanks!

  • Luke, do you have an opening <Request>, <Login> and <Set>?

  • Oh yes, sorry, I forgot to add it in the post.

  • Luke, 

    Sorry I didn't respond sooner; I must have missed that you posted. If you PM me the full XML file (obviously remove sensitive data), I will test it on my lab network and track down the issue for you.

    What can help is adding numbers to the "transaction ID" section - that way, when the section fails, you can trace the transaction ID to the specific command that failed.

  • I am getting the exact same log output when trying to create an HTTPBasedPolicy via the XG18 api. Were you guys ever able to resolve this?
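
The transaction ID suggestion from the replies above, as an added example that is not part of the original thread and is not Sophos code: it stamps each entity in a request with a unique `transactionid` and then maps every failed `<Status>` in the response back to the entity that caused it. The sample request and response are constructed, the function names are hypothetical, and it assumes the appliance echoes the request's `transactionid` in the response and reports success as code 200.

```python
import xml.etree.ElementTree as ET

# Constructed sample request (not from the thread); credentials are placeholders.
SAMPLE_REQUEST = (
    "<Request><Login><Username>api-user</Username><Password>PLACEHOLDER</Password></Login>"
    '<Set operation="add">'
    "<SecurityPolicy><Name>Policy A</Name></SecurityPolicy>"
    "<SecurityPolicy><Name>HTTPBased Policy</Name></SecurityPolicy>"
    "</Set></Request>"
)
# Constructed response, shaped like the one quoted in the thread.
SAMPLE_RESPONSE = (
    '<Response APIVersion="1700.1"><Login><status>Authentication Successful</status></Login>'
    '<SecurityPolicy transactionid="txn-1"><Status code="200">Configuration applied successfully.</Status></SecurityPolicy>'
    '<SecurityPolicy transactionid="txn-2"><Status code="501">Configuration parameters validation failed.</Status>'
    "<InvalidParams/></SecurityPolicy></Response>"
)

def tag_transactions(request_xml, prefix="txn"):
    """Set a unique transactionid on each entity; return (xml, {id: 'Tag:Name'})."""
    root = ET.fromstring(request_xml)
    ids = {}
    for op in root:
        if op.tag == "Login":  # credentials block, not a configuration entity
            continue
        for entity in op:
            tid = f"{prefix}-{len(ids) + 1}"
            entity.set("transactionid", tid)
            ids[tid] = f"{entity.tag}:{entity.findtext('Name', default='?')}"
    return ET.tostring(root, encoding="unicode"), ids

def failed_transactions(response_xml, ids, ok_code="200"):
    """Return (transactionid, entity, code, message, invalid_params) per failed entity."""
    failures = []
    for entity in ET.fromstring(response_xml):
        status = entity.find("Status")  # <Login> carries lowercase <status>, so it is skipped
        if status is None or status.get("code") == ok_code:
            continue
        tid = entity.get("transactionid", "")
        params = entity.find("InvalidParams")  # empty in the thread's 501 response
        invalid = [p.tag for p in params] if params is not None else []
        failures.append((tid, ids.get(tid, "unknown"), status.get("code"),
                         (status.text or "").strip(), invalid))
    return failures

if __name__ == "__main__":
    tagged, ids = tag_transactions(SAMPLE_REQUEST)
    for failure in failed_transactions(SAMPLE_RESPONSE, ids):
        print(failure)
```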