
Switch network rule Enable/Disable through API

Hi,

I want to switch (Enable/Disable) a network rule with PowerShell.

A call from the browser works, but I want to do it directly (the browser cache is annoying).



$firewall = "firewall-fqdn:4444"

$request = @"
     <Login><UserName>api-admin</UserName>
     <Password passwordform=""encrypt"">api-key</Password></Login>
        <Set operation=""update"">
            <SecurityPolicy transactionid="""">
                <Name>Lucy -> Any ALL (TEMP)</Name>
                <Description/>
                <IPFamily>IPv4</IPFamily>
                <Status>Enable</Status>
                <Position>After</Position>
                <PolicyType>Network</PolicyType>
                <After>
                    <Name>Tiger2 ANY -> Internet</Name>
                </After>
                <SourceZones>
                    <Zone>LAN</Zone>
                </SourceZones>
                <Schedule>All The Time</Schedule>
                <Action>Accept</Action>
                <LogTraffic>Enable</LogTraffic>
                <MatchIdentity>Disable</MatchIdentity>
                <SourceNetworks>
                    <Network>Lucy</Network>
                </SourceNetworks>
                <DSCPMarking>-1</DSCPMarking>
                <ApplicationControl>None</ApplicationControl>
                <ApplicationBaseQoSPolicy>Revoke</ApplicationBaseQoSPolicy>
                <WebFilter>None</WebFilter>
                <WebCategoryBaseQoSPolicy>Revoke</WebCategoryBaseQoSPolicy>
                <IntrusionPrevention>None</IntrusionPrevention>
                <TrafficShappingPolicy>None</TrafficShappingPolicy>
                <ApplyNAT>CustomNatPolicy</ApplyNAT>
                <OverrideGatewayDefaultNATPolicy>Disable</OverrideGatewayDefaultNATPolicy>
                <PrimaryGateway/>
                <OutboundAddress>MASQ</OutboundAddress>
                <BackupGateway/>
                <ScanHTTP>Disable</ScanHTTP>
                <ScanHTTPS>Disable</ScanHTTPS>
                <Sandstorm>Disable</Sandstorm>
                <BlockQuickQuic>Disable</BlockQuickQuic>
                <ScanFTP>Disable</ScanFTP>
                <SourceSecurityHeartbeat>Disable</SourceSecurityHeartbeat>
                <MinimumSourceHBPermitted>No Restriction</MinimumSourceHBPermitted>
                <DestSecurityHeartbeat>Disable</DestSecurityHeartbeat>
                <MinimumDestinationHBPermitted>No Restriction</MinimumDestinationHBPermitted>
            </SecurityPolicy>
        </Set>
"@

start "https://$firewall/webconsole/APIController?reqxml=<Request>$request</Request>"




The thing is I have no clue what the command has to look like (Invoke-WebRequest, I think).
Later I want to expand it with variables for adding URLs to web exceptions.
Can someone help?

Best regards.



  • FormerMember

    Hi Gotschek,

    Did you check this KB article: Sophos XG Firewall: How to use API?

    Thanks,

  • Hi H_Patel,

    Sure.
    I googled many sites and YouTube videos.

    But every time I try, I get the following error:


     

    PS D:\Scripts> .\Enable-Lucy-Any_Webrequest.ps1


    StatusCode        : 200
    StatusDescription : OK
    Content           : <?xml version="1.0" encoding="UTF-8"?>
                        <Response>
                          <Status code="529">Input request file is Invalid</Status>
                        </Response>

    RawContent        : HTTP/1.1 200 OK
                        X-Frame-Options: SAMEORIGIN
                        Strict-Transport-Security: max-age=31536000
                        X-Content-Type-Options: nosniff
                        Keep-Alive: timeout=5, max=100
                        Connection: Keep-Alive
                        Transfer-Encoding: c...
    Forms             : {}
    Headers           : {[X-Frame-Options, SAMEORIGIN], [Strict-Transport-Security, max-age=31536000], [X-Content-Type-Options, nosniff], [Keep-Alive, timeout=5,
                        max=100]...}
    Images            : {}
    InputFields       : {}
    Links             : {}
    ParsedHtml        : mshtml.HTMLDocumentClass
    RawContentLength  : 122


     
    The PowerShell script is this:
     
    $firewall = "https://firewall:4444"
    $APIcall = "/webconsole/APIController?reqxml="
    $XMLfile = [XML] (Get-Content -Path ("D:\Scripts\XML-Files\Enable-Lucy-Any.txt"))

    $REQUEST = "$firewall$APIcall$XMLfile"

    Invoke-WebRequest -Uri $REQUEST
     

    XML file:
     
    <?xml version="1.0" encoding="UTF-8"?>
    <Request APIVersion="1702.1" IPS_CAT_VER="1">
        <Login>
            <Username>api-admin</Username>
            <Password passwordform="encrypt">api-encpass</Password>
        </Login>
            <Set operation="update">
                <SecurityPolicy>
                    <Name>Lucy -> Any ALL (TEMP)</Name>
                    <Description>Allow Lucy any</Description>
                    <IPFamily>IPv4</IPFamily>
                    <Status>Enable</Status>
                    <Position>After</Position>
                    <PolicyType>Network</PolicyType>
                    <After>
                        <Name>Tiger2 ANY -> Internet</Name>
                    </After>
                    <SourceZones>
                        <Zone>LAN</Zone>
                    </SourceZones>
                    <Schedule>All The Time</Schedule>
                    <Action>Accept</Action>
                    <LogTraffic>Enable</LogTraffic>
                    <MatchIdentity>Disable</MatchIdentity>
                    <SourceNetworks>
                        <Network>Lucy</Network>
                    </SourceNetworks>
                    <DSCPMarking>-1</DSCPMarking>
                    <ApplicationControl>None</ApplicationControl>
                    <ApplicationBaseQoSPolicy>Revoke</ApplicationBaseQoSPolicy>
                    <WebFilter>None</WebFilter>
                    <WebCategoryBaseQoSPolicy>Revoke</WebCategoryBaseQoSPolicy>
                    <IntrusionPrevention>None</IntrusionPrevention>
                    <TrafficShappingPolicy>None</TrafficShappingPolicy>
                    <ApplyNAT>CustomNatPolicy</ApplyNAT>
                    <OverrideGatewayDefaultNATPolicy>Disable</OverrideGatewayDefaultNATPolicy>
                    <PrimaryGateway/>
                    <OutboundAddress>MASQ</OutboundAddress>
                    <BackupGateway/>
                    <ScanHTTP>Disable</ScanHTTP>
                    <ScanHTTPS>Disable</ScanHTTPS>
                    <Sandstorm>Disable</Sandstorm>
                    <BlockQuickQuic>Disable</BlockQuickQuic>
                    <ScanFTP>Disable</ScanFTP>
                    <SourceSecurityHeartbeat>Disable</SourceSecurityHeartbeat>
                    <MinimumSourceHBPermitted>No Restriction</MinimumSourceHBPermitted>
                    <DestSecurityHeartbeat>Disable</DestSecurityHeartbeat>
                    <MinimumDestinationHBPermitted>No Restriction</MinimumDestinationHBPermitted>
                </SecurityPolicy>
            </Set>
    </Request>

     
     
    I think the XML is correct, but I'm not sure. Maybe the double quotes in the XML?
    But I get the error even if I try the whole request without an XML file.
     
  • I solved the error myself (trial and error).

    The problem was the escaped double quotes. (In here-strings, escaping isn't necessary.)

    # Parameter

    $firewall = "https://firewall:4444"
    $APIcall = "/webconsole/APIController?reqxml="
    $status = "Enable"    # switch between Enable and Disable here

    $xmlrequest = @"
    <Request APIVersion="1702.1" IPS_CAT_VER="1">
         <Login><UserName>api-admin</UserName>
         <Password passwordform="encrypt">api-encrypted-password</Password></Login>
            <Set operation="update">
                <SecurityPolicy transactionid="">
                    <Name>Lucy -> Any ALL (TEMP)</Name>
                    <Description/>
                    <IPFamily>IPv4</IPFamily>
                    <Status>$status</Status>
                    <Position>After</Position>
                    <PolicyType>Network</PolicyType>
                    <After>
                        <Name>Tiger2 ANY -> Internet</Name>
                    </After>
                    <SourceZones>
                        <Zone>LAN</Zone>
                    </SourceZones>
                    <Schedule>All The Time</Schedule>
                    <Action>Accept</Action>
                    <LogTraffic>Enable</LogTraffic>
                    <MatchIdentity>Disable</MatchIdentity>
                    <SourceNetworks>
                        <Network>Lucy</Network>
                    </SourceNetworks>
                    <DSCPMarking>-1</DSCPMarking>
                    <ApplicationControl>None</ApplicationControl>
                    <ApplicationBaseQoSPolicy>Revoke</ApplicationBaseQoSPolicy>
                    <WebFilter>None</WebFilter>
                    <WebCategoryBaseQoSPolicy>Revoke</WebCategoryBaseQoSPolicy>
                    <IntrusionPrevention>None</IntrusionPrevention>
                    <TrafficShappingPolicy>None</TrafficShappingPolicy>
                    <ApplyNAT>CustomNatPolicy</ApplyNAT>
                    <OverrideGatewayDefaultNATPolicy>Disable</OverrideGatewayDefaultNATPolicy>
                    <PrimaryGateway/>
                    <OutboundAddress>MASQ</OutboundAddress>
                    <BackupGateway/>
                    <ScanHTTP>Disable</ScanHTTP>
                    <ScanHTTPS>Disable</ScanHTTPS>
                    <Sandstorm>Disable</Sandstorm>
                    <BlockQuickQuic>Disable</BlockQuickQuic>
                    <ScanFTP>Disable</ScanFTP>
                    <SourceSecurityHeartbeat>Disable</SourceSecurityHeartbeat>
                    <MinimumSourceHBPermitted>No Restriction</MinimumSourceHBPermitted>
                    <DestSecurityHeartbeat>Disable</DestSecurityHeartbeat>
                    <MinimumDestinationHBPermitted>No Restriction</MinimumDestinationHBPermitted>
                </SecurityPolicy>
            </Set>
        </Request>
    "@

    $REQUEST = "$firewall$APIcall$xmlrequest"

    Invoke-WebRequest -Uri $REQUEST
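
    Added example, not code from the original post or from Sophos: a parameterized version of the posted solution that toggles a rule by name instead of carrying a hand-maintained copy of every rule field. It reads the rule back with a Get, changes only the Status element, and sends the complete SecurityPolicy element back in a Set with operation="update" (the same shape as the posted XML). The 529 "Input request file is Invalid" reply from the earlier attempt is what you get when the request XML is malformed, so the envelope is built with the XML DOM rather than string concatenation; rule names such as "Lucy -> Any ALL (TEMP)" containing special characters are then escaped automatically. Assumptions not confirmed by the thread: that the API accepts the reqxml payload as a POST form field (the thread uses a GET query string), the Get/Filter/key lookup syntax, the Login/status reply text, and that a Status code of 200 means the change was applied. Element names are the ones used in the posted XML.

```powershell
# Added example (not from the thread). Toggles a SecurityPolicy's <Status> by
# reading the rule with <Get>, patching only <Status>, and re-sending the whole
# element in <Set operation="update">. Assumptions: reqxml is accepted as a POST
# form field, the <Filter>/<key> lookup syntax, "Authentication Successful" in
# <Login><status>, and <Status code="200"> meaning success.

function New-SfosRequest {
    # Wraps a <Get> or <Set> element in the <Request>/<Login> envelope via the DOM,
    # so names containing &, < or quotes are escaped instead of producing a 529 reply.
    param(
        [Parameter(Mandatory)][string]$ApiUser,
        [Parameter(Mandatory)][string]$ApiPassword,   # encrypted password string copied from the console
        [Parameter(Mandatory)][xml]$Operation
    )
    $doc = New-Object System.Xml.XmlDocument
    $req = $doc.AppendChild($doc.CreateElement('Request'))
    $req.SetAttribute('APIVersion', '1702.1')
    $login = $req.AppendChild($doc.CreateElement('Login'))
    $user = $login.AppendChild($doc.CreateElement('UserName'))
    $user.InnerText = $ApiUser
    $pw = $login.AppendChild($doc.CreateElement('Password'))
    $pw.SetAttribute('passwordform', 'encrypt')
    $pw.InnerText = $ApiPassword
    [void]$req.AppendChild($doc.ImportNode($Operation.DocumentElement, $true))
    return $doc.OuterXml
}

function Invoke-SfosApi {
    # POSTs the request as a form field instead of putting it in the URL, so the
    # credentials do not land in browser history, proxy logs or the access log.
    param(
        [Parameter(Mandatory)][string]$Firewall,      # e.g. "firewall-fqdn:4444"
        [Parameter(Mandatory)][string]$RequestXml,
        [switch]$SkipCertificateCheck                 # PowerShell 7+ only; lab boxes with self-signed certs
    )
    $params = @{
        Uri    = "https://$Firewall/webconsole/APIController"
        Method = 'Post'
        Body   = @{ reqxml = $RequestXml }            # assumption: POST form field is accepted
    }
    if ($SkipCertificateCheck) { $params.SkipCertificateCheck = $true }
    $resp = Invoke-WebRequest @params
    [xml]$reply = $resp.Content
    # Login failures come back as HTTP 200 with a message in <Login><status>.
    $loginStatus = $reply.SelectSingleNode('/Response/Login/status')
    if ($loginStatus -and $loginStatus.InnerText -notmatch 'Successful') {
        throw "API login failed: $($loginStatus.InnerText)"
    }
    # Any <Status code="..."> other than 200 is an error (529 = invalid request XML).
    foreach ($st in $reply.SelectNodes('//Status[@code]')) {
        $code = $st.GetAttribute('code')
        if ($code -ne '200') { throw "API error $code`: $($st.InnerText)" }
    }
    return $reply
}

function Set-SfosRuleStatus {
    param(
        [Parameter(Mandatory)][string]$Firewall,
        [Parameter(Mandatory)][string]$ApiUser,
        [Parameter(Mandatory)][string]$ApiPassword,
        [Parameter(Mandatory)][string]$RuleName,
        [Parameter(Mandatory)][ValidateSet('Enable', 'Disable')][string]$Status,
        [switch]$SkipCertificateCheck
    )
    $common = @{ Firewall = $Firewall; SkipCertificateCheck = $SkipCertificateCheck }

    # 1. Read the rule back so every other field is re-sent exactly as configured.
    $getOp = [xml]"<Get><SecurityPolicy><Filter><key name='Name' criteria='='/></Filter></SecurityPolicy></Get>"
    $getOp.SelectSingleNode('//key').InnerText = $RuleName
    $reply = Invoke-SfosApi @common -RequestXml (New-SfosRequest $ApiUser $ApiPassword $getOp)
    # $rule.Name would be the element name "SecurityPolicy", so compare the <Name> child instead.
    $rule = $reply.SelectNodes('/Response/SecurityPolicy') |
        Where-Object { $_.SelectSingleNode('Name').InnerText -eq $RuleName } |
        Select-Object -First 1
    if (-not $rule) { throw "Rule '$RuleName' not found on $Firewall" }

    # 2. Patch only <Status>; nothing else in the rule changes.
    $rule.SelectSingleNode('Status').InnerText = $Status

    # 3. Send the whole element back; operation="update" replaces the rule in place.
    $setOp = [xml]'<Set operation="update"/>'
    [void]$setOp.DocumentElement.AppendChild($setOp.ImportNode($rule, $true))
    [void](Invoke-SfosApi @common -RequestXml (New-SfosRequest $ApiUser $ApiPassword $setOp))
    return "$RuleName is now $Status"
}

# Usage: the encrypted password comes from the environment, not from the script file.
# Set-SfosRuleStatus -Firewall 'firewall-fqdn:4444' -ApiUser 'api-admin' -ApiPassword $env:SFOS_API_PASS `
#                    -RuleName 'Lucy -> Any ALL (TEMP)' -Status Disable
```

    The value in passwordform="encrypt" is still a credential: anyone who can read it can replay it against the API, so keep it out of scripts checked into a repository and out of GET URLs. Use a dedicated administrator for API access and restrict the API's allowed source IP addresses on the firewall to the host running the script, and only use -SkipCertificateCheck against a lab appliance; in production install a trusted certificate on port 4444 so the script verifies it is talking to the real firewall.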