Unable to disable WAF rule via API

I am trying to make changes to a WAF rule via the API. This is all in relation to a larger effort to automate Let's Encrypt renewals. I have read many posts on here and found a few smaller GitHub repos with examples but none of them get the entire workflow.

I am able to upload a new certificate, or update an existing certificate via the API but I cannot update an existing certificate if it is in use by a WAF rule (error 542).

So my aim was to create a new certificate and then modify the WAF rule to use that, however I am unable to make any changes via the API. I have tried the oft-recommended example of exporting current "good" config and only making minor edits but I consistently get an unhelpful error. This error was purely changing from Enable to Disable in the Status key.

gigeo@angel:~$ cat test_change_cert.xml | curl -k -F "reqxml=<-"   "https://172.16.16.16:4444/webconsole/APIController?"
<?xml version="1.0" encoding="UTF-8"?>
<Response APIVersion="1702.1" IPS_CAT_VER="1">
  <Login>
    <status>Authentication Successful</status>
  </Login>
  <FirewallRule transactionid="">
    <Status code="500">Operation could not be performed on Entity.</Status>
  </FirewallRule>
</Response>

Here is the test XML file.

<?xml version="1.0" encoding="UTF-8"?>
<Request APIVersion="1702.1">

  <!-- Authenticate -->
  <Login>
    <Username>xxx</Username>
    <Password passwordform="plain">xxx</Password>
  </Login>

  <!-- Update the existing WAF firewall rule -->
  <Set operation="update">
    <FirewallRule>
      <Name>HTTPS_Webservers</Name>
      <Description/>
      <IPFamily>IPv4</IPFamily>
      <Status>Enable</Status>
      <Position>Top</Position>
      <PolicyType>HTTPBased</PolicyType>
      <HTTPBasedPolicy>
        <HostedAddress>#PortB</HostedAddress>
        <HTTPS>Enable</HTTPS>
        <ListenPort>443</ListenPort>
        <Domains>
          <Domain>xxx.xxx</Domain>
          <Domain>xxx.xxx</Domain>
          <Domain>www.xxx.com</Domain>
        </Domains>
        <AccessPaths>
          <AccessPath>
            <allowed_networks>Any IPv4</allowed_networks>
            <auth_profile/>
            <backend>Angel (HTTP)</backend>
            <be_path/>
            <hot_standby>0</hot_standby>
            <path>/</path>
            <stickysession_status>0</stickysession_status>
            <websocket_passthrough>0</websocket_passthrough>
          </AccessPath>
        </AccessPaths>
        <Exceptions>
        </Exceptions>
        <ProtocolSecurity/>
        <CompressionSupport>Disable</CompressionSupport>
        <RewriteHTML>0</RewriteHTML>
        <PassHostHeader>Enable</PassHostHeader>
        <RewriteCookies>Enable</RewriteCookies>
        <IntrusionPrevention>None</IntrusionPrevention>
        <TrafficShapingPolicy>None</TrafficShapingPolicy>
      </HTTPBasedPolicy>
    </FirewallRule>
  </Set>
</Request>
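
The request and response shapes in the post above, handled in Python as an added example (not code from the original poster or from Sophos): it applies one change to an exported rule, wraps it in the update request, and lists every entity in a response whose status code is not 200, since a successful Login does not mean the Set succeeded. The environment variable names, the trimmed sample rule and the use of 200 as the success code are assumptions.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample: the response shape shown in the post above.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<Response APIVersion="1702.1" IPS_CAT_VER="1">
  <Login><status>Authentication Successful</status></Login>
  <FirewallRule transactionid="">
    <Status code="500">Operation could not be performed on Entity.</Status>
  </FirewallRule>
</Response>"""

# Constructed, trimmed stand-in for an exported rule (a real export has more fields).
SAMPLE_RULE = """<FirewallRule>
  <Name>HTTPS_Webservers</Name>
  <Status>Enable</Status>
  <PolicyType>HTTPBased</PolicyType>
</FirewallRule>"""

def build_update_request(rule_xml, changes, api_version="1702.1"):
    """Apply {path: value} changes to an exported rule and wrap it in an update request."""
    rule = ET.fromstring(rule_xml)
    for path, value in changes.items():
        node = rule.find(path)
        if node is None:
            raise KeyError(f"{path} not present in exported rule")
        node.text = value
    req = ET.Element("Request", APIVersion=api_version)
    login = ET.SubElement(req, "Login")
    # Credentials are read from the environment (variable names are assumptions).
    ET.SubElement(login, "Username").text = os.environ.get("SFOS_API_USER", "")
    pw = ET.SubElement(login, "Password", passwordform="plain")
    pw.text = os.environ.get("SFOS_API_PASS", "")
    ET.SubElement(req, "Set", operation="update").append(rule)
    return ET.tostring(req, encoding="unicode")

def failed_entities(response_xml, ok_code="200"):
    """Return (entity, code, message) for each entity whose <Status code> is not ok_code."""
    failures = []
    for entity in ET.fromstring(response_xml):
        status = entity.find("Status")  # <Login> carries lowercase <status>, so it is skipped
        if status is not None and status.get("code") != ok_code:
            failures.append((entity.tag, status.get("code"), (status.text or "").strip()))
    return failures

if __name__ == "__main__":
    print(build_update_request(SAMPLE_RULE, {"Status": "Disable"}))
    print(failed_entities(SAMPLE_RESPONSE))
```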



  • That's a bug, which will be fixed in the upcoming V18.0 MR4. Bug ID: NC-60078: WAF: Certificate can't be edit via API/XML import
