Api - Update firewall rule fails

I am trying to update firewall rule with api to change the certificate.
It is usefull for let's encrypt certificate update.

I have followed the community suggestion to read the rule and set the values read in the update statement (obviously changing the certificate name).

I was able to Load certificate into sophos XG 19 via api, to delete certificate, to get the rule values so I am sure the login OK .

I post the update from vb.net (but the call are the same as c#) with the following command:

Risposta = Await myHttpClient.GetAsync(New Uri(Comando))

RispostaXML = Await Risposta.Content.ReadAsStringAsync()

The response is:
<?xml version="1.0" encoding="UTF-8"?>
<Response>
  <Status code="529">Input request file is Invalid</Status>
</Response>

The value of command is reported below with changed sensitive information in red.
Any idea where the error is?

server.domain.it:4444/.../APIController
<Request>
    <Login>
        <Username>UserName</Username>
        <Password passwordform="encrypt">zzzzzzzzzz</Password>
    </Login>
    <Set operation="update">
        <FirewallRule>
        <Name>xxxxxxxxx.eu</Name>
        <Description></Description>
        <IPFamily>IPv4</IPFamily>
        <Status>Enable</Status>
        <Position>After</Position>
        <PolicyType>HTTPBased</PolicyType>
        <After><Name>rulename</Name></After>
        <HTTPBasedPolicy>
            <HostedAddress>#Port2</HostedAddress>
            <HTTPS>Enable</HTTPS>
            <ListenPort>443</ListenPort>
            <Domains>
                <Domain>xxxxxxx.eu</Domain>
                <Domain>yyyyyyy.eu</Domain>
                <Domain>zzzzzzz.eu</Domain>
            </Domains>
            <AccessPaths>
                <AccessPath>
                    <allowed_networks>Any IPv4</allowed_networks>
                    <auth_profile></auth_profile>
                    <backend>SerEstWebStudioWS</backend>
                    <be_path></be_path>
                    <hot_standby>0</hot_standby>
                    <path>/</path>
                    <stickysession_status>0</stickysession_status>
                    <websocket_passthrough>0</websocket_passthrough>
                </AccessPath>
            </AccessPaths>
            <Exceptions></Exceptions>
            <ProtocolSecurity></ProtocolSecurity>
            <CompressionSupport>Disable</CompressionSupport>
            <RewriteHTML>0</RewriteHTML>
            <PassHostHeader>Enable</PassHostHeader>
            <RewriteCookies>Enable</RewriteCookies>
            <IntrusionPrevention>WAN TO DMZ</IntrusionPrevention>
            <TrafficShapingPolicy>None</TrafficShapingPolicy>
            <Certificate>New certficate name</Certificate>
            <RedirectHTTP>Enable</RedirectHTTP>
        </HTTPBasedPolicy>
        </FirewallRule>
    </Set>
</Request>



Edited TAGs
[edited by: emmosophos at 5:28 PM (GMT -7) on 20 Sep 2022]