
RESTful API and PowerShell Scripting

Anybody have some experiences with that?

I'd like to have a PowerShell script that enables/disables firewall or NAT rules. That means, for example, doing the equivalent of this curl call:


curl -X PATCH --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'Authorization: Basic dG9rZW46WmZqblZtZkd0bVppZ3lYRURLZkJRZWl1dnpqRUlTTFM=' -d '{"auto_pf_in":"","auto_pfrule":false,"comment":"","destination":"","destination_nat_address":"","destination_nat_service":"","group":"","ipsec":false,"log":false,"mode":"none","name":"","service":"","source":"","source_nat_address":"","source_nat_service":"","status":true}' 'https://utm.local:4444/api/objects/packetfilter/nat/REF_PacNatHttpsFromAny'


I already searched a little bit and found out that I have to use Invoke-RestMethod with PowerShell. I'm able to do GET requests with PowerShell now, but I don't know how to do PATCH or POST requests with PowerShell...

Can anybody help?


regards


  • You might find this post helpful: https://community.sophos.com/products/unified-threat-management/f/management-networking-logging-and-reporting/98167/how-can-i-make-network-definition-a-member-of-network-group-using-restful-api

    I just started down this path myself and I am still having issues, but I have basic connectivity working:

    #The base API URL and then the plan was to add variable for more nodes.
    $apiURL = 'https://sophos:4444/api'
    $networkURI = $apiURL + '/objects/network/network/'

    #Recommended you setup a token for scripting instead of using username/password. Either way it has to be converted to Base64
    $token = 'tokenFromAPIScreen'
    $tokenBase64 = [Convert]::ToBase64String([System.Text.Encoding]::Default.GetBytes("token:" + $token))

    #One recommended method for building headers, you can just create a hashtable with all the values
    $headers = @{}
    $headers.add("Authorization",'Basic ' + $tokenBase64)

    #This sets the TLS levels. By default I think it tries ssl which is disabled on our UTM
    $AllProtocols = [System.Net.SecurityProtocolType]'Tls,Tls11,Tls12'
    [System.Net.ServicePointManager]::SecurityProtocol = $AllProtocols

    #This should return a list of network objects, with their Name / IP Address / Network Mask
    Invoke-RestMethod -Uri $networkURI -Method Get -Headers $headers | ft name,address,netmask
  • It's no problem using PowerShell and the RESTful API for GET commands, but have you had any luck with PATCH, PUT or POST?

    Maybe somebody has a sample for that (e.g. activating a firewall rule or WLAN network)?


    regards

  • Here is a script I wrote to modify network definitions.

    It covers creating new objects and modifying existing objects.

  • Thanks, we found out that it was simply a syntax mistake (missing $) in PowerShell...

    We're able to switch NAT/firewall rules, WLAN networks... on/off now with one PowerShell script (-> check and change the current status on<->off) :-)


    If anybody is interested, PM me or answer here.


    regards
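    The original question asks how to PATCH a NAT rule from PowerShell, and the post above describes doing exactly that (check the current status, then flip it). The following is an added example written for this thread, not the poster's script: it reads the rule with GET, PATCHes only the `status` attribute, and checks the response. The host name `utm.local`, the environment variable `UTM_API_TOKEN`, and the assumption that the UTM API accepts a partial JSON body on PATCH and returns the updated object are all assumptions; the rule REF comes from the original curl command.

```powershell
# Added example (not from the thread): toggle a Sophos UTM NAT rule via GET + PATCH.
# Assumptions: host name and token location are placeholders; the API accepts a
# partial JSON body on PATCH and echoes the updated object back.
param(
    [string]$UtmHost = 'utm.local',                 # placeholder host name
    [string]$RuleRef = 'REF_PacNatHttpsFromAny'     # REF from the original curl call
)

$ErrorActionPreference = 'Stop'

# Windows PowerShell 5.1 offers SSL3/TLS1.0 by default; offer TLS 1.2 only.
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12

# Keep the token out of the script; the API uses HTTP Basic with the user name "token".
$token = $env:UTM_API_TOKEN
if (-not $token) { throw 'Set UTM_API_TOKEN to an API token created in WebAdmin.' }
$auth = [Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes("token:$token"))
$headers = @{
    Authorization = "Basic $auth"
    Accept        = 'application/json'
}

# $($UtmHost) is required: "$UtmHost:4444" would be parsed as a drive-qualified variable.
$uri = "https://$($UtmHost):4444/api/objects/packetfilter/nat/$RuleRef"

# 1. Read the current object so we know which state we are flipping from.
$rule = Invoke-RestMethod -Uri $uri -Method Get -Headers $headers
$before = if ($rule.status) { 'enabled' } else { 'disabled' }
Write-Host "Rule '$($rule.name)' is currently $before"

# 2. PATCH only the attribute that changes. -ContentType sets the JSON content-type
#    header; ConvertTo-Json turns the hashtable into {"status":false} or {"status":true}.
$body = @{ status = (-not $rule.status) } | ConvertTo-Json -Compress
$updated = Invoke-RestMethod -Uri $uri -Method Patch -Headers $headers `
    -ContentType 'application/json' -Body $body

# 3. Verify the returned object instead of trusting that the request succeeded.
if ($updated.status -eq $rule.status) { throw "Status of $RuleRef did not change" }
$after = if ($updated.status) { 'enabled' } else { 'disabled' }
Write-Host "Rule '$($updated.name)' is now $after"
```

    Run it once to disable an enabled rule and again to re-enable it; if the UTM uses a self-signed WebAdmin certificate, import that certificate into the client's trust store rather than disabling certificate validation in the script.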

  • Hi,

    We are trying to use your script, but are stuck at this point:

    Write-Host Need to create network object $ipNet.name on Sophos UTM
    $result = Invoke-RestMethod -Uri $networkURI -Method Post -Headers $headers -Body (ConvertTo-Json $ipNet)


    output:

    Need to create network object MS-104.146.128.0/17 on Sophos UTM

    Invoke-webrequest : null
    At C:\Scripts\Orig.ps1:98 char:13
    +         $result = Invoke-webrequest -Uri $networkURI -Method Post -Headers $headers -B ...
    +    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
        + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand


    Hope you can help us.

  • Meanwhile the problem is solved. We were using an old PowerShell version.

  • Whatever I do, as soon as I try to POST, I get access denied.

    Invoke-RestMethod : [
      {
        "name": "Permission denied to create host object.",
        "rights": "ANONYMOUS",
        "attrs": [],
        "Oattrs": [
          "class",
          "type"
        ],
        "objname": "",
        "del_object": "",
        "ref": "REF_NetHosOlymp52178",
        "msgtype": "OBJECT_INSERT_DENY",
        "format": "Permission denied to create %_O object.",
        "class": "network",
        "type": "host",
        "perms": "MAILSEC,RASMAN,WIRELESS,WEBSEC,WEBAPPSEC,NETSEC,NTTCUSTOMER,SUPERADMIN,NTTCUSTOMER2",
        "never_hide": 0,
        "fatal": 1
      }
    ]

    Looking at "perms", I'd say I've got enough rights.

    When I tried running your script to see if it would run into the same problem, it failed because MS doesn't offer the XML file anymore. But comparing the code, I don't see why your script would work and mine won't. Does anyone?

    $networkURI = 'my-sophos:4444/.../'

    $token = 'my_token'
    $tokenBase64 = [Convert]::ToBase64String([System.Text.Encoding]::Default.GetBytes("token:$token"))

    $AllProtocols = [System.Net.SecurityProtocolType]'Tls,Tls11,Tls12'
    [System.Net.ServicePointManager]::SecurityProtocol = $AllProtocols

    $ip = "my IP"
    $name = "Host - $ip"
    $comment = "Whitelist for Olympia POCs"

    $headers = @{}
    $headers.add('Content-Type', 'application/json')
    $headers.add('Accept', 'application/json')
    $headers.add("Authorization","Basic $tokenBase64")

    $body = '{"address":"' + $ip + '","address6":"","comment":"' + $comment + '","duids":[],"hostnames":[],"interface":"","macs":[],"name":"' + $name + '","resolved":false,"resolved6":false,"reverse_dns":false}'


    Invoke-RestMethod -Uri $networkURI -Method Post -Headers $headers -Body $body

    Any help is appreciated.

    Jan

  • Found it myself, but it may be useful for others.

    The user account for which you create the API token must be a local account. You cannot use an auto-generated account from an Active Directory user. I consider this a bug, so I will create a ticket for it in SophServ, but I don't have high hopes for this being fixed soon.

    Jan