
Add Networks to Network Groups with the RESTful API

Hello,
We want to add all (~1500) IPv4 AWS subnets to the UTM using the API. I've used the request URL .../api/objects/network/network/ to add the networks, which worked fine.
 
Now I want to add all of these to a network group like this:
 
curl --location --request PUT 'https://....:4444/api/objects/network/group/REF_NetGroAWSTest' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'X-Restd-Lock-Override: yes' \
--header 'X-Restd-Err-Ack: all' \
--header 'Authorization: Basic XXXXXXXXXXXXXXXXX' \
--data-raw '{"name":"Group_Name","members":["REF_NetNetAmazonYYY34","REF_NetNetAmazoneuXXX38"]}' 
 
What would be the best way to get the reference ids of all networks? Do I have to filter the json response manually or is there any faster way?
Also, is it possible to only add member entries without completely overwriting them (as a new execution of the previously mentioned command would do)?
We are using the AWS JSON file https://ip-ranges.amazonaws.com/ip-ranges.json, and our script must run daily because the IP ranges change.


  • Hello and welcome to the UTM Community!

    Depending on what hardware you have, doing this may overload the UTM.  You should ask your Sophos partner about this.

    Also, you don't say why you want to do this.  If you're new to the UTM and WebAdmin, there may be an easier way to accomplish what you want.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello Bob :-)

    I have two uplinks and am using the multipath routing rules. I want to route all connections to AWS over interface "a" with a fixed IP and all others balanced over the "Uplink Interfaces".
    But the AWS networks change regularly. I cannot check ~5000 subnets manually every day. AWS has the JSON file for this information.

    My users are AWS developers and have simple network rules on the AWS side with the fixed IP address. So the traffic to AWS must use interface "a".

    I want to create the networks and put all these networks in one "aws" network group, and create one routing rule for this group. Another solution would be good too :-)

  • Would it be practical for all of the developers' traffic to go out the fixed IP?

    Again, I'm concerned that you might overload the CPU with so many subnets defined - what processor is in your UTM, or are you using a Sophos appliance?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks Bob!
    I only want to route the traffic from the developers to AWS over the interface with the fixed IP. The developers are 50% of the users.
    Yes, the ~1500 AWS network entries added over the API have made the UTM cluster slower on the config pages and on the re-sync after a reboot, but not on the network traffic so far.

    I use two SG210 appliances clustered in fail-over mode with a CPU usage of ~30%.

  • That's what I would have expected - since you're new here and possibly setting this up for the first time, I was worried that you might need to be making more configuration changes.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I run 4 UTMs. I know the way to my goal, but I don't want to do the steps manually. :-)

    - add the AWS networks
    - create one network group and add the AWS networks
    - create a new multipath rule for the developer network to the new AWS networks group

     

  • I have created bash scripts. The input of the ~5000 subnets was very slow. The UTM SG210 had a load of ~8 for two hours.
    The routing rule is running fine now and the system load is not much higher than before!
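The daily sync this thread describes (find the refs of the AWS network objects that already exist, create only the missing ones, and rewrite the group without losing members or keeping stale prefixes), as an added example that is neither the poster's bash script nor Sophos code. It assumes the API field names "_ref", "name", "address", "netmask" and "members" and leaves the actual HTTP calls to the caller, so the planning logic runs offline on the constructed data below.

```python
"""Plan the daily AWS-prefix sync for a UTM network group; HTTP calls are left to the caller.
Assumed, not stated in the thread: network objects carry "_ref", "name", "address", "netmask";
a group carries "name" and "members"; objects this script creates are named "aws_<addr>_<len>"."""
import ipaddress
import json

# Constructed excerpt in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json;
# the real feed repeats a prefix once per service, so it must be de-duplicated.
AWS_JSON = json.dumps({"prefixes": [
    {"ip_prefix": "3.5.140.0/22", "region": "eu-central-1", "service": "AMAZON"},
    {"ip_prefix": "3.5.140.0/22", "region": "eu-central-1", "service": "S3"},
    {"ip_prefix": "52.95.255.0/28", "region": "eu-west-1", "service": "AMAZON"}]})
# Constructed results of GET .../network/network/ and .../network/group/<ref> (assumed fields).
UTM_NETWORKS = [
    {"_ref": "REF_NetNetAmazoneuXXX38", "name": "aws_3.5.140.0_22", "address": "3.5.140.0", "netmask": 22},
    {"_ref": "REF_NetNetOldAmazon", "name": "aws_54.0.0.0_8", "address": "54.0.0.0", "netmask": 8},
    {"_ref": "REF_NetNetManual", "name": "partner_vpn", "address": "203.0.113.0", "netmask": 24}]
UTM_GROUP = {"name": "aws", "members": ["REF_NetNetAmazoneuXXX38", "REF_NetNetOldAmazon", "REF_NetNetManual"]}

def aws_prefixes(raw: str) -> set:
    """Unique IPv4 prefixes from the feed ("prefixes"; IPv6 is listed under "ipv6_prefixes")."""
    return {ipaddress.ip_network(p["ip_prefix"]) for p in json.loads(raw)["prefixes"]}

def plan_sync(raw_feed: str, networks: list, group: dict, prefix: str = "aws_") -> dict:
    """Minimal change set: objects to create plus the group's complete new member list.
    Script-managed objects whose prefix Amazon no longer publishes are dropped from the
    group so the routing rule never matches stale space; other members are kept as-is."""
    wanted = aws_prefixes(raw_feed)
    managed = [n for n in networks if n["name"].startswith(prefix)]
    # Match by prefix rather than by name, so refs need no manual filtering of the JSON.
    by_prefix = {ipaddress.ip_network(f"{n['address']}/{n['netmask']}"): n["_ref"] for n in managed}
    create = [{"name": f"{prefix}{p.network_address}_{p.prefixlen}",
               "address": str(p.network_address), "netmask": p.prefixlen}
              for p in sorted(wanted - set(by_prefix))]
    managed_refs = {n["_ref"] for n in managed}
    members = [m for m in group["members"] if m not in managed_refs]  # hand-added members survive
    members += [by_prefix[p] for p in sorted(wanted & set(by_prefix))]
    changed = bool(create) or sorted(members) != sorted(group["members"])
    return {"group_name": group["name"], "create": create, "members": members, "changed": changed}

def to_requests(plan: dict, group_ref: str, created_refs: list) -> list:
    """(method, path, body) tuples for the caller's HTTP client. PUT replaces the whole object,
    so the merged member list is sent, extended by the "_ref" values the POST responses
    returned; that is why the group is written last and only when something changed."""
    if not plan["changed"] and not created_refs:
        return []
    reqs = [("POST", "/api/objects/network/network/", obj) for obj in plan["create"]]
    body = {"name": plan["group_name"], "members": plan["members"] + list(created_refs)}
    return reqs + [("PUT", f"/api/objects/network/group/{group_ref}", body)]
```

On a day with no feed changes the plan is empty and nothing is written, which keeps the config database churn (and the slow re-sync the thread mentions) to the days where the prefixes actually moved.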