Guest User!

You are not Sophos Staff.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 7 replies
  • Answers 1 answer
  • Subscribers 28 subscribers
  • Views 1237 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

API does not support Firewall Rule Group assignment after changing rule? / API drops Firewall Rule Group assignment

Saarbruecken

Hi

Every time I change a firewall rule using SFOS 18.0.5 MR-5-Build586 API, it keeps removing the firewall rule from its original Firewall Rule Group. Actually, the Firewall Rule Group is nowhere mentioned, when you query all your Firewall Rules directly through the API -- even though the information in Position and After is accurate and kept when submitting the query, the group is however dropped.

    <Position>After</Position>
    [...]
    <After>
      <Name>FAILSAFE outbound VPN</Name>
    </After

I found this after implementing Let's Encrypt on my Sophos XG, so my certificates are extended automatically and re-assigned to the WAF-rules without my interaction. I do that with five API queries:

  • Upload temporary (old but still valid) certificate. <-- works!
  • Assign WAF-rule to temporary (old but still valid) certificate <-- works, but Firewall Rule Group assignment is dropped.
  • Update existing certificate with the newly extended certificate from Let's Encrypt. <-- works!
  • Switch back WAF-rule to the extended certificate. <-- works, Firewall Rule Group assignment is dropped.
  • Delete temporary (valid) certificate. <-- works!

Do I have to assign the WAF-rules back to the desired Firewall Rule Group in separate step? Any ideas what I am missing? 

Thanks in advance.



This thread was automatically locked due to age.
Parents
  • 0

    How do you switch the Firewall rules? I found the approach, 1. reading the current information, 2. apply the change in script 3. update with new information more useful. It stays in the same firewall rule. I guess the approach to create a new firewall rule will not move it into a group. 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    I just update my existing WAF-rule, by changing the Certificate field -- and of course submit all other fields that are required in order to make the update. I do not create a new WAF rule, instead I temporary change to another certificate, so I can extend / update the existing one and then update the Certificate field again in my firewall rule. Does this make sense to you?

    Below the xml I use -- I removed irrelevant parts (flagged with [...]). After the WAF-rule was updated, the Firewall Rule Group assignment is dropped. Thanks again for your help.

    <Request>
        <Login>
            <Username></Username>
            <Password></Password>
        </Login>

        <Set operation="update">

      <FirewallRule transactionid="">
        <Name>WAF-Rule</Name>
        <Description/>
        <IPFamily>IPv4</IPFamily>
        <Status>Enable</Status>
        <Position>After</Position>
        <PolicyType>HTTPBased</PolicyType>
        <After>
          <Name>Outbound VPN</Name>
        </After>
        <HTTPBasedPolicy>
          <HostedAddress>#Port3</HostedAddress>
          <HTTPS>Enable</HTTPS>
          <ListenPort>443</ListenPort>
          <Domains>
            <Domain>www.domain.tld</Domain>
            <Domain>domain.tld</Domain>
          </Domains>
          <AccessPaths>
      <AccessPath>
        [...]
      </AccessPath>
    </AccessPaths>
          <Exceptions>
    </Exceptions>
          [...]
          <Certificate>www.domain.tld</Certificate> <-- The only part that is being changed by the update query.
          [...]
        </HTTPBasedPolicy>
      </FirewallRule>

        </Set>
    </Request>
Reply
  • 0 in reply to LuCar Toni

    I just update my existing WAF-rule, by changing the Certificate field -- and of course submit all other fields that are required in order to make the update. I do not create a new WAF rule, instead I temporary change to another certificate, so I can extend / update the existing one and then update the Certificate field again in my firewall rule. Does this make sense to you?

    Below the xml I use -- I removed irrelevant parts (flagged with [...]). After the WAF-rule was updated, the Firewall Rule Group assignment is dropped. Thanks again for your help.

    <Request>
        <Login>
            <Username></Username>
            <Password></Password>
        </Login>

        <Set operation="update">

      <FirewallRule transactionid="">
        <Name>WAF-Rule</Name>
        <Description/>
        <IPFamily>IPv4</IPFamily>
        <Status>Enable</Status>
        <Position>After</Position>
        <PolicyType>HTTPBased</PolicyType>
        <After>
          <Name>Outbound VPN</Name>
        </After>
        <HTTPBasedPolicy>
          <HostedAddress>#Port3</HostedAddress>
          <HTTPS>Enable</HTTPS>
          <ListenPort>443</ListenPort>
          <Domains>
            <Domain>www.domain.tld</Domain>
            <Domain>domain.tld</Domain>
          </Domains>
          <AccessPaths>
      <AccessPath>
        [...]
      </AccessPath>
    </AccessPaths>
          <Exceptions>
    </Exceptions>
          [...]
          <Certificate>www.domain.tld</Certificate> <-- The only part that is being changed by the update query.
          [...]
        </HTTPBasedPolicy>
      </FirewallRule>

        </Set>
    </Request>
Children
  • 0 in reply to Saarbruecken

    Did you create this XML by yourself or do you fetch the current config? Personally i would recommend to fetch the current config, store it into a array and change the certificate name. Therefore you will not run into the issue of missing any information. 

    __________________________________________________________________________________________________________________

Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?