API does not support Firewall Rule Group assignment after changing rule? / API drops Firewall Rule Group assignment

Hi

Every time I change a firewall rule using the SFOS 18.0.5 MR-5-Build586 API, it removes the firewall rule from its original Firewall Rule Group. In fact, the Firewall Rule Group is not mentioned anywhere when you query all your firewall rules directly through the API. Even though the information in Position and After is accurate and is kept when submitting the query, the group is dropped.

    <Position>After</Position>
    [...]
    <After>
      <Name>FAILSAFE outbound VPN</Name>
    </After>

I found this after implementing Let's Encrypt on my Sophos XG, so that my certificates are extended automatically and re-assigned to the WAF rules without my intervention. I do that with five API queries:

  • Upload temporary (old but still valid) certificate. <-- works!
  • Assign WAF-rule to temporary (old but still valid) certificate <-- works, but Firewall Rule Group assignment is dropped.
  • Update existing certificate with the newly extended certificate from Let's Encrypt. <-- works!
  • Switch back WAF-rule to the extended certificate. <-- works, Firewall Rule Group assignment is dropped.
  • Delete temporary (valid) certificate. <-- works!

Do I have to assign the WAF rules back to the desired Firewall Rule Group in a separate step? Any ideas what I am missing?

Thanks in advance.



This thread was automatically locked due to age.
  • I found a workaround for this. It is possible to re-assign the firewall rules to the Firewall Rule Group after you have successfully updated them and after they have lost their assigned group. I will post all six XML files later in the hope that the community finds them helpful. I found many threads where people have tried to achieve similar things when trying to implement Let's Encrypt.

    <Request>
        <Login>
            <Username></Username>
            <Password></Password>
        </Login>
        <Set operation="update">
            <FirewallRuleGroup transactionid="">
                <!-- put the name of your Firewall Rule Group here -->
                <Name>Web Applications</Name>
                <Description/>
                <SecurityPolicyList>
                    <!-- list every firewall rule you want assigned to that group -->
                    <SecurityPolicy>WAF-Rule 1</SecurityPolicy>
                    <SecurityPolicy>WAF-Rule 2</SecurityPolicy>
                    <SecurityPolicy>WAF-Rule 3</SecurityPolicy>
                    <SecurityPolicy>WAF-Rule 4</SecurityPolicy>
                    <SecurityPolicy>WAF-Rule 5</SecurityPolicy>
                </SecurityPolicyList>
                <Policytype>Any</Policytype>
            </FirewallRuleGroup>
        </Set>
    </Request>
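As an added example (not the original poster's XML files and not Sophos code), the following Python script performs the group re-assignment step from the workaround above against the SFOS XML API, but first reads the group back from the firewall and merges the existing members with the rules to re-attach. That matters because `<Set operation="update">` replaces the whole SecurityPolicyList, so a hand-written list that forgets a rule silently removes it from the group. It assumes the documented SFOS endpoint `https://<firewall>:4444/webconsole/APIController` taking the request XML in the `reqxml` form field; the host, credentials, group and rule names are placeholders, and the sample responses embedded for offline use are constructed, not captured from a device.

```python
"""Re-attach firewall rules to an SFOS Firewall Rule Group over the XML API.

Added example, not the original poster's XML files or Sophos code. Assumptions:
the API is reached at https://<host>:4444/webconsole/APIController with the
request XML in the POST field "reqxml"; host, credentials, group and rule
names below are placeholders.
"""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

FIREWALL_HOST = "firewall.example.internal"  # placeholder
API_USER = "api-user"                        # placeholder
API_PASS = "change-me"                       # placeholder, load from a secret store

# Constructed sample responses shaped like SFOS API output (not captured from a device).
SAMPLE_GET_RESPONSE = """<Response APIVersion="1805.2">
  <Login><status>Authentication Successful</status></Login>
  <FirewallRuleGroup transactionid="">
    <Name>Web Applications</Name><Description/>
    <SecurityPolicyList>
      <SecurityPolicy>WAF-Rule 1</SecurityPolicy>
      <SecurityPolicy>WAF-Rule 2</SecurityPolicy>
    </SecurityPolicyList>
    <Policytype>Any</Policytype>
  </FirewallRuleGroup>
</Response>"""
SAMPLE_SET_RESPONSE = """<Response APIVersion="1805.2">
  <Login><status>Authentication Successful</status></Login>
  <FirewallRuleGroup transactionid=""><Status code="200">Configuration applied successfully.</Status></FirewallRuleGroup>
</Response>"""


def build_request(user, password, body):
    """Wrap a <Get> or <Set> element in the <Request><Login> envelope SFOS expects."""
    req = ET.Element("Request")
    login = ET.SubElement(req, "Login")
    ET.SubElement(login, "Username").text = user
    ET.SubElement(login, "Password").text = password
    req.append(body)
    return ET.tostring(req, encoding="unicode")


def get_groups_body():
    """<Get><FirewallRuleGroup/></Get>: read every rule group, filter client-side."""
    get = ET.Element("Get")
    ET.SubElement(get, "FirewallRuleGroup")
    return get


def group_members(response_xml, group_name):
    """Rule names currently in group_name (in SFOS order), or None if no such group."""
    root = ET.fromstring(response_xml)
    for grp in root.iter("FirewallRuleGroup"):
        if grp.findtext("Name") == group_name:
            return [p.text for p in grp.iterfind("SecurityPolicyList/SecurityPolicy")]
    return None


def merge_members(current, required):
    """The update replaces the whole SecurityPolicyList, so send existing members
    plus the ones to re-attach; sending only the new ones would evict the rest."""
    merged = list(current)
    for rule in required:
        if rule not in merged:
            merged.append(rule)
    return merged


def group_update_body(group_name, rule_names, policytype="Any"):
    """The workaround request from the thread, built from a list instead of edited by hand."""
    set_el = ET.Element("Set", operation="update")
    grp = ET.SubElement(set_el, "FirewallRuleGroup", transactionid="")
    ET.SubElement(grp, "Name").text = group_name
    ET.SubElement(grp, "Description")
    lst = ET.SubElement(grp, "SecurityPolicyList")
    for rule in rule_names:
        ET.SubElement(lst, "SecurityPolicy").text = rule
    ET.SubElement(grp, "Policytype").text = policytype
    return set_el


def response_status(response_xml):
    """(code, message) from the first <Status code="..."> element, else (None, None)."""
    st = ET.fromstring(response_xml).find(".//Status")
    if st is None:
        return None, None
    return st.get("code"), (st.text or "").strip()


def send(xml_text, host=FIREWALL_HOST, verify_tls=True):
    """POST the request XML to the API controller. The admin password travels in
    the body, so leave TLS verification on outside a lab."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab only: self-signed admin certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    data = urllib.parse.urlencode({"reqxml": xml_text}).encode()
    req = urllib.request.Request(f"https://{host}:4444/webconsole/APIController", data=data)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode()


def ensure_rules_in_group(group_name, rules, host=FIREWALL_HOST, verify_tls=True):
    """Sixth step after the five certificate/WAF calls: read, merge, write, verify."""
    current = group_members(send(build_request(API_USER, API_PASS, get_groups_body()),
                                 host, verify_tls), group_name)
    if current is None:
        raise RuntimeError(f"rule group {group_name!r} not found")
    wanted = merge_members(current, rules)
    resp = send(build_request(API_USER, API_PASS, group_update_body(group_name, wanted)),
                host, verify_tls)
    code, msg = response_status(resp)
    if code != "200":
        raise RuntimeError(f"group update rejected: {code} {msg}")
    return wanted


if __name__ == "__main__":
    print(ensure_rules_in_group("Web Applications", ["WAF-Rule 3", "WAF-Rule 4"]))
```

Run it as the last step of the renewal job, after the WAF rules have been switched to the renewed certificate. Because the login credentials are sent in the request body, use a dedicated API user with the narrowest admin profile that can edit rule groups, restrict the API to the renewal host's address in the SFOS API settings, and keep certificate verification enabled against the admin interface.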
  • If you like, you could push the script to GitHub and link it from the community. I assume many people would like to see this kind of code :)


  • Adding to what LuCar has mentioned, I'd be happy to help feature this in our Recommended Read section if you want to update your post on this main thread with your GitHub script.


    Florentino
    Director, Global Community & Digital Support
