
Accessing Api

I am trying to wrap my head around the Sophos UTM API; my goal is to eventually create a small iOS app to block my kids from accessing the internet. The UTM is set up now in a way that I can activate a blackhole DNAT to redirect requests from my kids' devices to nirvana, thus taking internet access from them. So that part is working fine.

My next goal is to figure out which API call to make in order to switch said rules remotely. I have an API user, given all permissions in `WebAdmin Settings` > `Access Control`. I can connect to my Sophos API just fine with the URL https://fqdn:4444/api and can also log in just fine. I also already have a Let's Encrypt cert in place, so HTTPS works just fine as well.
Also, I have split DNS in place, so the above FQDN resolves to my public IP from outside and to my local IP from the inside.

Now, to access the DNAT rules, I first want to retrieve all available DNAT rules with the API route GET `/objects/packetfilter/nat/`. I tried in 3 different ways:

  1. using the `Try it out` button, receiving the following (calling via LAN interface)
  2. using the corresponding `curl` command (calling via LAN)
  3. using `curl` on a **remote** host (calling via WAN)

What I don't understand now is that I only get permission when calling from **outside** via WAN (200), while all internal calls return a 403 Permission denied.

Here's the log content:

```
# Remote access
2019:05:30-11:06:28 fw restd[4530]: [D994343C3D651E72AFDCFAE594554FEE|] [ConfdHelper] Reusing session: <username> (rscDMdprRbJEdmhrJZMu@212.51.135.249)
2019:05:30-11:06:28 fw restd[4530]: [D994343C3D651E72AFDCFAE594554FEE|] confd => [4] get_SID()
2019:05:30-11:06:28 fw restd[4530]: [D994343C3D651E72AFDCFAE594554FEE|] confd <= [4] Result: "rscDMdprRbJEdmhrJZMu"
2019:05:30-11:06:28 fw restd[4530]: [D994343C3D651E72AFDCFAE594554FEE|] Started GET /api/objects/packetfilter/nat/
2019:05:30-11:06:28 fw restd[4530]: [D994343C3D651E72AFDCFAE594554FEE|] confd => [5] get_objects(["packetfilter","nat"])
2019:05:30-11:06:28 fw restd[4530]: [D994343C3D651E72AFDCFAE594554FEE|] confd <= [5] Result: [{"ref":"REF_PacNatAnyFromDevic","lock":"","data":{"source_nat_address":"","source_nat_service":"","source":"REF_NetGroDevicesnic","auto_pf_in":"","mode":"dnat","destination":"REF_NetGroInternet","status":0,"name":"Any from devices-Nico to Internet","ipsec":0,"service":"REF_ServiceAny","destination_nat_service":"","group":"","comment":"Block-Nicos-Devices","destination_nat_address":"REF_NetHosNirvana","log":1,"auto_pfrule":1},"type":"nat","class":"packetfilter","hidden":0,"autoname":1,"nodel":""},{"lock":"","ref":"REF_PacNatAnyFromDevic2","type":"nat","class":"packetfilter","hidden":0,"autoname":1,"data":{"source":"REF_NetGroDevicesleo","source_nat_service":"","source_nat_address":"","auto_pf_in":"","status":0,"destination":"REF_NetGroInternet","mode":"dnat","ipsec":0,"name":"Any from devices-Leonie to Internet","service":"REF_ServiceAny","destination_nat_service":"","group":"","comment":"Block-Leonies-Devices","destination_nat_address":"REF_NetHosNirvana","log":1,"auto_pfrule":1},"nodel":""},{"lock":"","ref":"REF_PacNatAnyFromAndre","autoname":1,"hidden":0,"class":"packetfilter","type":"nat","data":{"source":"REF_NetHosAndreasiph","source_nat_service":"","source_nat_address":"","auto_pf_in":"","status":0,"destination":"REF_NetGroInternet","mode":"dnat","ipsec":0,"name":"Any from Andreas-iPhone to Internet","service":"REF_ServiceAny","destination_nat_service":"","group":"","comment":"Block-Andreas-iPhone-Test","destination_nat_address":"REF_NetHosNirvana","log":1,"auto_pfrule":1},"nodel":""}]
2019:05:30-11:06:28 fw restd[4530]: [D994343C3D651E72AFDCFAE594554FEE|] Completed GET 200 /api/objects/packetfilter/nat/ in 10.347606ms

# Local access
2019:05:30-11:07:00 fw restd[4530]: [27F2B388DE791F905FA808B89A371191|] [ConfdHelper] Reusing session: <username> (hNeIPKCOfAkJuaEKxaOx@192.168.34.202)
2019:05:30-11:07:00 fw restd[4530]: [27F2B388DE791F905FA808B89A371191|] confd => [5700] get_SID()
2019:05:30-11:07:00 fw restd[4530]: [27F2B388DE791F905FA808B89A371191|] confd <= [5700] Result: 0
2019:05:30-11:07:00 fw restd[4530]: [27F2B388DE791F905FA808B89A371191|] Started GET /api/objects/packetfilter/nat/
2019:05:30-11:07:00 fw restd[4530]: [27F2B388DE791F905FA808B89A371191|] confd => [5701] get_objects(["packetfilter","nat"])
2019:05:30-11:07:00 fw restd[4530]: [27F2B388DE791F905FA808B89A371191|] confd <= [5701] Result: []
2019:05:30-11:07:00 fw restd[4530]: [27F2B388DE791F905FA808B89A371191|] confd => [5702] err_list()
2019:05:30-11:07:00 fw restd[4530]: [27F2B388DE791F905FA808B89A371191|] confd <= [5702] Result: [{"rights":"ANONYMOUS","attrs":[],"ref":"REF_PacNatAnyFromDevic","name":"Permission denied to read the NAT rule object.","never_hide":0,"msgtype":"OBJECT_LOOKUP_DENY","Oattrs":["class","type"],"format":"Permission denied to read the %_O object.","fatal":1,"class":"packetfilter","type":"nat","perms":"RASMAN,WEBSEC,REPORTAUDITOR,WEBAUDITOR,READONLY,NETAUDITOR,NETSEC,NTTOPERATOR,SUPERADMIN"}]
2019:05:30-11:07:00 fw restd[4530]: [27F2B388DE791F905FA808B89A371191|] Completed GET 403 /api/objects/packetfilter/nat/ in 7.83674ms
2019:05:30-11:14:54 fw restd[4530]: [0801D32C9F0A12E98C7D7CECF0993E4C|] [ConfdHelper] Reusing session: <username> (hNeIPKCOfAkJuaEKxaOx@192.168.34.202)
2019:05:30-11:14:54 fw restd[4530]: [0801D32C9F0A12E98C7D7CECF0993E4C|] confd => [5703] get_SID()
2019:05:30-11:14:54 fw restd[4530]: [0801D32C9F0A12E98C7D7CECF0993E4C|] confd <= [5703] Result: 0
2019:05:30-11:14:54 fw restd[4530]: [0801D32C9F0A12E98C7D7CECF0993E4C|] Started GET /api/objects/packetfilter/nat/
2019:05:30-11:14:54 fw restd[4530]: [0801D32C9F0A12E98C7D7CECF0993E4C|] confd => [5704] get_objects(["packetfilter","nat"])
2019:05:30-11:14:54 fw restd[4530]: [0801D32C9F0A12E98C7D7CECF0993E4C|] confd <= [5704] Result: []
2019:05:30-11:14:54 fw restd[4530]: [0801D32C9F0A12E98C7D7CECF0993E4C|] confd => [5705] err_list()
2019:05:30-11:14:54 fw restd[4530]: [0801D32C9F0A12E98C7D7CECF0993E4C|] confd <= [5705] Result: [{"rights":"ANONYMOUS","attrs":[],"ref":"REF_PacNatAnyFromDevic","name":"Permission denied to read the NAT rule object.","never_hide":0,"msgtype":"OBJECT_LOOKUP_DENY","Oattrs":["class","type"],"format":"Permission denied to read the %_O object.","fatal":1,"class":"packetfilter","type":"nat","perms":"RASMAN,WEBSEC,REPORTAUDITOR,WEBAUDITOR,READONLY,NETAUDITOR,NETSEC,NTTOPERATOR,SUPERADMIN"}]
2019:05:30-11:14:54 fw restd[4530]: [0801D32C9F0A12E98C7D7CECF0993E4C|] Completed GET 403 /api/objects/packetfilter/nat/ in 8.495869ms
```
 
Any hints as to what I am missing are highly appreciated! 
 
Nota bene: in the end, I want to deactivate WAN access to WebAdmin / API and use it locally or via VPN only.
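The rule switching the post is working toward, as an added example that is not part of the original post or of Sophos's own code: a small Python client for the UTM RESTful API that lists the DNAT rules via the route quoted above, picks a rule by its `comment` field (the values `Block-Nicos-Devices` etc. come from the logged 200 response) and flips its `status`. Everything beyond the list route and the field names visible in the log is an assumption: API-token authentication as HTTP Basic with the user name `token`, and per-object updates via `PATCH /objects/packetfilter/nat/<ref>` with `{"status": 0|1}`. `FakeOpener` is a constructed offline transport that replays the objects from the 200 response and can simulate the 403; `https://fqdn:4444/api` and `<api-token>` are placeholders. A 403 is surfaced as `PermissionError` with the re-login hint rather than retried, since in this thread the cause was an unbound session, not missing rights.

```python
import base64
import io
import json
import urllib.error
import urllib.request

NAT_PATH = "/objects/packetfilter/nat/"   # route from the post, relative to https://fqdn:4444/api


class UtmApi:
    """Minimal wrapper around the UTM RESTful API (hypothetical helper, not Sophos code).
    Assumptions: token auth is HTTP Basic with user "token"; objects are updated with PATCH."""

    def __init__(self, base_url, token, opener=urllib.request.urlopen):
        self.base_url = base_url.rstrip("/")
        cred = base64.b64encode(("token:" + token).encode()).decode()
        self.headers = {"Authorization": "Basic " + cred,
                        "Accept": "application/json",
                        "Content-Type": "application/json"}
        self.opener = opener  # injectable so the flow can be exercised offline

    def request(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base_url + path, data=data,
                                     method=method, headers=self.headers)
        try:
            with self.opener(req) as resp:
                return resp.status, json.loads(resp.read() or b"null")
        except urllib.error.HTTPError as err:   # urllib raises on 4xx/5xx
            return err.code, err.read().decode(errors="replace")

    def list_dnat_rules(self):
        status, body = self.request("GET", NAT_PATH)
        if status == 403:
            # The post's symptom: restd logs get_SID() -> 0 and err_list() reports
            # OBJECT_LOOKUP_DENY with rights ANONYMOUS, i.e. the reused session is not
            # bound to the API user. Re-authenticate instead of granting more roles.
            raise PermissionError("403 on %s: session not bound to an authorised user; "
                                  "log out of the API web interface, log in again and retry" % NAT_PATH)
        if status != 200:
            raise RuntimeError("unexpected %s on %s: %r" % (status, NAT_PATH, body))
        return body

    def set_rule_status(self, ref, enabled):
        # Assumed endpoint: PATCH on the object URL with only the field to change.
        status, body = self.request("PATCH", NAT_PATH + ref, {"status": 1 if enabled else 0})
        if status not in (200, 204):
            raise RuntimeError("PATCH %s failed: %s %r" % (ref, status, body))
        return status


def find_rule_by_comment(rules, comment):
    """Locate a NAT rule by its 'comment' field, e.g. 'Block-Nicos-Devices'."""
    for rule in rules:
        if rule.get("data", {}).get("comment") == comment:
            return rule["ref"]
    raise KeyError(comment)


def set_block(api, comment, blocked):
    """Enable (block) or disable the blackhole DNAT rule tagged with `comment`; returns its ref."""
    ref = find_rule_by_comment(api.list_dnat_rules(), comment)
    api.set_rule_status(ref, blocked)
    return ref


# --- constructed offline transport: replays objects from the post's 200 response ---
SAMPLE_RULES = [
    {"ref": "REF_PacNatAnyFromDevic", "data": {"comment": "Block-Nicos-Devices", "status": 0,
                                               "destination_nat_address": "REF_NetHosNirvana"}},
    {"ref": "REF_PacNatAnyFromDevic2", "data": {"comment": "Block-Leonies-Devices", "status": 0}},
]


class _Resp(io.BytesIO):
    def __init__(self, status, body):
        super().__init__(body)
        self.status = status


class FakeOpener:
    """Stand-in for urllib.request.urlopen; records PATCHes and can simulate the 403."""
    def __init__(self, deny=False):
        self.deny, self.patches = deny, []

    def __call__(self, req):
        if self.deny:
            raise urllib.error.HTTPError(req.full_url, 403, "Forbidden", {}, io.BytesIO(b"Permission denied"))
        if req.get_method() == "PATCH":
            self.patches.append((req.full_url, json.loads(req.data)))
            return _Resp(200, b'{"status": 1}')
        return _Resp(200, json.dumps(SAMPLE_RULES).encode())


if __name__ == "__main__":
    # Swap FakeOpener() for the default urlopen to talk to a real UTM.
    api = UtmApi("https://fqdn:4444/api", "<api-token>", opener=FakeOpener())
    print("enabled", set_block(api, "Block-Nicos-Devices", True))
```

Because the transport is injected, the same `set_block` call runs against a real firewall with the default `urlopen`; the poster's Let's Encrypt certificate means no TLS verification needs to be relaxed for that.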


  • OK, seems as though I am not fully understanding under which circumstances access is being blocked... 

    After a logout from the API web interface and a re-login, it now also works locally... I am not quite sure what that means and in which log I can see or where I can overrule such a blocking yet; perhaps someone has some input on this?
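The two log excerpts from the original post, read side by side, as an added example that is not part of the thread: a small Python parser that groups the restd lines by request ID, pairs each `confd =>` call with its `Result`, and reports why a request ended in 403. The input is a constructed copy of the posted lines with the long `get_objects` payload of the 200 request dropped. The diagnosis it produces (a `get_SID()` result of `0` together with `rights: ANONYMOUS` means the reused session was not bound to the user, which fits the reply's finding that a logout and re-login fixed it) is my reading of those lines, not Sophos documentation.

```python
import json
import re
from collections import OrderedDict

# Constructed sample: the restd lines from the thread, minus the large get_objects payload.
SAMPLE_LOG = """\
2019:05:30-11:06:28 fw restd[4530]: [D994343C3D651E72AFDCFAE594554FEE|] [ConfdHelper] Reusing session: <username> (rscDMdprRbJEdmhrJZMu@212.51.135.249)
2019:05:30-11:06:28 fw restd[4530]: [D994343C3D651E72AFDCFAE594554FEE|] confd => [4] get_SID()
2019:05:30-11:06:28 fw restd[4530]: [D994343C3D651E72AFDCFAE594554FEE|] confd <= [4] Result: "rscDMdprRbJEdmhrJZMu"
2019:05:30-11:06:28 fw restd[4530]: [D994343C3D651E72AFDCFAE594554FEE|] Started GET /api/objects/packetfilter/nat/
2019:05:30-11:06:28 fw restd[4530]: [D994343C3D651E72AFDCFAE594554FEE|] Completed GET 200 /api/objects/packetfilter/nat/ in 10.347606ms
2019:05:30-11:07:00 fw restd[4530]: [27F2B388DE791F905FA808B89A371191|] [ConfdHelper] Reusing session: <username> (hNeIPKCOfAkJuaEKxaOx@192.168.34.202)
2019:05:30-11:07:00 fw restd[4530]: [27F2B388DE791F905FA808B89A371191|] confd => [5700] get_SID()
2019:05:30-11:07:00 fw restd[4530]: [27F2B388DE791F905FA808B89A371191|] confd <= [5700] Result: 0
2019:05:30-11:07:00 fw restd[4530]: [27F2B388DE791F905FA808B89A371191|] Started GET /api/objects/packetfilter/nat/
2019:05:30-11:07:00 fw restd[4530]: [27F2B388DE791F905FA808B89A371191|] confd => [5701] get_objects(["packetfilter","nat"])
2019:05:30-11:07:00 fw restd[4530]: [27F2B388DE791F905FA808B89A371191|] confd <= [5701] Result: []
2019:05:30-11:07:00 fw restd[4530]: [27F2B388DE791F905FA808B89A371191|] confd => [5702] err_list()
2019:05:30-11:07:00 fw restd[4530]: [27F2B388DE791F905FA808B89A371191|] confd <= [5702] Result: [{"rights":"ANONYMOUS","attrs":[],"ref":"REF_PacNatAnyFromDevic","name":"Permission denied to read the NAT rule object.","never_hide":0,"msgtype":"OBJECT_LOOKUP_DENY","Oattrs":["class","type"],"format":"Permission denied to read the %_O object.","fatal":1,"class":"packetfilter","type":"nat","perms":"RASMAN,WEBSEC,REPORTAUDITOR,WEBAUDITOR,READONLY,NETAUDITOR,NETSEC,NTTOPERATOR,SUPERADMIN"}]
2019:05:30-11:07:00 fw restd[4530]: [27F2B388DE791F905FA808B89A371191|] Completed GET 403 /api/objects/packetfilter/nat/ in 7.83674ms
"""

LINE_RE = re.compile(r'^(\S+) \S+ restd\[\d+\]: \[([0-9A-F]+)\|\] (.*)$')
SESSION_RE = re.compile(r'Reusing session: (\S+) \((\S+)@([\d.]+)\)')
CALL_RE = re.compile(r'confd => \[(\d+)\] (\w+)\(')
RESULT_RE = re.compile(r'confd <= \[(\d+)\] Result: (.*)$')
STARTED_RE = re.compile(r'Started (\w+) (\S+)')
COMPLETED_RE = re.compile(r'Completed (\w+) (\d+) (\S+) in')


def parse_restd_log(text):
    """Group restd lines by request ID; keep session, get_SID result, HTTP status and deny info."""
    requests = OrderedDict()
    pending = {}  # (request id, confd call number) -> call name, to pair Result lines
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, req_id, msg = m.groups()
        rec = requests.setdefault(req_id, {"time": ts, "user": None, "session": None,
                                           "client_ip": None, "sid": None, "method": None,
                                           "path": None, "status": None, "deny": []})
        s = SESSION_RE.search(msg)
        if s:
            rec["user"], rec["session"], rec["client_ip"] = s.groups()
            continue
        c = CALL_RE.search(msg)
        if c:
            pending[(req_id, c.group(1))] = c.group(2)
            continue
        r = RESULT_RE.search(msg)
        if r:
            call = pending.pop((req_id, r.group(1)), None)
            if call == "get_SID":
                rec["sid"] = json.loads(r.group(2))      # a quoted session id, or the bare 0
            elif call == "err_list":
                for e in json.loads(r.group(2)):
                    rec["deny"].append({"msgtype": e.get("msgtype"), "rights": e.get("rights"),
                                        "perms": e.get("perms", "").split(",")})
            continue
        st = STARTED_RE.search(msg)
        if st:
            rec["method"], rec["path"] = st.groups()
            continue
        co = COMPLETED_RE.search(msg)
        if co:
            rec["method"], rec["status"], rec["path"] = co.group(1), int(co.group(2)), co.group(3)
    return requests


def diagnose(requests):
    """One finding per 403 request, distinguishing an unbound session from a real role gap."""
    findings = []
    for req_id, rec in requests.items():
        if rec["status"] != 403:
            continue
        rights = sorted({d["rights"] for d in rec["deny"] if d["rights"]})
        if rec["sid"] == 0:
            reason = ("get_SID() returned 0 and confd evaluated the call as %s: the reused "
                      "session is not bound to the API user; log out and log in again" % ",".join(rights))
        else:
            reason = "session is bound, but the user's role is not among the roles listed in perms"
        findings.append({"request": req_id, "client_ip": rec["client_ip"], "path": rec["path"],
                         "reason": reason,
                         "accepted_roles": sorted({p for d in rec["deny"] for p in d["perms"]})})
    return findings


if __name__ == "__main__":
    for f in diagnose(parse_restd_log(SAMPLE_LOG)):
        print("%s from %s -> 403 on %s: %s" % (f["request"], f["client_ip"], f["path"], f["reason"]))
```

Feed it the restd log of the firewall (the lines above are the log that the post quotes) and the `sid` column alone separates the two cases: a 403 with a real session ID points at missing role rights, a 403 with `0` points at the session itself.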