How to use curl to add packet filter rules (via Fail2ban)

I want to use Fail2ban to add & subtract IPs from Sophos's Firewall.

I've looked at the API documentation at https://www.sophos.com/en-us/medialibrary/PDFs/documentation/UTMonAWS/Sophos-UTM-RESTful-API.pdf and the curl example in section 6.1 looks like the way to go.

curl -X POST --header 'Content-Type: application/json' \
  --header 'Accept: text/json' \
  --header 'X-RESTD-SESSION: close' \
  --header 'X-RESTD-INSERT: packetfilter.rules' \
  --header 'Authorization: Basic YWRtaW46cHBwcA==' \
  -d '{"action":"accept", "destinations":["REF_NetworkAny"], "direction":"in",
       "log":true,
       "services":["REF_ServiceAny"],
       "sources":["REF_NetworkAny"],
       "status":true}' \
  'https://<UTM IP>:4444/api/objects/packetfilter/packetfilter/'

In that example, where would I put the IP to block?

Is there a better way to do this?

Has anyone managed to use Fail2ban with Sophos UTM?

Thanks, James.



  • Hi Bob. I've made some progress on this. Tech Support said that first you need to use the API to create the Host (i.e. the IP you want to block). Then you use the API to create the packet filter (firewall) rule, referencing that host.

    Reading section 5 of the documentation I found the Swagger interface - just go to https://ip_address_of_UTM:4444/api/ and you can find all that the API can do. It is fantastic. This is how I was able to create the Network Host object in the UTM.

    I created a firewall rule in the UTM's web GUI with Source being a Network Group that I'd created. The idea is that after I've created the Network Host using the API, I'd use the API to put it in the Network Group.

    This way I'd just have one Firewall Rule.

    Unfortunately, I've spent all afternoon looking, but I can't see any way to add a Network Host to a Network Group using the API.

    So that's what I'm stuck on at the moment.

    James.

  • Well, finally got it to work! After spending all day with much trial & error, I worked out the syntax. Basically, the Swagger UI lies about what you can do with POST, PUT & PATCH commands. You can write to all the fields, not just the 'comment' and 'name' fields.

    So, to add the Host with reference "REF_NetHos1918811671" (IP of 191.101.167.14) to the Network Group with ref "REF_NetGroBanneIpsFail2" I used:

    curl -X PATCH --header 'Content-Type: application/json' \
      --header 'Accept: application/json' \
      --header 'Authorization: Basic SmZXCvbnNMJHxMjM=' \
      -d '{"comment":"Test","name":"","members":["REF_NetHos1911011671"]}' \
      'my.sophos.utm.address:4445/.../REF_NetGroBanneIpsFail2'

    and output returned was:

    {
      "_locked": "",
      "_ref": "REF_NetGroBanneIpsFail2",
      "_type": "network/group",
      "comment": "Test",
      "members": [
        "REF_NetHos1911011671"
      ],
      "name": "191.101.167.14",
      "types": [
        "host"
      ]
    }

    So very relieved to get that working.

    Now my issue is that this curl command will overwrite what is already there, i.e. if the Network Group already has a few Hosts as members, they will be removed with this curl command and its only member would be 191.101.167.14.
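As an added example (not code from the thread, nor Sophos's), here is a read-modify-write version in Python that GETs the group, merges the new host ref into the members already present, and PATCHes only the members field back, so earlier bans survive and a repeated ban or unban is a no-op. It assumes the group object path /api/objects/network/group/<ref> (same layout as the thread's packetfilter URL) and that PATCH accepts the members field on its own; both should be confirmed in the Swagger UI at /api/.

```python
"""Ban/unban a UTM host object in a network group without clobbering other members."""
import base64
import json
import os
import ssl
import sys
import urllib.request


def merge_members(current, host_ref, remove=False):
    """Return the group's new member list with host_ref added once, or dropped."""
    if remove:
        return [m for m in current if m != host_ref]
    if host_ref in current:
        return list(current)  # already a member: nothing to write
    return list(current) + [host_ref]


class UtmClient:
    def __init__(self, host, user, password, cafile, port=4444):
        # /api/objects/<class>/<type>/<ref> layout assumed; confirm in Swagger UI at /api/.
        self.base = f"https://{host}:{port}/api/objects"
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Content-Type": "application/json",
                        "Accept": "application/json",
                        "Authorization": f"Basic {token}",
                        "X-RESTD-SESSION": "close"}
        # Trust the UTM's own CA (cafile) rather than turning certificate checks off.
        self.ctx = ssl.create_default_context(cafile=cafile)

    def _call(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data,
                                     method=method, headers=self.headers)
        with urllib.request.urlopen(req, context=self.ctx, timeout=15) as resp:
            return json.load(resp)

    def set_member(self, group_ref, host_ref, remove=False):
        path = f"/network/group/{group_ref}"
        group = self._call("GET", path)
        current = group.get("members", [])
        members = merge_members(current, host_ref, remove)
        if members == current:
            return group  # idempotent: a repeated ban or unban writes nothing
        return self._call("PATCH", path, {"members": members})  # only this field


if __name__ == "__main__":
    # usage: utm_ban.py <utm-host> <user> <ca.pem> <group-ref> <host-ref> [unban]
    # The password is read from UTM_PASSWORD so it does not appear in the process list.
    utm, user, cafile, group_ref, host_ref = sys.argv[1:6]
    client = UtmClient(utm, user, os.environ["UTM_PASSWORD"], cafile)
    result = client.set_member(group_ref, host_ref, remove=sys.argv[6:7] == ["unban"])
    print(json.dumps(result, indent=2))
```

The host ref and group ref are the `_ref` values the API returns when the objects are created, as in the output above; a Fail2ban actionban/actionunban can call the script with the host ref it created for the offending IP.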