topic Re: Security Rule API in Automation/API Discussions

Security Rule API

Ntripp — Wed, 10 Jan 2018 18:16:00 GMT

I've got a powershell script working that copies my security rules from one device to another but I need to control the order that they are inserted at the destination. I haven't been able to find this in the API browser or other examples. Does anyone know how to get the rule number or order? Or on the insert side?

Re: Security Rule API

nigelswift — Wed, 10 Jan 2018 19:54:28 GMT

Are you doing the rules one by one, or all the rules at once? If you use the following call, you could retain the order of the entire rulebase and use indexing in your logic.

/api/?type=config&action=get&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security

The other thing that comes to mind is the action=move call on the configuration like so:

/api/?type=config&action=move&xpath=/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='rule1']&where=after&dst=rule2

Re: Security Rule API

Ntripp — Wed, 10 Jan 2018 21:11:20 GMT

I'm pulling them with that xpath:

but then I have to loop through the elements to push them:

"?type=config&action=show&key="+ $key + "&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/vsys/entry/rulebase/security"

foreach ($k in ($rules.response.Selectnodes("//entry[@name]"))){

$uri = $papa + "?type=config&action=set&key=" + $key + "&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='" +$k.name+']' + "&xpath-value&element=" + $k.InnerXml
invoke-webrequest -uri $uri
}

is there a way to bulk load them? This was the only way I could make the xml usable to push into the other device.

Re: Security Rule API

nigelswift — Thu, 11 Jan 2018 14:22:06 GMT

Yes. This is what the first call I supplied does. If you do a get just for the rulebase and then a set of the same xml at the rulebase xpath with the element that you pass, you should be able to move over the entire rulebase.

Re: Security Rule API

Ntripp — Fri, 19 Jan 2018 18:12:29 GMT

I was able to get the whole rulebase which is the command you supplied (I was already doing that). I was not able to push them all at once and required looping through. Did you have the xpath for set an entire rulebase?

What I plan to do is is add tags to the rules add and move them. Seems like there should be a function for rule order placement on the set instead of adding then moving but this is all I have been able to find so far.