Create a new Zone Protection Profile using XPath?

JBishop — Fri, 02 Dec 2022 20:52:25 GMT

I am trying to add a Zone Protection Profile from an XML document to a firewall using the XPath API. I don't want to have to iterate through each element and add it to the profile. Is there a way to add it from an XML file or block?

def add_dos_profile(self):

ret = True

with open("DOS.xml") as f:
element = f.read()

api_url = "https://" + self.host + "/api/? type=config&action=set&xpath=/config/devices/entry[@name='localhost.localdomain']/network/dns-proxy&element=" + element

try:
response = requests.get(api_url, params=self.location, verify=False, headers=self.api_headers)

print("response")
print(response)
if response.status_code == 200:
if ret != False:
ret = True
else:
ret = False

except:
print("ERROR add_dos_profile : connetcting to host. ")
sys.exit(0)

return ret

Here is the XML file:

<entry name="ZPP-3">
<flood>
<tcp-syn>
<red>
<alarm-rate>10000</alarm-rate>
<activate-rate>10000</activate-rate>
<maximal-rate>40000</maximal-rate>
</red>
<enable>yes</enable>
</tcp-syn>
<udp>
<red>
<alarm-rate>10000</alarm-rate>
<activate-rate>10000</activate-rate>
<maximal-rate>40000</maximal-rate>
</red>
<enable>yes</enable>
</udp>
<icmp>
<red>
<alarm-rate>10000</alarm-rate>
<activate-rate>10000</activate-rate>
<maximal-rate>40000</maximal-rate>
</red>
<enable>yes</enable>
</icmp>
<icmpv6>
<red>
<alarm-rate>10000</alarm-rate>
<activate-rate>10000</activate-rate>
<maximal-rate>40000</maximal-rate>
</red>
<enable>yes</enable>
</icmpv6>
<other-ip>
<red>
<alarm-rate>10000</alarm-rate>
<activate-rate>10000</activate-rate>
<maximal-rate>40000</maximal-rate>
</red>
<enable>yes</enable>
</other-ip>
</flood>
<ipv6>
<filter-ext-hdr>
<hop-by-hop-hdr>yes</hop-by-hop-hdr>
<routing-hdr>yes</routing-hdr>
<dest-option-hdr>yes</dest-option-hdr>
</filter-ext-hdr>
<ignore-inv-pkt>
<dest-unreach>yes</dest-unreach>
<pkt-too-big>yes</pkt-too-big>
<time-exceeded>yes</time-exceeded>
<param-problem>yes</param-problem>
<redirect>yes</redirect>
</ignore-inv-pkt>
<ipv4-compatible-address>yes</ipv4-compatible-address>
<anycast-source>yes</anycast-source>
<icmpv6-too-big-small-mtu-discard>yes</icmpv6-too-big-small-mtu-discard>
<options-invalid-ipv6-discard>yes</options-invalid-ipv6-discard>
<reserved-field-set-discard>yes</reserved-field-set-discard>
</ipv6>
<scan>
<entry name="8001">
<action>
<block/>
</action>
<interval>2</interval>
<threshold>100</threshold>
</entry>
<entry name="8002">
<action>
<block/>
</action>
<interval>10</interval>
<threshold>100</threshold>
</entry>
<entry name="8003">
<action>
<block/>
</action>
<interval>2</interval>
<threshold>100</threshold>
</entry>
</scan>
<discard-ip-spoof>yes</discard-ip-spoof>
<discard-strict-source-routing>yes</discard-strict-source-routing>
<discard-loose-source-routing>yes</discard-loose-source-routing>
<discard-timestamp>yes</discard-timestamp>
<discard-unknown-option>yes</discard-unknown-option>
<discard-malformed-option>yes</discard-malformed-option>
<discard-overlapping-tcp-segment-mismatch>yes</discard-overlapping-tcp-segment-mismatch>
<tcp-reject-non-syn>yes</tcp-reject-non-syn>
<remove-tcp-timestamp>yes</remove-tcp-timestamp>
<discard-icmp-ping-zero-id>yes</discard-icmp-ping-zero-id>
<discard-icmp-frag>yes</discard-icmp-frag>
<discard-icmp-large-packet>yes</discard-icmp-large-packet>
<suppress-icmp-timeexceeded>yes</suppress-icmp-timeexceeded>
<suppress-icmp-needfrag>yes</suppress-icmp-needfrag>
<description>Created by Scrip</description>
<asymmetric-path>bypass</asymmetric-path>
<discard-icmp-error>yes</discard-icmp-error>
</entry>

Re: Create a new Zone Protection Profile using XPath?

JimmyHolland — Mon, 09 Jan 2023 16:17:57 GMT

You could use "load config partial" via the API?

First upload the XML snippet file (DOS.xml): https://{{host}}/api?key={{key}}&type=import&category=configuration, passing in the XML file as form-data

Second, load the XML as "partial config": https://{{host}}/api?key={{key}}&type=op&cmd=<load><config><partial><mode>append</mode><from-xpath>entry</from-xpath><to-xpath>/config/devices/entry[@name="localhost.localdomain"]/network/profiles/zone-protection-profile</to-xpath><from>DOS.xml</from></partial></config></load>

Hope that helps

topic Create a new Zone Protection Profile using XPath? in Automation/API Discussions

Create a new Zone Protection Profile using XPath?

Re: Create a new Zone Protection Profile using XPath?