topic Re: API for clearing session in General Topics

API for clearing session

Roby_Sreejith — Wed, 21 Dec 2016 10:07:35 GMT

Can some one share some light on creating some API to do below steps:

1) identify an application or port ( for ex: 5555 or backup app) when this traffic apprears on one egress interface , need to clear the sesion for this specified traffic.

( situation: we use PBF for soem traffic to choose one path and when that line down , this traffic takes normal routing path. Even after our PBF line comes up, this will continue taking routing path untill we manually clear it)

Re: API for clearing session

BPry — Wed, 21 Dec 2016 15:04:17 GMT

When your clearing session info you can't filter specifically by egress interface like you would with the show command, you are going to need to filter by hw-interface.

The request would look something like

https://firewall/api/?type=op&cmd=<clear><session><all><filter><hw-interface>ethernet1/2</hw-interface><destination-port>5555</destination-port></filter></all></session></clear>&key=key

Likewise if you would be looking to clear it with the applicaiton specified you would just want to replace the destination-port information with application.

https://firewall/api/?type=op&cmd=<clear><session><all><filter><hw-interface>ethernet1/2</hw-interface><application>backup</application></filter></all></session></clear>&key=key

Re: API for clearing session

Roby_Sreejith — Wed, 21 Dec 2016 16:24:36 GMT

Thank you for the reply.

In my case both egress interfaces are part of one main interface.

for ex: PBF egress interface ether 1/5.1

Routing table egress interface ethernet 1/5.2

So only API with egress interface commnad is required

Re: API for clearing session

BPry — Wed, 21 Dec 2016 16:55:43 GMT

Why don't you just clear based by the pbf rule? You can filter by the pbf-rule name and clear all sessions related to that pbf-rule. I can't recall what the actual xpath would be for it, but if you debug cli on and then run the command it will spit out the xpath that you need.

Also I'm pretty sure the hw-interface can be sub-interfaces perfectly fine; when you are clearing session info the only filters that you have access to are listed below. Notice that egress and ingress options are not available when clearing, only when you are running the show command do you gain those options again.

+ application Application name
+ destination destination IP address
+ destination-port Destination port
+ destination-user Destination user
+ dos-rule DoS protection rule name
+ from From zone
+ hw-interface hardware interface
+ min-kb minimum KB of byte count
+ nat If session is NAT
+ nat-rule NAT rule name
+ pbf-rule Policy-Based-Forwarding rule name
+ protocol IP protocol value
+ qos-class QoS class
+ qos-node-id QoS node-id value
+ qos-rule QoS rule name
+ rule Security rule name
+ source source IP address
+ source-port Source port
+ source-user Source user
+ ssl-decrypt session is decrypted
+ state flow state
+ to To zone
+ type flow type
+ vsys-name vsys-name
<Enter> Finish input

Re: API for clearing session

Roby_Sreejith — Thu, 29 Dec 2016 12:46:03 GMT

Unfortunately the preferred path one PBF rule.

However when that ISP is down it will choose the default route in Virtual router.

So I can not clear by PBF rule