- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
12-02-2022 12:52 PM
I am trying to add a Zone Protection Profile from an XML document to a firewall using the XPath API. I don't want to have to iterate through each element and add it to the profile. Is there a way to add it from an XML file or block?
def add_dos_profile(self):
ret = True
with open("DOS.xml") as f:
element = f.read()
api_url = "https://" + self.host + "/api/? type=config&action=set&xpath=/config/devices/entry[@name='localhost.localdomain']/network/dns-proxy&element=" + element
try:
response = requests.get(api_url, params=self.location, verify=False, headers=self.api_headers)
print("response")
print(response)
if response.status_code == 200:
if ret != False:
ret = True
else:
ret = False
except:
print("ERROR add_dos_profile : connetcting to host. ")
sys.exit(0)
return ret
Here is the XML file:
<entry name="ZPP-3">
<flood>
<tcp-syn>
<red>
<alarm-rate>10000</alarm-rate>
<activate-rate>10000</activate-rate>
<maximal-rate>40000</maximal-rate>
</red>
<enable>yes</enable>
</tcp-syn>
<udp>
<red>
<alarm-rate>10000</alarm-rate>
<activate-rate>10000</activate-rate>
<maximal-rate>40000</maximal-rate>
</red>
<enable>yes</enable>
</udp>
<icmp>
<red>
<alarm-rate>10000</alarm-rate>
<activate-rate>10000</activate-rate>
<maximal-rate>40000</maximal-rate>
</red>
<enable>yes</enable>
</icmp>
<icmpv6>
<red>
<alarm-rate>10000</alarm-rate>
<activate-rate>10000</activate-rate>
<maximal-rate>40000</maximal-rate>
</red>
<enable>yes</enable>
</icmpv6>
<other-ip>
<red>
<alarm-rate>10000</alarm-rate>
<activate-rate>10000</activate-rate>
<maximal-rate>40000</maximal-rate>
</red>
<enable>yes</enable>
</other-ip>
</flood>
<ipv6>
<filter-ext-hdr>
<hop-by-hop-hdr>yes</hop-by-hop-hdr>
<routing-hdr>yes</routing-hdr>
<dest-option-hdr>yes</dest-option-hdr>
</filter-ext-hdr>
<ignore-inv-pkt>
<dest-unreach>yes</dest-unreach>
<pkt-too-big>yes</pkt-too-big>
<time-exceeded>yes</time-exceeded>
<param-problem>yes</param-problem>
<redirect>yes</redirect>
</ignore-inv-pkt>
<ipv4-compatible-address>yes</ipv4-compatible-address>
<anycast-source>yes</anycast-source>
<icmpv6-too-big-small-mtu-discard>yes</icmpv6-too-big-small-mtu-discard>
<options-invalid-ipv6-discard>yes</options-invalid-ipv6-discard>
<reserved-field-set-discard>yes</reserved-field-set-discard>
</ipv6>
<scan>
<entry name="8001">
<action>
<block/>
</action>
<interval>2</interval>
<threshold>100</threshold>
</entry>
<entry name="8002">
<action>
<block/>
</action>
<interval>10</interval>
<threshold>100</threshold>
</entry>
<entry name="8003">
<action>
<block/>
</action>
<interval>2</interval>
<threshold>100</threshold>
</entry>
</scan>
<discard-ip-spoof>yes</discard-ip-spoof>
<discard-strict-source-routing>yes</discard-strict-source-routing>
<discard-loose-source-routing>yes</discard-loose-source-routing>
<discard-timestamp>yes</discard-timestamp>
<discard-unknown-option>yes</discard-unknown-option>
<discard-malformed-option>yes</discard-malformed-option>
<discard-overlapping-tcp-segment-mismatch>yes</discard-overlapping-tcp-segment-mismatch>
<tcp-reject-non-syn>yes</tcp-reject-non-syn>
<remove-tcp-timestamp>yes</remove-tcp-timestamp>
<discard-icmp-ping-zero-id>yes</discard-icmp-ping-zero-id>
<discard-icmp-frag>yes</discard-icmp-frag>
<discard-icmp-large-packet>yes</discard-icmp-large-packet>
<suppress-icmp-timeexceeded>yes</suppress-icmp-timeexceeded>
<suppress-icmp-needfrag>yes</suppress-icmp-needfrag>
<description>Created by Scrip</description>
<asymmetric-path>bypass</asymmetric-path>
<discard-icmp-error>yes</discard-icmp-error>
</entry>
01-09-2023 08:17 AM
You could use "load config partial" via the API?
First upload the XML snippet file (DOS.xml): https://{{host}}/api?key={{key}}&type=import&category=configuration, passing in the XML file as form-data
Second, load the XML as "partial config": https://{{host}}/api?key={{key}}&type=op&cmd=<load><config><partial><mode>append</mode><from-xpath>entry</from-xpath><to-xpath>/config/devices/entry[@name="localhost.localdomain"]/network/profiles/zone-protection-profile</to-xpath><from>DOS.xml</from></partial></config></load>
Hope that helps
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!