Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Create a new Zone Protection Profile using XPath?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Create a new Zone Protection Profile using XPath?

L0 Member

I am trying to add a Zone Protection Profile from an XML document to a firewall using the XPath API.  I don't want to have to iterate through each element and add it to the profile.  Is there a way to add it from an XML file or block?

 

 

def add_dos_profile(self):

    ret = True

    with open("DOS.xml") as f:
        element = f.read()

        api_url = "https://" + self.host + "/api/?                 type=config&action=set&xpath=/config/devices/entry[@name='localhost.localdomain']/network/dns-proxy&element=" + element

       try:
            response = requests.get(api_url, params=self.location, verify=False, headers=self.api_headers)

            print("response")
            print(response)
            if response.status_code == 200:
                 if ret != False:
                      ret = True
                else:
                     ret = False

    except:
            print("ERROR add_dos_profile : connetcting to host. ")
            sys.exit(0)

    return ret

 

Here is the XML file:

<entry name="ZPP-3">
<flood>
<tcp-syn>
<red>
<alarm-rate>10000</alarm-rate>
<activate-rate>10000</activate-rate>
<maximal-rate>40000</maximal-rate>
</red>
<enable>yes</enable>
</tcp-syn>
<udp>
<red>
<alarm-rate>10000</alarm-rate>
<activate-rate>10000</activate-rate>
<maximal-rate>40000</maximal-rate>
</red>
<enable>yes</enable>
</udp>
<icmp>
<red>
<alarm-rate>10000</alarm-rate>
<activate-rate>10000</activate-rate>
<maximal-rate>40000</maximal-rate>
</red>
<enable>yes</enable>
</icmp>
<icmpv6>
<red>
<alarm-rate>10000</alarm-rate>
<activate-rate>10000</activate-rate>
<maximal-rate>40000</maximal-rate>
</red>
<enable>yes</enable>
</icmpv6>
<other-ip>
<red>
<alarm-rate>10000</alarm-rate>
<activate-rate>10000</activate-rate>
<maximal-rate>40000</maximal-rate>
</red>
<enable>yes</enable>
</other-ip>
</flood>
<ipv6>
<filter-ext-hdr>
<hop-by-hop-hdr>yes</hop-by-hop-hdr>
<routing-hdr>yes</routing-hdr>
<dest-option-hdr>yes</dest-option-hdr>
</filter-ext-hdr>
<ignore-inv-pkt>
<dest-unreach>yes</dest-unreach>
<pkt-too-big>yes</pkt-too-big>
<time-exceeded>yes</time-exceeded>
<param-problem>yes</param-problem>
<redirect>yes</redirect>
</ignore-inv-pkt>
<ipv4-compatible-address>yes</ipv4-compatible-address>
<anycast-source>yes</anycast-source>
<icmpv6-too-big-small-mtu-discard>yes</icmpv6-too-big-small-mtu-discard>
<options-invalid-ipv6-discard>yes</options-invalid-ipv6-discard>
<reserved-field-set-discard>yes</reserved-field-set-discard>
</ipv6>
<scan>
<entry name="8001">
<action>
<block/>
</action>
<interval>2</interval>
<threshold>100</threshold>
</entry>
<entry name="8002">
<action>
<block/>
</action>
<interval>10</interval>
<threshold>100</threshold>
</entry>
<entry name="8003">
<action>
<block/>
</action>
<interval>2</interval>
<threshold>100</threshold>
</entry>
</scan>
<discard-ip-spoof>yes</discard-ip-spoof>
<discard-strict-source-routing>yes</discard-strict-source-routing>
<discard-loose-source-routing>yes</discard-loose-source-routing>
<discard-timestamp>yes</discard-timestamp>
<discard-unknown-option>yes</discard-unknown-option>
<discard-malformed-option>yes</discard-malformed-option>
<discard-overlapping-tcp-segment-mismatch>yes</discard-overlapping-tcp-segment-mismatch>
<tcp-reject-non-syn>yes</tcp-reject-non-syn>
<remove-tcp-timestamp>yes</remove-tcp-timestamp>
<discard-icmp-ping-zero-id>yes</discard-icmp-ping-zero-id>
<discard-icmp-frag>yes</discard-icmp-frag>
<discard-icmp-large-packet>yes</discard-icmp-large-packet>
<suppress-icmp-timeexceeded>yes</suppress-icmp-timeexceeded>
<suppress-icmp-needfrag>yes</suppress-icmp-needfrag>
<description>Created by Scrip</description>
<asymmetric-path>bypass</asymmetric-path>
<discard-icmp-error>yes</discard-icmp-error>
</entry>

1 REPLY 1

L5 Sessionator

You could use "load config partial" via the API?

 

First upload the XML snippet file (DOS.xml): https://{{host}}/api?key={{key}}&type=import&category=configuration, passing in the XML file as form-data

Second, load the XML as "partial config": https://{{host}}/api?key={{key}}&type=op&cmd=<load><config><partial><mode>append</mode><from-xpath>entry</from-xpath><to-xpath>/config/devices/entry[@name="localhost.localdomain"]/network/profiles/zone-protection-profile</to-xpath><from>DOS.xml</from></partial></config></load>

 

Hope that helps

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂
  • 1302 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!