I'm writing a script to alert when a new MAC address is seen for an IP address that's listed in an Internet-facing rule. I have it working pretty well, but I want to avoid alerting on rules that are themselves new. I'm calling the API via /config/devices/entry/vsys/entry/rulebase/security/rules, but the data I get back doesn't include any creation/modification date information. Is there a way to get that information via the API? Thanks.
From my understanding, the only way to glean this information would be from the config audit versions (/api/?type=op&cmd=<show><config><audit></audit></config></show>). However, looping through each of these every time would add a lot of complexity to your script, and you may not have the config version where the last change to the firewall was made.
Have you considered writing the creation/modification dates to the description field and then using logic to base rules to alert on on the description field?
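The description-field approach suggested in the reply above, as an added example that is not part of the original thread or of any Palo Alto Networks tooling. It assumes a hypothetical tag convention `[created=YYYY-MM-DD]` in each rule's description and runs against a constructed sample shaped like the XML returned for the rules xpath; rules with no valid tag are reported separately instead of being silently alerted on or suppressed.

```python
import re
import xml.etree.ElementTree as ET
from datetime import date, timedelta

# Constructed sample shaped like a PAN-OS security-rules config response.
SAMPLE_XML = """<response status="success"><result><rules>
  <entry name="web-inbound"><description>Public web VIP [created=2023-01-10]</description></entry>
  <entry name="new-vpn"><description>[created=2024-05-28] Partner VPN</description></entry>
  <entry name="legacy-smtp"><description>Mail relay</description></entry>
  <entry name="bad-tag"><description>[created=2024-13-40]</description></entry>
  <entry name="no-desc"/>
</rules></result></response>"""

# Hypothetical tag convention; not a PAN-OS feature.
TAG = re.compile(r"\[created=(\d{4}-\d{2}-\d{2})\]")


def classify_rules(xml_text, today, grace_days=7):
    """Sort rule names into alertable / too_new / untagged buckets."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise ValueError("API call did not succeed")
    cutoff = today - timedelta(days=grace_days)
    out = {"alertable": [], "too_new": [], "untagged": []}
    # Only direct rule entries, not entries nested deeper inside a rule.
    for entry in root.findall("./result/rules/entry"):
        desc = entry.findtext("description", default="")
        match = TAG.search(desc)
        try:
            created = date.fromisoformat(match.group(1)) if match else None
        except ValueError:
            created = None  # malformed date: treat like a missing tag
        if created is None:
            out["untagged"].append(entry.get("name"))
        elif created > cutoff:
            out["too_new"].append(entry.get("name"))  # still in grace window
        else:
            out["alertable"].append(entry.get("name"))
    return out


if __name__ == "__main__":
    buckets = classify_rules(SAMPLE_XML, today=date(2024, 6, 1))
    for bucket, names in buckets.items():
        print(f"{bucket}: {', '.join(names)}")
```

The description is free text that any administrator with configuration rights can edit, so the tag is a convenience for the alerting script, and the config audit remains the authoritative record of when a rule changed.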