Rule creation/modification dates

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Rule creation/modification dates

L1 Bithead

I'm writing a script to alert when a new MAC address is seen for an IP address that's listed in an Internet-facing rule. I have it working pretty well, but I want to avoid alerting on rules that are themselves new. I'm calling the API via /config/devices/entry/vsys/entry/rulebase/security/rules, but the data I get back doesn't include any creation/modification date information. Is there a way to get that information via the API? Thanks.

1 REPLY 1

L4 Transporter

From my understanding, the only way to glean this information would be from the config audit versions (/api/?type=op&cmd=<show><config><audit></audit></config></show>). However, looping through each of these every time would add a lot of complexity to your script, and you may not have the config version where the last change to the firewall was made.

 

Have you considered writing the creation/modification dates to the description field and then using logic to base rules to alert on on the description field?

  • 2785 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!