08-23-2019 07:18 AM
I'd like to create a script or some kind of quick method to disable a PBF rule. We have a dual-ISP setup, and sometimes one ISP will get extremely slow. But it doesn't actually go down, so it doesn't trigger the PBF rule, and we're left with nearly unusable internet.
As the only "firewall guy", they basically have to wait on me to disable a PBF rule. Is there a way to script this?
08-23-2019 09:13 AM
Hello,
Might be possible via the API. However, getting better ISPs might be worth looking into as well.
Regards,
08-23-2019 09:16 AM
@OtakarKlier wrote: However, getting better ISPs might be worth looking into as well.
How does the saying go... "A general goes to war with the army he has"
08-23-2019 10:32 AM
This is an extremely good use case of the API.
Bonus Points: If you configure a machine so that it can utilize both ISP circuits (through two NICs or VLAN setup) you could actually automate testing the circuits and automatically enable/disable the PBF rule on the firewall once bandwidth is within expected norms. This would take any manual interaction requirements out completely.
08-23-2019 11:02 AM
@BPry wrote: This is an extremely good use case of the API.
Bonus Points: If you configure a machine so that it can utilize both ISP circuits (through two NICs or VLAN setup) you could actually automate testing the circuits and automatically enable/disable the PBF rule on the firewall once bandwidth is within expected norms. This would take any manual interaction requirements out completely.
So I looked over the API documentation, and I do see one for PBF rules. I've never used REST API though, so I guess it's time for a crash course. Any advice on where to start?
08-23-2019 12:08 PM - edited 08-23-2019 12:11 PM
The firewall includes a fairly decent browser that follows the CLI, so PBF would start at the following API URL
/api/?type=config&action=get&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/pbf/rules
So you would then set this to disabled by sending the following
/api/?type=config&action=set&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/pbf/rules/entry[@name='Test-PBF']&element=<disabled>yes</disabled>&key=APIKEY
Just to make it clear, you would want a way to obfuscate your API key so that your help desk doesn't actually get to see what it is; otherwise they would have the same permissions as whatever account the key was generated under. You could then utilize something like RunDeck to actually get them to run a script without opening up the management interface to all of your helpdesk users.
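A sketch of the help-desk script this thread describes, added here as an example and not code from any poster or from Palo Alto Networks: it sends the `set` call from the reply above while keeping the API key out of the URL, the script source and the operator's view. The function names, key-file handling and rule-name check are hypothetical, and it assumes a PAN-OS release that accepts the key in the `X-PAN-KEY` request header.

```python
import os
import stat
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# PBF rulebase xpath exactly as posted in the thread
PBF_RULES = ("/config/devices/entry[@name='localhost.localdomain']"
             "/vsys/entry[@name='vsys1']/rulebase/pbf/rules")

def load_key(path):
    """Read the API key from a file that only its owner can access."""
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        raise PermissionError(f"{path} must not be group/world accessible")
    with open(path) as fh:
        return fh.read().strip()

def build_request(host, key, rule, disabled=True):
    """Build the config 'set' call; the key travels in a header, not the URL."""
    if not rule or any(c in rule for c in "'\"[]/<>&"):
        raise ValueError("unexpected character in rule name")
    body = urllib.parse.urlencode({
        "type": "config",
        "action": "set",
        "xpath": f"{PBF_RULES}/entry[@name='{rule}']",
        "element": f"<disabled>{'yes' if disabled else 'no'}</disabled>",
    }).encode()
    # Assumption: the PAN-OS release accepts the key in the X-PAN-KEY header
    return urllib.request.Request(f"https://{host}/api/", data=body,
                                  headers={"X-PAN-KEY": key})

def check_response(xml_text):
    """Return the firewall's message on success, raise on an error status."""
    root = ET.fromstring(xml_text)
    msg = "".join(root.itertext()).strip()
    if root.get("status") != "success":
        raise RuntimeError(f"API call failed: {msg}")
    return msg

def set_pbf_rule(host, key_file, rule, disabled=True):
    """Disable (or re-enable) one PBF rule in the candidate configuration."""
    req = build_request(host, load_key(key_file), rule, disabled)
    # urlopen validates the firewall's TLS certificate by default
    with urllib.request.urlopen(req, timeout=10) as resp:
        return check_response(resp.read().decode())
```

Run it under a service account from a job runner such as RunDeck so help-desk staff can trigger the job without being able to read the key file. The call only edits the candidate configuration, so a commit is still needed before the rule stops matching traffic.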