Using API to dynamically register and tag -- can IP address be a subnet or only individual address?

L2 Linker

In one of our firewalls we have zone A which has network x.x.x.x/24, and zone B which has network y.y.y.y/24. There is a rule allowing traffic between them. Some high-ranking people at my company need to be able to block this traffic automatically at any time. I wrote a PowerShell script which is triggered by the incident management system when an authorized person submits a ticket. The PS script uses the API to disable the rule that allows the traffic and then does a commit. It works, but ideally I'd like to use something that does not require a commit.

 

I read about dynamic IP address and tag registration via the XML API and I want to use this method to populate a dynamic address group, and use that group in a deny rule above the allow rule. The match criteria for the address group will be the dynamic tag "blockme"; the API will add tag "blockme" to x.x.x.x/24, that address will get added to the dynamic address group, and access will be blocked. I got it to work, but it appears that I can only register one IP address per command (versus x.x.x.x/24).

 

The command I am using in the PS script is:

$AddTag=Invoke-RestMethod -uri "https://<firewall>/api/?type=user-id&command=<uid-message><type>update</type><payload><register><entry ip=`"x.x.x.x`"><tag><member>blockme</member></tag></entry></register></payload></uid-message>&key=$key"

 

Is this possible to do? My attempts have failed and I can't find an example where it's done. If not, then has anyone else had a need to do something similar, and found a better way than what I'm doing? I looked at auto-tagging but it doesn't seem to be a good fit for this situation.

 

The firewall is running 8.1.  Thank you for reading.

Cyber Elite

Re: Using API to dynamically register and tag -- can IP address be a subnet or only individual address?

@alterioc,

Because you are utilizing User-ID to accomplish this, you'll only ever be able to utilize this via a single IP address at a time.

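Added example for this thread (not code from the original poster, the reply, or Palo Alto Networks): the reply is that each <entry> in the User-ID message carries one IP address, but one <uid-message> may carry many <entry> elements, so the practical way to "tag a subnet" without a commit is to expand the /24 into its host addresses and register (or unregister) them all in a single API call. The script below does that, POSTs the message so the long payload is not in the URL, fails on any response status other than "success", and reads back the registered-IP table as a check. The firewall name, the API key environment variable, the 192.0.2.0/24 subnet and the op-command XML used for the read-back (the XML form of the CLI command "show object registered-ip all") are assumptions, not taken from the page.

```powershell
# Added example, not from the original post or from Palo Alto Networks.
# Registers or unregisters one tag on every host address of an IPv4 subnet in one
# User-ID API call: one <entry> per address, many <entry> elements per <uid-message>.
# Assumptions (placeholders, not on the page): firewall name, API key variable, subnet.
param(
    [string]$Firewall = 'firewall.example.com',     # placeholder host name
    [string]$ApiKey   = $env:PANOS_API_KEY,         # placeholder: key kept out of the script
    [string]$Subnet   = '192.0.2.0/24',              # placeholder (RFC 5737 documentation net)
    [string]$Tag      = 'blockme',
    [ValidateSet('register', 'unregister')]
    [string]$Action   = 'register'
)

# Windows PowerShell 5.1 may otherwise offer only TLS 1.0 to the management interface.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Expand an IPv4 CIDR (/24 through /32) into its usable host addresses. /24 to /30 drop
# the network and broadcast addresses; /31 and /32 use every address in the block.
function Get-HostAddresses {
    param([Parameter(Mandatory)][string]$Cidr)
    $addr, $prefixText = $Cidr.Split('/')
    $prefix = [int]$prefixText
    if ($prefix -lt 24 -or $prefix -gt 32) { throw "Only /24 through /32 is supported, got $Cidr" }
    [int64]$value = 0
    foreach ($b in [System.Net.IPAddress]::Parse($addr).GetAddressBytes()) {
        $value = ($value -shl 8) -bor $b        # pack the octets big-endian into one integer
    }
    $size    = [int64]1 -shl (32 - $prefix)
    $network = $value -band (-bnot ($size - 1))
    $first   = if ($prefix -le 30) { $network + 1 } else { $network }
    $last    = if ($prefix -le 30) { $network + $size - 2 } else { $network + $size - 1 }
    for ($n = $first; $n -le $last; $n++) {
        $octets = 3..0 | ForEach-Object { ($n -shr (8 * $_)) -band 255 }
        $octets -join '.'
    }
}

# Build the same <uid-message> the original script sends, with one <entry> per address.
# $Verb is "register" or "unregister"; the tag is XML-escaped in case it is user supplied.
function New-UidMessage {
    param([string[]]$Addresses, [string]$TagName, [string]$Verb)
    $safeTag = [System.Security.SecurityElement]::Escape($TagName)
    $sb = New-Object System.Text.StringBuilder
    [void]$sb.Append("<uid-message><type>update</type><payload><$Verb>")
    foreach ($a in $Addresses) {
        [void]$sb.Append("<entry ip=`"$a`"><tag><member>$safeTag</member></tag></entry>")
    }
    [void]$sb.Append("</$Verb></payload></uid-message>")
    $sb.ToString()
}

# POST the message as a form field (cmd=) so a 254-entry payload does not sit in the URL.
# Invoke-RestMethod parses the XML reply; anything but status="success" is an error.
function Send-UidMessage {
    param([string]$FirewallHost, [string]$Key, [string]$Message)
    $response = Invoke-RestMethod -Method Post -Uri "https://$FirewallHost/api/" `
        -Body @{ type = 'user-id'; key = $Key; cmd = $Message }
    if ($response.response.status -ne 'success') {
        throw "User-ID API call failed: $($response.OuterXml)"
    }
    $response
}

# Read back the registered-IP table. The XML below is assumed to be the op-command form of
# the CLI command "show object registered-ip all"; it is not taken from the thread.
function Get-RegisteredIps {
    param([string]$FirewallHost, [string]$Key)
    $cmd = '<show><object><registered-ip><all/></registered-ip></object></show>'
    $response = Invoke-RestMethod -Method Post -Uri "https://$FirewallHost/api/" `
        -Body @{ type = 'op'; key = $Key; cmd = $cmd }
    $response.response.result
}

$hosts   = @(Get-HostAddresses -Cidr $Subnet)
$message = New-UidMessage -Addresses $hosts -TagName $Tag -Verb $Action
$null    = Send-UidMessage -FirewallHost $Firewall -Key $ApiKey -Message $message
Write-Output ("{0}ed tag '{1}' on {2} addresses in {3}" -f $Action, $Tag, $hosts.Count, $Subnet)
Get-RegisteredIps -FirewallHost $Firewall -Key $ApiKey | Format-List
```

Usage: run it once with `-Action register` from the ticket-triggered job and with `-Action unregister` to restore access. The deny rule and the dynamic address group matching on "blockme" still need one commit to exist; after that, registrations and unregistrations take effect without a commit, which is the property the original script was missing. If you ever need a block larger than a /24, split the address list across several messages rather than assuming one message of any size is accepted.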