In one of our firewalls we have zone A, which has network x.x.x.x/24, and zone B, which has network y.y.y.y/24. There is a rule allowing traffic between them. Some high-ranking people at my company need to be able to block this traffic automatically at any time. I wrote a PowerShell script which is triggered by the incident management system when an authorized person submits a ticket. The PS script uses the API to disable the rule that allows the traffic and then does a commit. It works, but ideally I'd like to use something that does not require a commit.

I read about dynamic IP address and tag registration via the XML API, and I want to use this method to populate a dynamic address group and use that group in a deny rule above the allow rule. The match criteria for the address group will be the dynamic tag "blockme"; the API will add the tag "blockme" to x.x.x.x/24, that address will get added to the dynamic address group, and access will be blocked.

I got it to work, but it appears that I can only register one IP address per command (versus x.x.x.x/24). The command I am using in the PS script is:

$AddTag=Invoke-RestMethod -uri "https://<firewall>/api/?type=user-id&command=<uid-message><type>update</type><payload><register><entry ip=`"x.x.x.x`"><tag><member>blockme</member></tag></entry></register></payload></uid-message>&key=$key"

Is this possible to do? My attempts have failed and I can't find an example where it's done. If not, then has anyone else had a need to do something similar and found a better way than what I'm doing? I looked at auto-tagging, but it doesn't seem to be a good fit for this situation. The firewall is running 8.1. Thank you for reading.
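The following is an added example, not code from the original post: it takes the single-entry uid-message shown above and turns it into one User-ID API call that registers (or unregisters) the "blockme" tag on every host in a CIDR block, by placing one <entry> element per address inside a single <register> or <unregister> payload. That batching is what the uid-message format allows and is the general case of the one-address command in the post; it works for any prefix length, not just a /24. The firewall hostname, the API key read from an environment variable, the 10.1.2.0/24 sample subnet, the tag name, the use of the `cmd` parameter name for the payload, and the admin role's permission to use the User-ID API are all assumptions.

```powershell
<#
Added example, not code from the original post. Registers (or unregisters) a
User-ID tag on every address in a CIDR block with ONE XML API call by batching
one <entry> per host inside a single <register>/<unregister> payload.
Assumptions: firewall hostname, API key (from an environment variable), the
10.1.2.0/24 sample subnet, the tag name, and that the API key's admin role may
use the User-ID API.
#>
param(
    [string]$Firewall = "fw.example.internal",   # assumption
    [string]$ApiKey   = $env:PANOS_API_KEY,       # assumption: key kept out of the script
    [string]$Cidr     = "10.1.2.0/24",            # assumption: zone A network
    [string]$Tag      = "blockme",
    [ValidateSet("register", "unregister")]
    [string]$Action   = "register"
)

# Expand a CIDR block into every address it contains. Network and broadcast
# addresses are included; for a deny rule there is no reason to leave them out.
function Get-CidrAddresses {
    param([Parameter(Mandatory)][string]$Cidr)
    $parts = $Cidr -split '/'
    if ($parts.Count -ne 2) { throw "Expected a.b.c.d/nn, got '$Cidr'" }
    $prefix = [int]$parts[1]
    if ($prefix -lt 0 -or $prefix -gt 32) { throw "Bad prefix length: $prefix" }

    # IPAddress bytes are network order (big-endian); BitConverter uses host order.
    $bytes = [System.Net.IPAddress]::Parse($parts[0]).GetAddressBytes()
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($bytes) }
    $base    = [int64][BitConverter]::ToUInt32($bytes, 0)
    $size    = [int64][math]::Pow(2, 32 - $prefix)
    $network = $base - ($base % $size)            # clear the host bits

    for ($i = 0L; $i -lt $size; $i++) {
        $n = $network + $i
        '{0}.{1}.{2}.{3}' -f (($n -shr 24) -band 0xFF), (($n -shr 16) -band 0xFF),
                             (($n -shr 8) -band 0xFF), ($n -band 0xFF)
    }
}

# Build one uid-message with an <entry> per address. <register> and
# <unregister> take the same entry list, so one builder serves both.
function New-UidMessage {
    param(
        [Parameter(Mandatory)][string[]]$Addresses,
        [Parameter(Mandatory)][string]$Tag,
        [ValidateSet("register", "unregister")][string]$Action = "register"
    )
    $safeTag = [System.Security.SecurityElement]::Escape($Tag)
    $sb = [System.Text.StringBuilder]::new()
    [void]$sb.Append("<uid-message><type>update</type><payload><$Action>")
    foreach ($ip in $Addresses) {
        [void]$sb.Append("<entry ip=`"$ip`"><tag><member>$safeTag</member></tag></entry>")
    }
    [void]$sb.Append("</$Action></payload></uid-message>")
    return $sb.ToString()
}

# POST the message as a form body instead of pasting the XML into the query
# string: nothing needs URL-escaping and there is no URL length limit to hit
# once the payload holds hundreds of entries.
function Send-UidMessage {
    param(
        [Parameter(Mandatory)][string]$Firewall,
        [Parameter(Mandatory)][string]$ApiKey,
        [Parameter(Mandatory)][string]$Xml
    )
    # Assumption: 'cmd' is the parameter name used for the uid-message payload;
    # the original post passes it as 'command'.
    $body = @{ type = "user-id"; key = $ApiKey; cmd = $Xml }
    # If the management interface still carries a self-signed certificate, install
    # a trusted one rather than reaching for -SkipCertificateCheck.
    $resp = Invoke-RestMethod -Method Post -Uri "https://$Firewall/api/" -Body $body
    if ($resp.response.status -ne "success") {
        throw "User-ID API call failed: $($resp.response.OuterXml)"
    }
    return $resp
}

if (-not $ApiKey) { throw "Set PANOS_API_KEY (or pass -ApiKey) before running." }

$addresses = @(Get-CidrAddresses -Cidr $Cidr)
$xml       = New-UidMessage -Addresses $addresses -Tag $Tag -Action $Action
$null      = Send-UidMessage -Firewall $Firewall -ApiKey $ApiKey -Xml $xml
Write-Host "$Action of tag '$Tag' on $($addresses.Count) addresses in $Cidr succeeded"
```

Run it as `.\Set-BlockTag.ps1 -Cidr 10.1.2.0/24` from the ticket trigger and with `-Action unregister` to lift the block; neither direction needs a commit, but the deny rule that references the dynamic address group must already be committed before the tags do anything. A /24 produces 256 entries in one request; a /16 would produce 65,536, so check the registered-IP capacity of your platform before pointing this at larger blocks. After a run, confirm membership on the firewall with `show object registered-ip` (filtered by the tag) rather than trusting the HTTP status alone.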