https://community.cisco.com/t5/network-access-control/ise-2-4-ers-api-can-t-seem-to-get-list-of-all-trustsec-sgacls/m-p/3843537#M473622 <P>I've started experimenting with the ERS API to automate some of our ISE deployment tasks.</P><P>We create several SGACLs, one per port (i.e. RDP_TCP_3389) and use those in the Trustsec matrix to allow specific ports between security groups (ie clients to web server etc).</P><P>I can create / POST new SGACLs to our ISE but they do not show up when I do a GET to show them all, there seems to be a limit on the number of SGACLs it will display? The do show up on ISE itself, however, and they are based on working SGACLs with different names and port numbers so it's not invalid or anything. This also happens when I create a new one via ISE and try to pull it via a GET.</P><P>I've tried editing the name of one that does appear in the list (for example adding _TEST to the end of the SGACL name) and it shows up with the edit when I do a GET right after.</P><P>It seems like there's a limit to how many it will show or it stops pulling them after the permit_all, because if I add a SGACL like HTTPS_443 via POST it shows up in a GET, but if I add one like RDP_TCP_3389 it does not show up.</P><P>Anyone else experience this? Any ideas?</P><P>We are on 2.4 Patch 5</P> Wed, 24 Apr 2019 14:40:08 GMT moffman77 2019-04-24T14:40:08Z https://community.cisco.com/t5/network-access-control/ise-2-4-ers-api-can-t-seem-to-get-list-of-all-trustsec-sgacls/m-p/3843537#M473622 <P>I've started experimenting with the ERS API to automate some of our ISE deployment tasks.</P><P>We create several SGACLs, one per port (i.e. RDP_TCP_3389) and use those in the Trustsec matrix to allow specific ports between security groups (ie clients to web server etc).</P><P>I can create / POST new SGACLs to our ISE but they do not show up when I do a GET to show them all, there seems to be a limit on the number of SGACLs it will display? The do show up on ISE itself, however, and they are based on working SGACLs with different names and port numbers so it's not invalid or anything. This also happens when I create a new one via ISE and try to pull it via a GET.</P><P>I've tried editing the name of one that does appear in the list (for example adding _TEST to the end of the SGACL name) and it shows up with the edit when I do a GET right after.</P><P>It seems like there's a limit to how many it will show or it stops pulling them after the permit_all, because if I add a SGACL like HTTPS_443 via POST it shows up in a GET, but if I add one like RDP_TCP_3389 it does not show up.</P><P>Anyone else experience this? Any ideas?</P><P>We are on 2.4 Patch 5</P> Wed, 24 Apr 2019 14:40:08 GMT https://community.cisco.com/t5/network-access-control/ise-2-4-ers-api-can-t-seem-to-get-list-of-all-trustsec-sgacls/m-p/3843537#M473622 moffman77 2019-04-24T14:40:08Z https://community.cisco.com/t5/network-access-control/ise-2-4-ers-api-can-t-seem-to-get-list-of-all-trustsec-sgacls/m-p/3843779#M473625 <P>In Get-All request, you won't get all the ACL in a single page, You have to navigate it to next page to see remaining ACLs.</P><P>Please try this URL&nbsp;<SPAN>https://&lt;ISE-Admin-IP&gt;:9060/ers/config/sgacl?page=2</SPAN></P><P>&nbsp;</P><P>-Aravind</P> Wed, 24 Apr 2019 07:01:59 GMT https://community.cisco.com/t5/network-access-control/ise-2-4-ers-api-can-t-seem-to-get-list-of-all-trustsec-sgacls/m-p/3843779#M473625 Aravind Ravichandran 2019-04-24T07:01:59Z https://community.cisco.com/t5/network-access-control/ise-2-4-ers-api-can-t-seem-to-get-list-of-all-trustsec-sgacls/m-p/3844209#M473628 <P>Thank you</P><P>That's interesting, I suspected something like this at first due to the "nextPage" key at the end but I couldn't figure out how to get to it - is that documented anywhere in the SDK page?</P><P>I would prefer being able to get them all in one request, though</P> Wed, 24 Apr 2019 14:45:51 GMT https://community.cisco.com/t5/network-access-control/ise-2-4-ers-api-can-t-seem-to-get-list-of-all-trustsec-sgacls/m-p/3844209#M473628 moffman77 2019-04-24T14:45:51Z https://community.cisco.com/t5/network-access-control/ise-2-4-ers-api-can-t-seem-to-get-list-of-all-trustsec-sgacls/m-p/3844458#M473630 <P>default is 20 per page, you can set it to a max of 100 with the size=100 parameter in the url, there is no way to get all in one request if you are above 100.</P> Wed, 24 Apr 2019 20:49:53 GMT https://community.cisco.com/t5/network-access-control/ise-2-4-ers-api-can-t-seem-to-get-list-of-all-trustsec-sgacls/m-p/3844458#M473630 jan.nielsen 2019-04-24T20:49:53Z https://community.cisco.com/t5/network-access-control/ise-2-4-ers-api-can-t-seem-to-get-list-of-all-trustsec-sgacls/m-p/3850894#M473632 <P>Got it, thank you - is that documented anywhere? I thought I read the whole API guide hosted on the device but I may have missed that.</P><P>Also, are you able to set the ID of the SGACL? I'm unable to, thought it works with network devices. Not sure if that's intended</P> Mon, 06 May 2019 15:42:22 GMT https://community.cisco.com/t5/network-access-control/ise-2-4-ers-api-can-t-seem-to-get-list-of-all-trustsec-sgacls/m-p/3850894#M473632 moffman77 2019-05-06T15:42:22Z