topic Re: Clarification on ZBFW Viptela API Endpoints in Network Platform API

Clarification on ZBFW Viptela API Endpoints

akshayaravi — Fri, 26 May 2023 21:27:36 GMT

Hello!

I am trying to write a script to create/update zone based firewall using Viptela API. Since the API documentation is incomplete, I would like to know a couple of details

1. For POST /template/policy/definition/zonebasedfw/preview,
I would like to know about the format of the required json data.

2. Regarding PUT /template/policy/definition/zonebasedfw/{policyID}

I understand that this API endpoint is used to both create and edit definitions for a given policyID.
Is it correct to understand that when creating a new definition, the json body does not include a sequence ID, and when editing an existing definition, the sequence ID is specified?

Thanks!

Re: Clarification on ZBFW Viptela API Endpoints

bigevilbeard — Mon, 15 May 2023 06:16:47 GMT

Thats typically how policy's work yes. I would also cross post this HERE

Re: Clarification on ZBFW Viptela API Endpoints

akshayaravi — Mon, 15 May 2023 08:10:41 GMT

Thanks for the confirmation.

I would appreciate if I could get an example json body that can be used with the POST /template/policy/definition/zonebasedfw/preview.

Re: Clarification on ZBFW Viptela API Endpoints

bigevilbeard — Mon, 15 May 2023 09:54:31 GMT

Never seen an example of this, i would test this via the UI and capture the payload via developer tools in Chrome to be sure what is being sent.

Hope this helps.

Re: Clarification on ZBFW Viptela API Endpoints

bigevilbeard — Tue, 16 May 2023 09:59:33 GMT

@akshayaravi i had a dig around some old code i had and found this, the template defines a zone-based firewall policy that allows all traffic between hosts in the same zone and denies all traffic to the untrusted zone.

Hope this helps.

{ "name": "Zone-Based Firewall Preview", "description": "This template defines a zone-based firewall policy.", "zones": [ { "name": "Trusted", "description": "This zone represents trusted traffic.", "subnets": [ "10.0.0.0/8" ] }, { "name": "Untrusted", "description": "This zone represents untrusted traffic.", "subnets": [ "0.0.0.0/0" ] } ], "rules": [ { "name": "Allow All Internal Traffic", "description": "This rule allows all traffic between hosts in the same zone.", "source_zone": "Trusted", "destination_zone": "Trusted", "action": "ALLOW" }, { "name": "Deny All Traffic to Untrusted Zone", "description": "This rule denies all traffic to the untrusted zone.", "source_zone": "*", "destination_zone": "Untrusted", "action": "DENY" } ] }

Re: Clarification on ZBFW Viptela API Endpoints

akshayaravi — Wed, 17 May 2023 02:12:36 GMT

Thank you for the reply! I guess I get an outline of what can be used as the body. I'll try out variations of this.

And sorry for lot of questions, but again I have a clarification around PUT /template/policy/definition/zonebasedfw/{policyID} endpoint.

In case I use this API endpoint to create a new definition for a given policyID and I want to insert this new definition in between the existing order of rules instead of adding it at the end. (I assume there is an order of evaluation)

For example, I want to add it in between the current seq 31 rule and seq 41 rule. (This would mean sequence id's of all rules below the new rule would change)

How would I go about implementing this via API ?

Re: Clarification on ZBFW Viptela API Endpoints

bigevilbeard — Wed, 17 May 2023 12:10:52 GMT

I am not a 100% sure on this, but think it would be as below. I would consider looking at the SDK https://developer.cisco.com/docs/sdwan/#!overview

{ "name": "My Policy", "description": "This policy allows all traffic between the in and out zones, and then denies all traffic between the in and dmz zones", "zones": [ { "name": "in", "type": "in" }, { "name": "out", "type": "out" }, { "name": "dmz", "type": "dmz" } ], "services": [], "action": "allow", "sequences": [ { "sequence": 32, "zones": [ { "name": "in", "type": "in" }, { "name": "out", "type": "out" } ], "services": [], "action": "allow" }, { "sequence": 33, "zones": [ { "name": "in", "type": "in" }, { "name": "dmz", "type": "dmz" } ], "services": [], "action": "deny" } ] }