Clarification on ZBFW Viptela API Endpoints

akshayaravi
Level 1

Hello!

I am trying to write a script to create/update a zone-based firewall using the Viptela API. Since the API documentation is incomplete, I would like to know a couple of details:

1. For POST /template/policy/definition/zonebasedfw/preview,
I would like to know about the format of the required json data.


2. Regarding PUT /template/policy/definition/zonebasedfw/{policyID}

I understand that this API endpoint is used to both create and edit definitions for a given policyID.
Is it correct to understand that when creating a new definition, the json body does not include a sequence ID, and when editing an existing definition, the sequence ID is specified?

Thanks!

6 Replies

That's typically how policies work, yes. I would also cross-post this HERE

Please mark this as helpful or solution accepted to help others
Connect with me https://bigevilbeard.github.io

Thanks for the confirmation. 

I would appreciate if I could get an example json body that can be used with the POST /template/policy/definition/zonebasedfw/preview. 

I've never seen an example of this; I would test this via the UI and capture the payload via the developer tools in Chrome to be sure what is being sent.

Hope this helps.

Please mark this as helpful or solution accepted to help others
Connect with me https://bigevilbeard.github.io

@akshayaravi, I had a dig around some old code I had and found this. The template defines a zone-based firewall policy that allows all traffic between hosts in the same zone and denies all traffic to the untrusted zone.

Hope this helps.

{
  "name": "Zone-Based Firewall Preview",
  "description": "This template defines a zone-based firewall policy.",
  "zones": [
    {
      "name": "Trusted",
      "description": "This zone represents trusted traffic.",
      "subnets": [
        "10.0.0.0/8"
      ]
    },
    {
      "name": "Untrusted",
      "description": "This zone represents untrusted traffic.",
      "subnets": [
        "0.0.0.0/0"
      ]
    }
  ],
  "rules": [
    {
      "name": "Allow All Internal Traffic",
      "description": "This rule allows all traffic between hosts in the same zone.",
      "source_zone": "Trusted",
      "destination_zone": "Trusted",
      "action": "ALLOW"
    },
    {
      "name": "Deny All Traffic to Untrusted Zone",
      "description": "This rule denies all traffic to the untrusted zone.",
      "source_zone": "*",
      "destination_zone": "Untrusted",
      "action": "DENY"
    }
  ]
}


Please mark this as helpful or solution accepted to help others
Connect with me https://bigevilbeard.github.io

Thank you for the reply! I guess I get an outline of what can be used as the body. I'll try out variations of this.

And sorry for all the questions, but again I have a clarification around the PUT /template/policy/definition/zonebasedfw/{policyID} endpoint.

Suppose I use this API endpoint to create a new definition for a given policyID and I want to insert this new definition in between the existing rules instead of adding it at the end (I assume there is an order of evaluation).

For example, I want to add it in between the current seq 31 rule and the seq 41 rule. (This would mean the sequence IDs of all rules below the new rule would change.)

How would I go about implementing this via the API?

I am not 100% sure on this, but I think it would be as below. I would consider looking at the SDK https://developer.cisco.com/docs/sdwan/#!overview

{
  "name": "My Policy",
  "description": "This policy allows all traffic between the in and out zones, and then denies all traffic between the in and dmz zones",
  "zones": [
    {
      "name": "in",
      "type": "in"
    },
    {
      "name": "out",
      "type": "out"
    },
    {
      "name": "dmz",
      "type": "dmz"
    }
  ],
  "services": [],
  "action": "allow",
  "sequences": [
    {
      "sequence": 32,
      "zones": [
        {
          "name": "in",
          "type": "in"
        },
        {
          "name": "out",
          "type": "out"
        }
      ],
      "services": [],
      "action": "allow"
    },
    {
      "sequence": 33,
      "zones": [
        {
          "name": "in",
          "type": "in"
        },
        {
          "name": "dmz",
          "type": "dmz"
        }
      ],
      "services": [],
      "action": "deny"
    }
  ]
}


Please mark this as helpful or solution accepted to help others
Connect with me https://bigevilbeard.github.io
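The insert-between-seq-31-and-seq-41 case asked about above, worked through as an added Python example (not code from this thread or from the Cisco SDK): it builds the renumbered PUT body and an old-to-new sequence map so the change can be reviewed before it is pushed. The "sequences"/"sequence" field names follow the reply's JSON and are an assumption about the real body; the sample definition, the `base_url` and the policy ID are constructed.

```python
import copy
import json

# Constructed sample of an existing zone-based firewall definition, shaped like
# the "sequences" / "sequence" body in the reply above. Those field names are an
# assumption about the real PUT body; capture one from the vManage UI to confirm.
EXISTING_DEFINITION = {
    "name": "My Policy",
    "description": "constructed example, not a real vManage export",
    "sequences": [
        {"sequence": 1,  "action": "allow", "zones": [{"name": "in"},  {"name": "out"}]},
        {"sequence": 11, "action": "allow", "zones": [{"name": "in"},  {"name": "dmz"}]},
        {"sequence": 21, "action": "deny",  "zones": [{"name": "dmz"}, {"name": "in"}]},
        {"sequence": 31, "action": "deny",  "zones": [{"name": "out"}, {"name": "dmz"}]},
        {"sequence": 41, "action": "deny",  "zones": [{"name": "out"}, {"name": "in"}]},
    ],
}


def insert_sequence(definition, new_rule, after_seq, step=10):
    """Build the full PUT body with new_rule placed right after the rule whose
    "sequence" equals after_seq, renumbering every rule from the first rule's
    number in steps of `step`. Returns (body, mapping); mapping records
    old -> new sequence numbers for the rules that already existed."""
    rules = copy.deepcopy(definition["sequences"])
    old_numbers = [r["sequence"] for r in rules]
    if old_numbers != sorted(old_numbers):
        raise ValueError("existing rules are not in ascending sequence order")
    if after_seq not in old_numbers:
        raise ValueError(f"no rule with sequence {after_seq}")
    position = old_numbers.index(after_seq) + 1   # slot directly after after_seq
    rules.insert(position, copy.deepcopy(new_rule))
    start = old_numbers[0]
    mapping = {}
    for index, rule in enumerate(rules):
        new_number = start + step * index
        if index != position:                      # every rule except the new one
            old_index = index if index < position else index - 1
            mapping[old_numbers[old_index]] = new_number
        rule["sequence"] = new_number
    body = copy.deepcopy(definition)               # the input is left untouched
    body["sequences"] = rules
    return body, mapping


def put_request(base_url, policy_id, body):
    """Return (method, url, json_text) for the update call on the endpoint named
    in the thread; base_url (an assumption) carries any API prefix the deployment
    uses, and the send is left to the caller's authenticated HTTP session."""
    url = f"{base_url}/template/policy/definition/zonebasedfw/{policy_id}"
    return "PUT", url, json.dumps(body)
```

Diff the returned mapping against the live definition before sending: any existing rule whose number moved is a rule whose position in the evaluation order must be re-checked, not just its number.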