API or SSH for greatest longevity and compatibility for Gen6/7
Greetings,
I would like to manage my firewalls programmatically. I have a mix of Gen 6 and Gen 7 devices in the TZ / NSA line. What method would you recommend I use, the API or sending commands via SSH?
- I want to write one set of instructions for any Sonicwall Firewall Gen 6 or Gen 7.
- I want to make sure the code I write is supported for a long time.
- If there is no difference with the above requirements, is one method faster than the other? Is one method less error prone?
Best Answer
Jaime SonicWall Employee
Hi @Overflow2021,
There are some differences between Gen6 and Gen7 in both the API and the CLI, so writing a single set of instructions for all firewalls may not be 100% possible without some additional logic to account for those situations. Some CLI commands are different between Gen6/Gen7, and many API endpoints available in Gen7 do not exist in Gen6.
You might be interested in this: https://github.com/jaimeesc/snwl-serial-commands even if it isn't for your specific use case.
0
Answers
Good day @Overflow2021
My recommendation is to use the SonicOS API. Documentation is available on SonicWall.com -> Support -> Technical Documentation.
Based on your requirements, I would suggest checking whether the APIs you intend to use are available on Gen6.
@MustafaA Can you tell me why I would use the API over CLI?
Does the API provide management commands that are not found in CLI management? I was expecting you to say CLI because the same commands work on 6/7.
Thanks for your feedback! I appreciate you.
@Overflow2021
> Does the API provide management commands that are not found in CLI management? I was expecting you to say CLI because the same commands work on 6/7.
The SonicWall CLI options are very comprehensive and from the functional perspective you can fully manage the firewall via the CLI commands as you can do via the API calls.
> Can you tell me why I would use the API over CLI?
REST APIs are the de facto standard and there are many libraries available for all popular programming languages. You don't have to do the low-level data parsing etc., and you can easily convert the data into JSON objects, which gives you the ease of manipulating the data. My personal view is that the API data is more structured and easier to process.
You can do that with APIs for sure. If you write your code in a scalable way, it is just a repetition of the same calls to different firewalls in a loop. Let me give you an example. The following is a recent small utility that I wrote to ADD, DELETE, UPDATE Address Objects and Service Objects. If I want to deploy the same context to 100 firewalls, all I need is an array of firewall parameters and to change the main method to have a for loop, and that's all.
In the end, it comes down to what you want to accomplish and which path you feel more comfortable with, one that requires little or no learning curve.
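The loop over an array of firewalls described above, combined with the extra logic the best answer calls for when an endpoint is missing on one generation, as an added example (not the utility mentioned in the reply and not SonicWall code). The two API paths and the JSON body shape are assumptions to confirm against the SonicOS API reference for your firmware; the inventory, the injected `send` transport and its responses are constructed so the block runs offline.

```python
from dataclasses import dataclass
from typing import Callable

# Assumed SonicOS API paths; confirm each against the API reference for your firmware.
ADDRESS_PATH = "/api/sonicos/address-objects/ipv4"
COMMIT_PATH = "/api/sonicos/config/pending"

@dataclass(frozen=True)
class Firewall:
    host: str
    generation: int  # 6 or 7, taken from your own inventory

# send(fw, method, path, body) -> HTTP status code. In production this wraps an
# HTTPS client with certificate verification on and credentials from a vault.
Send = Callable[[Firewall, str, str, dict], int]

def push_address_object(fw: Firewall, name: str, ip: str, zone: str, send: Send) -> str:
    """Create one host object and commit it; returns a status string, never raises."""
    # Assumed body shape for an IPv4 host address object.
    body = {"address_objects": [{"ipv4": {"name": name, "zone": zone, "host": {"ip": ip}}}]}
    try:
        status = send(fw, "POST", ADDRESS_PATH, body)
        if status == 404:
            return "unsupported"      # endpoint missing on this generation/firmware
        if status != 200:
            return f"failed:{status}"
        commit = send(fw, "POST", COMMIT_PATH, {})
        return "ok" if commit == 200 else f"commit-failed:{commit}"
    except OSError as exc:            # timeout, TLS failure, connection refused
        return f"unreachable:{exc}"

def deploy(fleet, name, ip, zone, send):
    """Same call against every firewall; one bad device does not stop the loop."""
    return {fw.host: push_address_object(fw, name, ip, zone, send) for fw in fleet}

# Constructed inventory and fake transport (not a statement about real firmware).
FLEET = [Firewall("fw-gen7.example", 7), Firewall("fw-gen6.example", 6),
         Firewall("fw-down.example", 7)]

def fake_send(fw, method, path, body):
    if fw.host == "fw-down.example":
        raise ConnectionRefusedError("connection refused")
    if fw.generation == 6 and path == ADDRESS_PATH:
        return 404   # constructed: simulate an endpoint this device does not expose
    return 200

if __name__ == "__main__":
    for host, result in deploy(FLEET, "mgmt-host", "192.0.2.10", "LAN", fake_send).items():
        print(host, result)
```

Recording a per-device result instead of raising leaves an audit trail of which firewalls actually received the change, which matters when a partial rollout would leave policy inconsistent across the fleet.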