SonicOS API on creating access rule. I am getting an E_NO_MATCH error.
I am trying to create a deny access rule from WAN to LAN. I have already created an object called 'test-rojin' with the appropriate IP. When I try to create the access rule through this JSON body:
{
  "access_rules": [
    {
      "ipv4": {
        "from": "WAN",
        "to": "LAN",
        "action": "deny",
        "source": {
          "address": {
            "name": "test-rojin"
          },
          "port": {
            "any": true
          }
        },
        "service": {
          "any": true
        },
        "destination": {
          "address": {
            "any": true
          }
        },
        "schedule": {
          "always_on": true
        },
        "users": {
          "included": {
            "all": true
          },
          "excluded": {
            "none": true
          }
        },
        "name": "test-rule-rojin",
        "comment": "just-testing",
        "enable": true,
        "reflexive": true,
        "max_connections": 100,
        "logging": true,
        "management": true,
        "packet_monitoring": true,
        "priority": {
          "auto": true
        },
        "tcp": {
          "timeout": 30
        },
        "udp": {
          "timeout": 30
        },
        "fragments": true,
        "botnet_filter": true,
        "connection_limit": {
          "destination": {
            "threshold": {
              "value": 100
            }
          },
          "source": {
            "threshold": {
              "value": 100
            }
          }
        },
        "flow_reporting": true,
        "geo_ip_filter": {
          "enable": true
        },
        "single_sign_on": true,
        "cos_override": true,
        "quality_of_service": {
          "class_of_service": {
            "explicit": "excellent-effort"
          },
          "dscp": {
            "explicit": {
              "value": 46
            }
          }
        }
      }
    }
  ]
}
I am getting the following error:
{
  "status": {
    "success": false,
    "cli": {
      "mode": "config_mode",
      "depth": 1,
      "command": "access-rule ipv4 from WAN to LAN action deny source address group test-rojin port any service any destination address any schedule always-on",
      "configuring": true,
      "pending_config": false,
      "restart_required": "FALSE"
    },
    "info": [
      {
        "level": "error",
        "code": "E_NO_MATCH",
        "message": "Command 'access-rule ipv4 from WAN to LAN action deny source address group test-rojin port any service any destination address any schedule always-on' does not match"
      }
    ]
  }
}
I don't understand what I am doing wrong. Could anyone give some insight? Thank you!
Answers
@gyalpo, which HTTP method did you use (i.e. POST, PUT, PATCH)? Also, which endpoint did you use?
@MustafaA I used POST on the endpoint /api/sonicos/access-rules/ipv4
Forgot to ask - What firewall model and firmware are you using?
@MustafaA I am using SonicWall NSv Version: 7.0.1.
I think you don't have the Address Object "test-rojin" created on your firewall. That needs to exist, since you are using the name as reference in your API call.
Also, remove the following from your JSON schema.
"single_sign_on": true,
"cos_override": true,
@MustafaA I do have the address object; I get this object when I fetch all the objects through GET:
{
  "ipv4": {
    "name": "test-rojin",
    "uuid": "00000000-0000-001d-0100-00401038b8c6",
    "zone": "WAN",
    "host": {
      "ip": "1.1.1.1"
    }
  }
}
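A small client-side pre-flight for the request in this thread, as an added example (it is not code from the thread or from SonicWall). It builds the minimal deny-rule body used above, strips the two keys the working body omits, checks that every address object the rule references actually exists in a GET listing before anything is posted, and decodes the `status.info` envelope so an `E_NO_MATCH` is reported by code rather than by eyeballing JSON. The endpoint `/api/sonicos/access-rules/ipv4` and the response shapes come from the thread; the base URL, the HTTP Basic credentials, the `address_objects` list key and the address-object listing path are placeholder assumptions and are marked as such in the code.

```python
"""Pre-flight checks for a SonicOS IPv4 access-rule POST (added example, not from the thread)."""
import base64
import copy
import json
import urllib.error
import urllib.request

# Keys present in the thread's failing body but absent from the body that returned success.
UNSUPPORTED_RULE_KEYS = ("single_sign_on", "cos_override")

# Constructed sample inputs, shaped like the thread's GET listing and error response.
SAMPLE_ADDRESS_OBJECTS = {  # "address_objects" as the list key is an assumption
    "address_objects": [
        {"ipv4": {"name": "test-rojin", "uuid": "PLACEHOLDER-UUID",
                  "zone": "WAN", "host": {"ip": "1.1.1.1"}}},
    ]
}
SAMPLE_ERROR_RESPONSE = {
    "status": {
        "success": False,
        "cli": {"mode": "config_mode", "depth": 1, "configuring": True},
        "info": [{"level": "error", "code": "E_NO_MATCH",
                  "message": "Command 'access-rule ipv4 from WAN to LAN ...' does not match"}],
    }
}


def build_deny_rule(name, src_address_name, from_zone="WAN", to_zone="LAN", comment=""):
    """Minimal deny rule in the shape the thread posts: named source object, any dest."""
    return {"access_rules": [{"ipv4": {
        "from": from_zone, "to": to_zone, "action": "deny",
        "source": {"address": {"name": src_address_name}, "port": {"any": True}},
        "service": {"any": True},
        "destination": {"address": {"any": True}},
        "schedule": {"always_on": True},
        "users": {"included": {"all": True}, "excluded": {"none": True}},
        "name": name, "comment": comment, "enable": True,
    }}]}


def strip_unsupported_keys(body, keys=UNSUPPORTED_RULE_KEYS):
    """Return a copy of body with the listed keys removed from every ipv4 rule."""
    cleaned = copy.deepcopy(body)
    for rule in cleaned.get("access_rules", []):
        for key in keys:
            rule.get("ipv4", {}).pop(key, None)
    return cleaned


def referenced_address_objects(body):
    """Set of address-object names the rules refer to on the source or destination side."""
    names = set()
    for rule in body.get("access_rules", []):
        ipv4 = rule.get("ipv4", {})
        for side in ("source", "destination"):
            name = ipv4.get(side, {}).get("address", {}).get("name")
            if name:
                names.add(name)
    return names


def missing_address_objects(body, listing):
    """Referenced names that do not appear in the address-object GET listing (sorted)."""
    existing = {obj.get("ipv4", {}).get("name") for obj in listing.get("address_objects", [])}
    return sorted(referenced_address_objects(body) - existing)


def decode_status(response):
    """Flatten the SonicOS status envelope into (success, [(code, message), ...])."""
    status = response.get("status", {})
    errors = [(item.get("code"), item.get("message"))
              for item in status.get("info", []) if item.get("level") == "error"]
    return bool(status.get("success")), errors


def post_access_rule(base_url, username, password, body, timeout=10):
    """POST the body to the endpoint named in the thread. base_url and the HTTP Basic
    credentials are placeholders; the firewall's own session/auth flow may differ."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/sonicos/access-rules/ipv4",
        data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json", "Authorization": "Basic " + token})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as err:  # SonicOS returns the status envelope on errors too
        return json.loads(err.read())


if __name__ == "__main__":
    rule = build_deny_rule("test-rule-rojin", "test-rojin", comment="just-testing")
    rule = strip_unsupported_keys(rule)
    print("missing objects:", missing_address_objects(rule, SAMPLE_ADDRESS_OBJECTS))
    print("decoded sample error:", decode_status(SAMPLE_ERROR_RESPONSE))
```

Run the object check first: a dangling name is the one failure a client can rule out locally, and the error envelope's `cli.command` field shows the CLI the firewall generated, which is the thing to compare against a working rule when `E_NO_MATCH` comes back.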
@MustafaA I removed what you said from the schema and it still does not work.
Let me test it again, and share the results.
@MustafaA sure, please let me know.
@gyalpo, I've tested the following JSON schema and it works, returning success. I am sharing the screen capture and the JSON content. As a side note, I tested this on a Gen7 physical appliance, and it should not make any difference on an NSv.
JSON Content:
{
  "access_rules": [
    {
      "ipv4": {
        "from": "WAN",
        "to": "LAN",
        "action": "deny",
        "source": {
          "address": {
            "name": "test-rojin"
          },
          "port": {
            "any": true
          }
        },
        "service": {
          "any": true
        },
        "destination": {
          "address": {
            "any": true
          }
        },
        "schedule": {
          "always_on": true
        },
        "users": {
          "included": {
            "all": true
          },
          "excluded": {
            "none": true
          }
        },
        "name": "test-rule-rojin",
        "comment": "just-testing",
        "enable": true,
        "reflexive": true,
        "max_connections": 100,
        "logging": true,
        "management": true,
        "packet_monitoring": true,
        "priority": {
          "auto": true
        },
        "tcp": {
          "timeout": 30
        },
        "udp": {
          "timeout": 30
        },
        "fragments": true,
        "botnet_filter": true,
        "connection_limit": {
          "destination": {
            "threshold": {
              "value": 100
            }
          },
          "source": {
            "threshold": {
              "value": 100
            }
          }
        },
        "flow_reporting": true,
        "geo_ip_filter": {
          "enable": true
        },
        "quality_of_service": {
          "class_of_service": {
            "explicit": "excellent-effort"
          },
          "dscp": {
            "explicit": {
              "value": 46
            }
          }
        }
      }
    }
  ]
}
I would like to confirm that the same API endpoint with the attached JSON content works on an NSv firewall, as expected.
@MustafaA Thank you very much for your research and effort, but I am still facing the same issue, even with your JSON body. At this point I am gonna have to conclude that this has got to do something with the way the firewall is configured. It's not my firewall and I will consult with the admin properly to find out what's wrong. Again, thanks for your insight.
@gyalpo, can you please consult with your firewall admin on whether the NSv is deployed in Classic Mode or Unified Policy Mode? The Access Rules are different for those two modes. The tests I performed were on an NSv in Classic Mode.
@MustafaA Sorry for the late reply, I was on sick leave. Yes, it turns out that it is deployed in Unified Policy Mode. How are things different for Unified Policy Mode?
When the firewall is used in Unified Policy Mode, there is no Access Rule anymore; there is Security Policy.