Menu

Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

Sign In Register

Auth API and Non-Config Mode in Gen7/NSv 270

hbonathhbonath Newbie ✭
in Developer Hub

Hello, I am working on some Python code to help with several migrations from NSa Appliances to NSv 270.

I have noticed that when connecting to the NSv, I will often get placed in "Non Config Mode" regardless of method of login (Digest vs. Basic) and the only way to resolve it, is to log in to the MGMT UI first, then connect from the same machine to the API using the script.

Non-Config example output:

{
  "status": {
    "success": true,
    "info": [
      {
        "level": "info",
        "code": "E_OK",
        "auth_code": "API_AUTH_CAN_PREEMPT",
        "config_mode": "No",
        "read_only": "No",
        "privilege": "FULL_ADMIN",
        "curr_config_type": "NONE",
        "curr_config_ip": "0.0.0.0",
        "model": "NSv 270",
        "is_fw_managed_by_gms_actively": false,
        "auto_ffw_upgrading": false,
        "auto_upgrade_vers": "",
        "inactivity_timer": 15,
        "message": "User login in non-configuration mode."
      }
    ]
  }
}

Config mode example output:

{
  "status": {
    "success": true,
    "info": [
      {
        "level": "info",
        "code": "E_OK",
        "auth_code": "API_AUTH_SUCCESS",
        "config_mode": "Yes",
        "read_only": "No",
        "privilege": "FULL_ADMIN",
        "model": "NSv 270",
        "is_fw_managed_by_gms_actively": false,
        "auto_ffw_upgrading": false,
        "auto_upgrade_vers": "",
        "inactivity_timer": 15,
        "message": "Success."
      }
    ]
  }
}

Is there a way to automatically preempt and switch to config mode once I get connected?

For the record I am using Python3 with my own API client to connect: https://github.com/hbonath/sonicapi

I do not have this issue with Gen6 devices.

Category: Developer Hub
Reply

Best Answer

  • CORRECT ANSWER
    JaimeJaime SonicWall Employee
    Answer ✓

    Hi @hbonath,

    There are a couple of options.

    1. You can send {"override": True} in your POST to /auth. This will log you in with config mode.
    2. You can extract the message to identify if you were logged in with config mode or non-config mode and send a POST to /config-mode to switch to config mode.

    HTH.

    Jaime

Answers

  • hbonathhbonath Newbie ✭

    Thank you @Jaime for the quick and extremely helpful response!

    Right as you posted this I found the reference to `/config-mode` in the API Spec file: https://sonicos-api.sonicwall.com/sonicos_files/default/sonicos_openapi.yml and I have added that method to my API client.

    I probably should update my auth method to allow the override to be set as well, seeing as how this appears to be brand new and didn't appear to be an issue in Gen6.

  • JaimeJaime SonicWall Employee

    Just FYI, the override is also available on Gen6 and doesn't hurt to include it. I usually make it a point to add the override in my scripts.

  • yuri_carusoyuri_caruso Newbie ✭

    Hi @Jaime , thank you very much, I wasted a lot of time finding this setting, I didn't find it in the documentation.

  • NatNat Newbie
    https://www.sonicwall.com/support/knowledge-base/how-to-migrate-fqdn-address-objects-from-a-gen-6-to-gen-7-device-using-sonicos-api/200812073105770/


    image.png

    Its not included in the API doc but the above KB mentioned, you may also take a look.

  • JaimeJaime SonicWall Employee

    The 6.5.4 API Reference Guide includes references to override, but admittedly it wouldn't be something one could find by searching the document for a keyword such as preempt. With that said, it is sort of hidden in plain sight :). It should be more prominently highlighted in the documents. Thank you for the feedback.

    https://www.sonicwall.com/techdocs/pdf/sonicos-6-5-4-api-reference-guide.pdf

  • Martin66Martin66 Newbie ✭

    Are you all using the original "admin" user for API access? As long as I use this user, everything works for me. If I use an self created local user "apiadmin" who is member of the group "full admin" and does have access to the Interface (If I manually log in, it works). In Postman I get after the login (override=true is set):

    https://IP:PORT/api/sonicos/auth?override=true



    "status": {

        "success": true,

        "info": [
            { "level": "info", "code": "E_OK", "auth_code": "API_AUTH_CAN_PREEMPT", "preempt_needed": "No", "config_mode": "No", "read_only": "No", "privilege": "FULL_ADMIN", "curr_config_type": "NONE", "curr_config_ip": "0.0.0.0", "model": "NSv 270", "is_fw_managed_by_gms_actively": false, "auto_ffw_upgrading": false, "auto_upgrade_vers": "", "inactivity_timer": 999, "user_protocol": "HTTPS", "mgmt_protocol": "HTTPS", "message": "Success." }
        ]
    With the full admin, I can download the TSR for example in the next step without problems. If I use the apiuser, it does not work. Even if I add another step to get in config mode, I get for that message

    https://IP:PORT/api/sonicos/config-mode?override=true (or without override…)

      "status": {        "success": false,        "info": [            {                "level": "error",                "code": "E_UNAUTHORIZED",                "message": "Unauthorized."

  • JaimeJaime SonicWall Employee
    Try sending a POST to /start-management

    Alternatively, you can edit the SonicWall Administrators group and enable the “go straight to management” option.
Sign In or Register to comment.