Let's Encrypt certificate upload/update and WAF change
Quote from mpca on 27 December 2021, 11:34:
command to upload certificate to XG and change certificate in WAF rule
curl -k -F "reqxml=<uploadcert.xml" -F file=@cert.cer "https://XG-FIREWALL-IP:4444/webconsole/APIController?"
or
curl -k -F "reqxml=<updatecert.xml" -F file=@cert.cer "https://XG-FIREWALL-IP:4444/webconsole/APIController?"
download certificate (private key without password)
curl --insecure -ko test.tar "https://XG-FIREWALL-IP:4444/webconsole/APIController?" -F "reqxml=<downlcert.xml"
curl -k -F "reqxml=<changeWAF_new.xml" "https://XG-FIREWALL-IP:4444/webconsole/APIController?"
curl -k -F "reqxml=<delcert.xml" "https://XG-FIREWALL-IP:4444/webconsole/APIController?"
uploadcert.xml
<Request>
<Login><Username>API-Useraccountname</Username>
<Password passwordform="encrypt">encryptedAPIKey</Password>
</Login><Set operation="add">
<Certificate>
<Action>UploadCertificate</Action>
<Name>LE_cert_new</Name>
<CertificateFormat>cer</CertificateFormat>
<CertificateFile>cert.cer</CertificateFile>
</Certificate>
</Set>
</Request>
###
downlcert.xml
<Request>
<Login><Username>API-Useraccountname</Username>
<Password passwordform="encrypt">encryptedAPIKey</Password>
</Login><Get><Certificate/></Get>
</Request>
###
updatecert.xml
<Request>
<Login><Username>API-Useraccountname</Username>
<Password passwordform="encrypt">encryptedAPIKey</Password>
</Login><Set operation="update">
<Certificate>
<Action>UploadCertificate</Action>
<Name>LE_cert_new</Name>
<CertificateFormat>cer</CertificateFormat>
<CertificateFile>cert.cer</CertificateFile>
</Certificate>
</Set>
</Request>
###
delcert.xml
<Request>
<Login><Username>API-Username</Username>
<Password passwordform="encrypt">encryptedAPIKey</Password>
</Login>
<Remove>
<Certificate>
<Name>LE_cert_new</Name>
</Certificate>
</Remove>
</Request>
###
changeWAF_new.xml
<Request>
<Login><Username>API-Useraccountname</Username>
<Password passwordform="encrypt">encryptedAPIKey</Password>
</Login>
<Set operation="update">
<FirewallRule transactionid="">
<Name>WAF_Rulename</Name>
<Description/>
<IPFamily>IPv4</IPFamily>
<Status>Enable</Status>
<Position>Top</Position>
<PolicyType>HTTPBased</PolicyType>
<HTTPBasedPolicy>
<HostedAddress>#Port2</HostedAddress>
<HTTPS>Enable</HTTPS>
<ListenPort>443</ListenPort>
<Domains>
<Domain>Domainname</Domain>
</Domains>
<AccessPaths>
<AccessPath>
<allowed_networks>Any IPv4</allowed_networks>
<auth_profile>Form with passthrough</auth_profile>
<backend>DMZ-Hostname</backend>
<be_path/>
<hot_standby>0</hot_standby>
<path>/pathonwebserver</path>
<stickysession_status>0</stickysession_status>
<websocket_passthrough>0</websocket_passthrough>
</AccessPath>
</AccessPaths>
<Exceptions>
</Exceptions>
<ProtocolSecurity>DMZ-Hostname</ProtocolSecurity>
<CompressionSupport>Disable</CompressionSupport>
<RewriteHTML>0</RewriteHTML>
<PassHostHeader>Enable</PassHostHeader>
<RewriteCookies>Enable</RewriteCookies>
<IntrusionPrevention>WAN TO LAN</IntrusionPrevention>
<TrafficShapingPolicy>None</TrafficShapingPolicy>
<Certificate>LE_certificatename_new</Certificate>
<RedirectHTTP>Disable</RedirectHTTP>
</HTTPBasedPolicy>
</FirewallRule>
<FirewallRuleGroup transactionid="">
<Name>RuleGroupname</Name>
<Description/>
<SecurityPolicyList>
<SecurityPolicy>FirstRulename</SecurityPolicy>
<SecurityPolicy>WAF_Rulename</SecurityPolicy>
</SecurityPolicyList>
<Policytype>Any</Policytype>
</FirewallRuleGroup>
</Set>
</Request>
######
Sophos XG API How-To:
https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/BackupAndFirmware/API/APIUsingAPI/index.html
How to use the API
You can use the API to make configuration changes manually to XML strings.
Introduction
To make configuration changes using the API, do as follows:
- Create an administrator profile with read-write permission for the modules you want to update.
- Attach the administrator profile to an administrator record.
- Allow the following activities:
  - API configuration.
  - API access from the IP address of the administrator's endpoint device.
  - Access to the administrative services of Sophos Firewall from the administrator's zone.
- Submit the XML string. In this example, we enter the string in the address bar of a browser.
Create an administrator profile for making configuration changes
You create an administrator profile with read-write permission for objects and network.
- Go to Profiles > Device access and create an administrator profile with specific rights.
- Click Save. The following image shows an example of how to configure the settings:
Create an administrator
You create a user and add the administrator profile.
When you add a user with the API administrator profile, you can limit the administrator's rights based on the profile. Alternatively, you can use an existing administrator account.
- Go to Authentication > Users and click Add.
- Set User type to Administrator.
- Select the API administrator profile you created.
- To allow access for a specific time, select the Access time.
- To allow access only from specific IP addresses, select an option for Login restriction for device access.
- Click Save. The following image shows an example of how to configure the settings:
Allow API access
You allow API access for the administrator you created.
You turn on API configuration and allow API access from the administrator's IP address. You also allow access to the administrative services of Sophos Firewall.
- Specify the API configuration settings:
  - Go to Backup and firmware > API.
  - Select API configuration.
  - For Allowed IP address, enter the IP address from which you'll make the API request and click the add button.
  - Click Apply.
  The following image shows an example of how to configure the settings:
- To allow access to administrative services from the zone containing the administrator's IP address, do as follows:
  - Go to Administration > Device access. Under Admin services, select the administrator's zone for HTTPS and SSH. If you want to allow access from the WAN zone, we recommend that you create an exception rule limiting the access for specific services.
  - Scroll down to Local service ACL exception rule. Click Add, and create an exception for the zone.
  - In this example, we specify the following settings:
    Setting              Description
    Source zone          LAN
    Source network/host  API administrator
    Destination host     Port2
    Services             HTTPS, SSH
    Action               Accept
  - Click Save. The following image shows an example of how to configure the settings:
https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/BackupAndFirmware/API/index.html#get-the-encrypted-password-for-api-requests
Get the encrypted password for API requests
You can make API requests using a plaintext password or an encrypted password.
To get your encrypted password, enter the following command in the Advanced shell:
aes-128-cbc-tool -k Th1s1Ss1mPlygR8API -t 1 -s <password>
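As an added example (not from mpca's post or from Sophos), a POSIX shell wrapper around the upload/update command above that reads the API credentials from the environment, keeps the request XML in a 0600 temp file, verifies the firewall's TLS certificate with --cacert instead of -k, and checks the reply's <Status code> before reporting success. XG_HOST, XG_USER, XG_PASS_ENC, XG_CA and the reply format are assumptions.

```shell
#!/bin/sh
# Assumed environment (placeholders, not from the post): XG_HOST, XG_USER,
# XG_PASS_ENC (output of aes-128-cbc-tool) and XG_CA (PEM file of the CA that
# issued the firewall's admin-port certificate).

# Build the request XML for one certificate operation.
#   $1 = add | update, $2 = certificate name on the XG, $3 = uploaded file name
build_cert_request() {
  cat <<EOF
<Request>
<Login><Username>${XG_USER}</Username>
<Password passwordform="encrypt">${XG_PASS_ENC}</Password></Login>
<Set operation="$1"><Certificate>
<Action>UploadCertificate</Action>
<Name>$2</Name>
<CertificateFormat>cer</CertificateFormat>
<CertificateFile>$3</CertificateFile>
</Certificate></Set>
</Request>
EOF
}

# Succeed only if the reply carries at least one <Status code="..."> and all
# of them are 200. Assumed reply shape (not shown in the post):
#   <Status code="200">Configuration applied successfully.</Status>
# A login failure carries no code at all and is therefore reported as failure.
check_response() {
  codes=$(printf '%s' "$1" | grep -o 'code="[0-9]*"' | tr -dc '0-9\n' || true)
  [ -n "$codes" ] || return 1
  for c in $codes; do
    [ "$c" = 200 ] || return 1
  done
  return 0
}

# Upload (add) or replace (update) a certificate. The request XML, which holds
# the API key, exists only in a 0600 temp file for the duration of the call.
#   $1 = add | update, $2 = certificate name, $3 = path to the .cer file
xg_upload_cert() {
  umask 077
  req=$(mktemp) || return 1
  build_cert_request "$1" "$2" "$(basename "$3")" > "$req"
  rc=0
  resp=$(curl -sS --cacert "$XG_CA" -F "reqxml=<$req" -F "file=@$3" \
              "https://${XG_HOST}:4444/webconsole/APIController?") || rc=$?
  rm -f "$req"
  [ "$rc" -eq 0 ] && check_response "$resp"
}
```

Call it as `xg_upload_cert update LE_cert_new /etc/letsencrypt/live/example/fullchain.cer` after renewal; the exit status tells the renew hook whether to go on and update the WAF rule.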