I need to create a softlayer network firewall rule through REST API

孤街浪徒 2020-12-22 06:31

I need to create a softlayer network firewall rule through REST API. I have referred to the Softlayer documents but I'm still unable to create a firewall rule.

Please A

2 answers
  • 2020-12-22 07:12

    Please try this REST request to add Firewall rules (SoftLayer_Network_Firewall_Update_Request::createObject):

    URL:

    https://[username]:[apikey]@api.softlayer.com/rest/v3/SoftLayer_Network_Firewall_Update_Request/createObject
    

    Method: POST

    {
      "parameters": [
        {
          "firewallContextAccessControlListId": 2854,
          "rules": [
            {
              "action": "permit",
              "destinationIpAddress": "any",
              "destinationIpCidr": 0,
              "destinationPortRangeEnd": 80,
              "destinationPortRangeStart": 80,
              "notes": "This is a test",
              "orderValue": 1,
              "protocol": "tcp",
              "sourceIpAddress": "0.0.0.0",
              "sourceIpCidr": 0,
              "version": 4
            },
            {
              "action": "permit",
              "destinationIpAddress": "50.97.51.242",
              "destinationIpCidr": 32,
              "destinationPortRangeEnd": 80,
              "destinationPortRangeStart": 80,
              "notes": "This is an API test 2",
              "orderValue": 2,
              "protocol": "tcp",
              "sourceIpAddress": "0.0.0.0",
              "sourceIpCidr": 0,
              "version": 4
            },
            {
              "action": "permit",
              "destinationIpAddress": "50.97.51.240",
              "destinationIpCidr": 32,
              "destinationPortRangeEnd": 80,
              "destinationPortRangeStart": 80,
              "notes": "This is an API test 3",
              "orderValue": 3,
              "protocol": "tcp",
              "sourceIpAddress": "0.0.0.0",
              "sourceIpCidr": 0,
              "version": 4
            },
            {
              "action": "permit",
              "destinationIpAddress": "any",
              "destinationIpCidr": 0,
              "destinationPortRangeEnd": 8080,
              "destinationPortRangeStart": 8080,
              "notes": "This is an API test 4",
              "orderValue": 4,
              "protocol": "tcp",
              "sourceIpAddress": "2001:db8:85a3:8d3:1319:8a2e:370:7339",
              "sourceIpCidr": 128,
              "version": 6
            }
          ]
        }
      ]
    }
    

    Where: The old rules have to be included in the above request body, together with the new rule. In my case, I'm adding this new rule:

    {
          "action": "permit",
          "destinationIpAddress": "50.97.51.240",
          "destinationIpCidr": 32,
          "destinationPortRangeEnd": 80,
          "destinationPortRangeStart": 80,
          "notes": "This is an API test 3",
          "orderValue": 3,
          "protocol": "tcp",
          "sourceIpAddress": "0.0.0.0",
          "sourceIpCidr": 0,
          "version": 4
        }
    

    To know the meaning of properties in rules section, please see: SoftLayer_Network_Firewall_Update_Request_Rule

    Update 1:

    Also, to get firewallContextAccessControlListId, please see:

    If you know the firewall_id, please execute:

    https://[username]:[apikey]@api.softlayer.com/rest/v3/SoftLayer_Network_Vlan_Firewall/[firewall_id]/getNetworkVlans?objectMask=mask[id,firewallRules,firewallInterfaces[id,firewallContextAccessControlLists]]
    
    Method: GET
    

    The response in my case is:

    {
      "id": 204016,
      "firewallInterfaces": [
        {
          "id": 5678,
          "firewallContextAccessControlLists": []
        },
        {
          "id": 5679,
          "firewallContextAccessControlLists": [
            {
              "direction": "in",
              "firewallContextInterfaceId": 5679,
              "id": 2854
            }
          ]
        }
    …
    

    Reference: SoftLayer_Network_Vlan_Firewall::getNetworkVlans

    Otherwise, if you don't know the firewall_id, you can list all Network_Vlan_Firewall adding some masks:

    https://[username]:[apikey]@api.softlayer.com/rest/v3.1/SoftLayer_Search/advancedSearch?objectMask=mask[resource(SoftLayer_Network_Vlan_Firewall)[id,primaryIpAddress,networkVlans[id,firewallInterfaces[firewallContextAccessControlLists]]]]
    

    Method: POST

    Json Payload:

    {
    "parameters": [
    "_objectType:SoftLayer_Network_Vlan_Firewall"
    ]
    }
    

    The response should be similar to the last request, but for all items.

    Note: In this case we are using v3.1 instead of v3 in the request because advancedSearch service works only for v3.1.

  • 2020-12-22 07:16

    Take a look at this code and let me know if you need more information.

    # Edit Vlan firewall rule.
    #
    # A firewall's ruleset is modified by passing a SoftLayer_Network_Firewall_Update_Request template
    # object to SoftLayer_Network_Firewall_Update_Request::createObject. The entire ruleset is rewritten
    # with each update request. This means it is necessary to include all past unchanged rules along with any
    # modifications or additions. This is easily accomplished by pulling in the existing rules as described above
    # then modifying the gathered array.
    # Each SoftLayer_Network_Component_Firewall_Update_Request_Rule object requires:
    #
    # action - permit or deny
    # destinationIpAddress - destination address
    # destinationIpSubnetMask - subnet mask for destination
    # sourceIpAddress - originating address
    # sourceIpSubnetMask - subnet mask for origin address
    # protocol - tcp/udp
    # destinationPortRangeStart - first port the rule will affect
    # destinationPortRangeEnd - last port the rule will affect
    # orderValue - order in which rules are applied (lower is sooner)
    #
    # Important manual pages:
    # http://sldn.softlayer.com/reference/services/SoftLayer_Network_Firewall_Update_Request
    # http://sldn.softlayer.com/reference/services/SoftLayer_Network_Firewall_Update_Request/createObject
    # @License: http://sldn.softlayer.com/article/License
    # @Author: SoftLayer Technologies, Inc. <sldn@softlayer.com>
    
    # So we can talk to the SoftLayer API:
    import SoftLayer.API
    
    # For nice debug output:
    import pprint
    
    # Your SoftLayer API username and key.
    #
    # Generate an API key at the SoftLayer Customer Portal
    
    API_USERNAME = 'set me'
    API_KEY = 'set me'
    
    vlanId = 211163
    # Create the client object
    client = SoftLayer.Client(username=API_USERNAME, api_key=API_KEY)
    objectMask = 'mask[firewallRules,firewallInterfaces[firewallContextAccessControlLists]]'
    vlan = client['SoftLayer_Network_Vlan'].getObject(mask=objectMask, id=vlanId)
    rules = vlan['firewallRules']
    
    firewallContextAccessControlListId = ''
    # Getting the ID of Access Control List.
    # Each VLAN will have two types of firewallInterface: 'inside' and 'outside'.
    # firewallContextAccessControlLists are organized by a direction of 'in' or 'out'.
    # Currently the SoftLayer Platform supports the 'outside' firewallInterfaces
    for firewall in vlan['firewallInterfaces']:
        if firewall['name'] == 'inside':
            continue
        for controlList in firewall['firewallContextAccessControlLists']:
            if controlList['direction'] == 'out':
                continue
            firewallContextAccessControlListId = controlList['id']
    try:
        # Modifying a rule
        ipToAllow = '119.81.91.198'
        index = 0
        for rule in rules:
            if rule['sourceIpAddress'] == ipToAllow:
                rule['action'] = 'permit'
                rules[index] = rule
            index += 1
        updateRequestTemplate = {
            'firewallContextAccessControlListId': firewallContextAccessControlListId,
            'rules': rules
        }
        updateRequestClient = client['SoftLayer_Network_Firewall_Update_Request'].createObject(updateRequestTemplate)
        pprint.pprint('Rule updated!')
    
    except SoftLayer.SoftLayerAPIError as e:
        print("Error updating the rule  faultCode=%s, faultString=%s"
              % (e.faultCode, e.faultString))
        exit(1)
    

    ..

    # Edit Standard Rule
    # A rule set of a firewall is modified by passing a SoftLayer_Network_Firewall_Update_Request template object
    # to SoftLayer_Network_Firewall_Update_Request::createObject. The entire rule set is rewritten with each
    # update request. This means it is necessary to include all past unchanged rules along with any modifications
    # or additions. This is easily accomplished by pulling in the existing rules as described above then modifying
    # the gathered array.
    # Each SoftLayer_Network_Component_Firewall_Update_Request_Rule object requires:
    #
    # action - permit or deny
    # destinationIpAddress - destination address
    # destinationIpSubnetMask - subnet mask for destination
    # sourceIpAddress - originating address
    # sourceIpSubnetMask - subnet mask for origin address
    # protocol - tcp/udp
    # destinationPortRangeStart - first port the rule will affect
    # destinationPortRangeEnd - last port the rule will affect
    # orderValue - order in which rules are applied (lower is sooner)
    #
    # Important manual pages:
    # http://sldn.softlayer.com/reference/services/SoftLayer_Network_Firewall_Update_Request
    # http://sldn.softlayer.com/reference/services/SoftLayer_Network_Firewall_Update_Request/createObject
    # @License: http://sldn.softlayer.com/article/License
    # @Author: SoftLayer Technologies, Inc. <sldn@softlayer.com>
    
    # So we can talk to the SoftLayer API:
    import SoftLayer
    
    # Your SoftLayer API username and key.
    #
    # Generate an API key at the SoftLayer Customer Portal
    API_USERNAME = 'set me'
    API_KEY = 'set me'
    
    # Create the client object
    client = SoftLayer.Client(username=API_USERNAME, api_key=API_KEY)
    
    serverId = 5439388
    objectMask = "mask[firewallServiceComponent[rules]]"
    server = client['Virtual_Guest'].getObject(mask=objectMask, id=serverId)
    
    try:
        # Modifying a rule
        if 'firewallServiceComponent' in server:
            ipToAllow = '192.168.1.1'
            index = 0
            if 'rules' in server['firewallServiceComponent']:
                rules = server['firewallServiceComponent']['rules']
                for rule in rules:
                    if rule['sourceIpAddress'] == ipToAllow:
                        rule['action'] = 'deny'
                        rules[index] = rule
                    index += 1
                updateRequestTemplate = {
                    'networkComponentFirewallId': server['firewallServiceComponent']['id'],
                    'rules': rules
                }
                updateRequestClient = client['SoftLayer_Network_Firewall_Update_Request'].createObject(
                    updateRequestTemplate)
                print("Rule updated!")
        else:
            print("The server does not have firewall component")
    
    except SoftLayer.SoftLayerAPIError as e:
        print("Error updating the rule  faultCode=%s, faultString=%s"
              % (e.faultCode, e.faultString))
        exit(1)
    
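Both answers rest on the same point: `createObject` rewrites the whole ruleset, so a new rule has to be submitted together with every rule already in place. The Python helper below is an added example, not code from either answer or from SoftLayer; it merges a rule into an existing list offline, and its function names, local validation, duplicate check, `orderValue` renumbering and sample rules are assumptions of this example.

```python
import ipaddress

# Fields that define what a rule matches (names from the request body on this page).
MATCH_KEYS = ("action", "protocol", "version", "sourceIpAddress", "sourceIpCidr", "destinationIpAddress",
              "destinationIpCidr", "destinationPortRangeStart", "destinationPortRangeEnd")

def validate_rule(rule):
    """Local sanity check (an assumption of this example, not the API's own validation)."""
    if rule["action"] not in ("permit", "deny"):
        raise ValueError("action must be permit or deny")
    for side in ("source", "destination"):
        addr, cidr = rule[side + "IpAddress"], rule[side + "IpCidr"]
        if addr == "any":                      # the page pairs "any" with CIDR 0
            continue
        ip = ipaddress.ip_address(addr)        # raises ValueError on a malformed address
        if ip.version != rule["version"] or not 0 <= cidr <= ip.max_prefixlen:
            raise ValueError(f"{side} address/CIDR does not fit IPv{rule['version']}")
    start, end = rule["destinationPortRangeStart"], rule["destinationPortRangeEnd"]
    if not 1 <= start <= end <= 65535:
        raise ValueError("invalid destination port range")

def merge_rule(existing_rules, new_rule):
    """Return the full ruleset to submit: every existing rule plus new_rule."""
    validate_rule(new_rule)
    new_key = [new_rule[k] for k in MATCH_KEYS]
    if any([r[k] for k in MATCH_KEYS] == new_key for r in existing_rules):
        raise ValueError("an identical rule already exists")
    merged = sorted((dict(r) for r in existing_rules), key=lambda r: r["orderValue"])
    position = sum(r["orderValue"] < new_rule["orderValue"] for r in merged)
    merged.insert(position, dict(new_rule))
    for order, rule in enumerate(merged, start=1):   # renumber: unique, gap-free order
        rule["orderValue"] = order
    return merged

def open_permits(rules):
    """orderValues of permit rules that accept any source; review these before sending."""
    return [r["orderValue"] for r in rules if r["action"] == "permit"
            and (r["sourceIpCidr"] == 0 or r["sourceIpAddress"] == "any")]

def build_update_request(acl_id, existing_rules, new_rule):
    """JSON body for SoftLayer_Network_Firewall_Update_Request::createObject."""
    return {"parameters": [{"firewallContextAccessControlListId": acl_id,
                            "rules": merge_rule(existing_rules, new_rule)}]}

# Constructed sample data (documentation address ranges, not rules from a real firewall).
BASE = {"action": "permit", "protocol": "tcp", "version": 4, "sourceIpAddress": "0.0.0.0", "sourceIpCidr": 0,
        "destinationIpCidr": 32, "destinationPortRangeStart": 80, "destinationPortRangeEnd": 80}
EXISTING = [dict(BASE, destinationIpAddress="192.0.2.10", orderValue=1),
            dict(BASE, destinationIpAddress="192.0.2.20", orderValue=2, sourceIpAddress="198.51.100.7", sourceIpCidr=32)]
NEW_RULE = dict(BASE, destinationIpAddress="192.0.2.30", orderValue=2, notes="constructed example rule")
```

`build_update_request(2854, EXISTING, NEW_RULE)` returns the body to POST, with 2854 standing in for the `firewallContextAccessControlListId` found as described in the first answer.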