Forum Discussion
Marvin_129795
Nimbostratus
NimbostratusExport AFM firewall rules using Icontrol
Hi All,
I am trying to export the complete firewall rule list using RestAPI in version 12.1.3 but I get the following response:
command used: $select=rulesReference&expandSubcollections=true
v...
I think this may be an environmental issue. I tested the REST command (changing the destination host and BIG-IP version) using a similar policy name on versions 14.0.0, 13.1.0.8, and 12.1.3. The error was not reproduced.
Here are my tests & results:
12.1.3
curl -sk -u admin:admin -H "Content-Type: application/json" -X GET https://192.168.1.98/mgmt/tm/security/firewall/policy/~Common~DDCBU-Global/rules '{"kind":"tm:security:firewall:policy:policycollectionstate","selfLink":"https://192.168.1.98/mgmt/tm/security/firewall/policy?$select=rulesReference&ver=12.1.3","items":[{"rulesReference" {"link":"https://192.168.1.98/mgmt/tm/security/firewall/policy/~Common~DDCBU-Global/rules?ver=12.1.3","isSubcollection":true}},{"rulesReference" {"link":"https://192.168.1.98/mgmt/tm/security/firewall/policy/~Common~DDCBU-management/rules?ver=12.1.3","isSubcollection":true}},{"rulesReference" {"link":"https://192.168.1.98/mgmt/tm/security/firewall/policy/~Common~self-protect/rules?ver=12.1.3","isSubcollection":true}}]}'
Result
{"kind":"tm:security:firewall:policy:rules:rulescollectionstate","selfLink":";:[{"kind":"tm:security:firewall:policy:rules:rulesstate","name":"self-protect","fullPath":"self-protect","generation":85,"selfLink":";:{},"source":{"identity":{}}},{"kind":"tm:security:firewall:policy:rules:rulesstate","name":"no-icmp-ipv6","fullPath":"no-icmp-ipv6","generation":86,"selfLink":";:{},"source":{"identity":{}},"icmp":[{"name":"255"}]}]}
13.1.0.8
curl -sk -u admin:admin -H "Content-Type: application/json" -X GET https://192.168.1.74/mgmt/tm/security/firewall/policy/~Common~DDCBU-Global/rules '{"kind":"tm:security:firewall:policy:policycollectionstate","selfLink":"https://192.168.1.74/mgmt/tm/security/firewall/policy?$select=rulesReference&ver=13.1.0.8","items":[{"rulesReference" {"link":"https://192.168.1.74/mgmt/tm/security/firewall/policy/~Common~DDCBU-Global/rules?ver=13.1.0.8","isSubcollection":true}},{"rulesReference" {"link":"https://192.168.1.74/mgmt/tm/security/firewall/policy/~Common~DDCBU-management/rules?ver=13.1.0.8","isSubcollection":true}},{"rulesReference" {"link":"https://192.168.1.74/mgmt/tm/security/firewall/policy/~Common~self-protect/rules?ver=13.1.0.8","isSubcollection":true}}]}'
Result
{"kind":"tm:security:firewall:policy:rules:rulescollectionstate","selfLink":";:[{"kind":"tm:security:firewall:policy:rules:rulesstate","name":"no-udp","fullPath":"no-udp","generation":207,"selfLink":" UDP","ipProtocol":"udp","iruleSampleRate":1,"log":"no","status":"enabled","destination":{},"source":{"identity":{}}},{"kind":"tm:security:firewall:policy:rules:rulesstate","name":"no-ipv6-icmp","fullPath":"no-ipv6-icmp","generation":81,"selfLink":";:{},"source":{"identity":{}}}]}
14.0.0
curl -sk -u admin:admin -H "Content-Type: application/json" -X GET https://192.168.1.69/mgmt/tm/security/firewall/policy/~Common~DDCBU-Global/rules '{"kind":"tm:security:firewall:policy:policycollectionstate","selfLink":"https://192.168.1.69/mgmt/tm/security/firewall/policy?$select=rulesReference&ver=14.0.0","items":[{"rulesReference" {"link":"https://192.168.1.69/mgmt/tm/security/firewall/policy/~Common~DDCBU-Global/rules?ver=14.0.0","isSubcollection":true}},{"rulesReference" {"link":"https://192.168.1.69/mgmt/tm/security/firewall/policy/~Common~DDCBU-management/rules?ver=14.0.0","isSubcollection":true}},{"rulesReference" {"link":"https://192.168.1.69/mgmt/tm/security/firewall/policy/~Common~self-protect/rules?ver=14.0.0","isSubcollection":true}}]}'
Result
{"kind":"tm:security:firewall:policy:rules:rulescollectionstate","selfLink":";:[{"kind":"tm:security:firewall:policy:rules:rulesstate","name":"block-ping-ipv4","fullPath":"block-ping-ipv4","generation":277,"selfLink":";:{},"source":{"identity":{}}},{"kind":"tm:security:firewall:policy:rules:rulesstate","name":"do-nothing-rule","fullPath":"do-nothing-rule","generation":276,"selfLink":";:{},"source":{"identity":{}}},{"kind":"tm:security:firewall:policy:rules:rulesstate","name":"self-protect","fullPath":"self-protect","generation":275,"selfLink":";:{},"source":{"identity":{}},"icmp":[{"name":"1:3"},{"name":"255"}]}]}
I think this may be an environmental issue. I tested the REST command (changing the destination host and BIG-IP version) using a similar policy name on versions 14.0.0, 13.1.0.8, and 12.1.3. The error was not reproduced.
Here are my tests & results:
12.1.3
curl -sk -u admin:admin -H "Content-Type: application/json" -X GET https://192.168.1.98/mgmt/tm/security/firewall/policy/~Common~DDCBU-Global/rules '{"kind":"tm:security:firewall:policy:policycollectionstate","selfLink":"https://192.168.1.98/mgmt/tm/security/firewall/policy?$select=rulesReference&ver=12.1.3","items":[{"rulesReference" {"link":"https://192.168.1.98/mgmt/tm/security/firewall/policy/~Common~DDCBU-Global/rules?ver=12.1.3","isSubcollection":true}},{"rulesReference" {"link":"https://192.168.1.98/mgmt/tm/security/firewall/policy/~Common~DDCBU-management/rules?ver=12.1.3","isSubcollection":true}},{"rulesReference" {"link":"https://192.168.1.98/mgmt/tm/security/firewall/policy/~Common~self-protect/rules?ver=12.1.3","isSubcollection":true}}]}'
Result
{"kind":"tm:security:firewall:policy:rules:rulescollectionstate","selfLink":";:[{"kind":"tm:security:firewall:policy:rules:rulesstate","name":"self-protect","fullPath":"self-protect","generation":85,"selfLink":";:{},"source":{"identity":{}}},{"kind":"tm:security:firewall:policy:rules:rulesstate","name":"no-icmp-ipv6","fullPath":"no-icmp-ipv6","generation":86,"selfLink":";:{},"source":{"identity":{}},"icmp":[{"name":"255"}]}]}
13.1.0.8
curl -sk -u admin:admin -H "Content-Type: application/json" -X GET https://192.168.1.74/mgmt/tm/security/firewall/policy/~Common~DDCBU-Global/rules '{"kind":"tm:security:firewall:policy:policycollectionstate","selfLink":"https://192.168.1.74/mgmt/tm/security/firewall/policy?$select=rulesReference&ver=13.1.0.8","items":[{"rulesReference" {"link":"https://192.168.1.74/mgmt/tm/security/firewall/policy/~Common~DDCBU-Global/rules?ver=13.1.0.8","isSubcollection":true}},{"rulesReference" {"link":"https://192.168.1.74/mgmt/tm/security/firewall/policy/~Common~DDCBU-management/rules?ver=13.1.0.8","isSubcollection":true}},{"rulesReference" {"link":"https://192.168.1.74/mgmt/tm/security/firewall/policy/~Common~self-protect/rules?ver=13.1.0.8","isSubcollection":true}}]}'
Result
{"kind":"tm:security:firewall:policy:rules:rulescollectionstate","selfLink":";:[{"kind":"tm:security:firewall:policy:rules:rulesstate","name":"no-udp","fullPath":"no-udp","generation":207,"selfLink":" UDP","ipProtocol":"udp","iruleSampleRate":1,"log":"no","status":"enabled","destination":{},"source":{"identity":{}}},{"kind":"tm:security:firewall:policy:rules:rulesstate","name":"no-ipv6-icmp","fullPath":"no-ipv6-icmp","generation":81,"selfLink":";:{},"source":{"identity":{}}}]}
14.0.0
curl -sk -u admin:admin -H "Content-Type: application/json" -X GET https://192.168.1.69/mgmt/tm/security/firewall/policy/~Common~DDCBU-Global/rules '{"kind":"tm:security:firewall:policy:policycollectionstate","selfLink":"https://192.168.1.69/mgmt/tm/security/firewall/policy?$select=rulesReference&ver=14.0.0","items":[{"rulesReference" {"link":"https://192.168.1.69/mgmt/tm/security/firewall/policy/~Common~DDCBU-Global/rules?ver=14.0.0","isSubcollection":true}},{"rulesReference" {"link":"https://192.168.1.69/mgmt/tm/security/firewall/policy/~Common~DDCBU-management/rules?ver=14.0.0","isSubcollection":true}},{"rulesReference" {"link":"https://192.168.1.69/mgmt/tm/security/firewall/policy/~Common~self-protect/rules?ver=14.0.0","isSubcollection":true}}]}'
Result
{"kind":"tm:security:firewall:policy:rules:rulescollectionstate","selfLink":";:[{"kind":"tm:security:firewall:policy:rules:rulesstate","name":"block-ping-ipv4","fullPath":"block-ping-ipv4","generation":277,"selfLink":";:{},"source":{"identity":{}}},{"kind":"tm:security:firewall:policy:rules:rulesstate","name":"do-nothing-rule","fullPath":"do-nothing-rule","generation":276,"selfLink":";:{},"source":{"identity":{}}},{"kind":"tm:security:firewall:policy:rules:rulesstate","name":"self-protect","fullPath":"self-protect","generation":275,"selfLink":";:{},"source":{"identity":{}},"icmp":[{"name":"1:3"},{"name":"255"}]}]}
MarvinCirrocumulus
Hi Thanks for that,
this command will result in an error: curl -sk -u admin:admin -H "Content-Type: application/json" -X GET
{"code":400,"message":"Version 12.1.3,isSubcollection:true is not supported.","referer":"10.101.10.2","restOperationId":45257275,"kind":":resterrorresponse"}
But if i use the following without the isSubCollection I receive the whole ruleset
curl -sk -u admin:admin -H "Content-Type: application/json" -X GET ;
Is it possible to retrieve the content of the objects source and destination groups as well as port number groups?
Lastly I would like to create a nice overview listing, I will also search for it maybe I can write each line to a file using curl.
Thanks
- Marvin
I am trying > firewall.txt && more firewall.txt the file is created but no content in it
- Marvin
curl -sk -u admin:admin -H "Content-Type: application/json" -X GET > testing.txt
The output is only partially being saved in the file not the whole response
- Marvin
got it to work now and used notepad++ to add new lines for every rule after the name and replaced it with \n
Is it possible to retrieve the object details for every source and destination group? Or do I need the expandSubcollection for that?
thanks a lot
sending the output through "tee" might work.
rest command | tee -a outputfile.txt
instead of
rest command > outputfile.txt
This seems to recursively pull the Network Firewall policy and rules across partitions.
curl -sk -u admin:admin -H "Content-Type: application/json" -X GET https:///mgmt/tm/security/firewall/policy?"expandSubcollections=true"