Hello,
We currently run AOS8 (MCRs & clusters) but are imminently moving to AOS10.
It seems as though the firewall settings in AOS10 need to be created using the API, so I am playing with this (using a Python script).
My first question is should I just modify the existing default profile, or should I create a new profile?
I had assumed the latter and so that was what I attempted, but when I try to do so I get a validation error:
{"message":"validation failed: When condition '../protocol = 'ARP' or ../protocol ='GRAT_ARP'' not satisfied.","debugId":"fa3ff45a21f45c58c0fc248668ee267d","errorCode":"HPE_GL_ERROR_BAD_REQUEST","httpStatusCode":400}
I'm not sure what that means, can anyone help? The config I am trying to apply is below:
payload = {
"description": "firewall-test-api",
"name": "firewall-test",
"ipv4": {
"allow-tri-session": False,
"amsdu": False,
"bwcontracts-subnet-broadcast": False,
"deny-needfrag-df-gre": False,
"deny-needfrag-df-gre-xmit-icmp": False,
"deny-needfrag-df-ipsec": False,
"deny-needfrag-gre": False,
"deny-needfrag-gre-xmit-icmp": False,
"deny-source-routing": False,
"dhcp-perf-monitoring": False,
"disable-ftp-server": False,
"drop-ip-fragments": False,
"enable-bridging": False,
"enable-gre-inner-pkt-frag": False,
"enable-per-packet-logging": False,
"enable-port-packet-drop-logging": False,
"enable-stateful-icmp": False,
"enforce-tcp-handshake": False,
"enforce-tcp-sequence": False,
"gre-call-id-processing": False,
"immediate-feedback": False,
"ip-classification": False,
"ipsec-mark-mgmt-frames": False,
"local-valid-users": False,
"log-icmp-error": False,
"optimize-dad-frames": True,
"outstanding-buffers-hwm-percent": 80,
"outstanding-buffers-monitor-freq": 32,
"prevent-dhcp-exhaustion": False,
"prohibit-arp-spoofing": False,
"prohibit-ip-spoof-all": False,
"prohibit-ip-spoofing": True,
"prohibit-rc-update": False,
"prohibit-rst-replay": False,
"public-access": False,
"restrict-corp-access": False,
"role-to-role-policy-enforce": False,
"session-idle-timeout": 16,
"session-spread": False,
"session-tunnel-fib": False,
"shape-mcast": False,
"stall-crash": True,
"track-spoof": False,
"tunnel-trusted": False,
"voip-wmm-content-enforcement": False,
"wireless-bridge-aging": True,
"disable-sw-rps": False,
"ipv6-addr-gen-mode": "EUI_64",
"attack-rate": [
{
"action": "DENYLIST",
"protocol": "GRAT_ARP",
"rate": 50
},
{
"action": "DROP",
"protocol": "ARP",
"rate": 720
},
{
"action": "DROP",
"protocol": "PING",
"rate": 1800
},
{
"action": "DROP",
"protocol": "CP",
"rate": 3000
},
{
"action": "DROP",
"protocol": "TCP_SYN",
"rate": 8192
},
{
"action": "DROP",
"protocol": "SESSION",
"rate": 8192
}
],
"cp-bandwidth-contract": [
{
"protocol": "ARP_TRAFFIC",
"rate": 976
},
{
"protocol": "UNTRUSTED_UCAST",
"rate": 9765
},
{
"protocol": "UNTRUSTED_MCAST",
"rate": 1953
},
{
"protocol": "TRUSTED_UCAST",
"rate": 65535
},
{
"protocol": "TRUSTED_MCAST",
"rate": 1953
},
{
"protocol": "ROUTE",
"rate": 976
},
{
"protocol": "SESSMIRR",
"rate": 976
},
{
"protocol": "AUTH",
"rate": 976
},
{
"protocol": "VRRP",
"rate": 512
},
{
"protocol": "L2_OTHER",
"rate": 976
},
{
"protocol": "IKE",
"rate": 1953
}
]
}
}
Any advice much appreciated.
Guy