Knowledge BaseSecurity: Sophos Firewall [XG/XGS, Cyberoam]Let´s encrypt Zertifikat upload/u …

Bitte , um Beiträge und Themen zu erstellen.

Let´s encrypt Zertifikat upload/update and WAF change

#1 · 27. Dezember 2021, 11:34

Zitat von mpca am 27. Dezember 2021, 11:34 Uhr
command to upload certificate to XG and change certificate in WAF rule

curl -k -F "reqxml=<uploadcert.xml" -F file=@cert.cer "https://XG-FIREWALL-IP:4444/webconsole/APIController?"

or curl -k -F "reqxml=<updatecert.xml" -F file=@cert.cer "https://XG-FIREWALL-IP:4444/webconsole/APIController?"

curl -k -F "reqxml=<changewaf_new.xml" "https://XG-FIREWALL-IP:4444/webconsole/APIController?"

curl -k -F "reqxml=<delcert.xml" "https://XG-FIREWALL-IP:4444/webconsole/APIController?"

uploadcert.xml

<Request>
<Login><Username>API-Useraccountname</Username>
<Password passwordform="encrypt">encrypedAPIKey</Password>
</Login>

<Set operation="add">
<Certificate>
<Action>UploadCertificate</Action>
<Name>LE_cert_new</Name>
<CertificateFormat>cer</CertificateFormat>
<CertificateFile>cert.cer</CertificateFile>
</Certificate>
</Set>
</Request>

###

updatecert.xml

<Request>
<Login><Username>API-Useraccountname</Username>
<Password passwordform="encrypt">encrypedAPIKey</Password>
</Login>

<Set operation="update">
<Certificate>
<Action>UploadCertificate</Action>
<Name>LE_cert_new</Name>
<CertificateFormat>cer</CertificateFormat>
<CertificateFile>cert.cer</CertificateFile>
</Certificate>
</Set>
</Request>

###

delcert.xml

<Request>
<Login><Username>API-Username</Username>
<Password passwordform="encrypt">encryptedAPIKey</Password>
</Login>
<Remove>
<Certificate>
<Name>LE_cert_new</Name>>
</Certificate>
</Remove>
</Request>

###

changeWAF_new.xml

<Request>
<Login><Username>API-Useraccountname</Username>
<Password passwordform="encrypt">encrypedAPIKey</Password>
</Login>
<Set operation="update">
<FirewallRule transactionid="">
<Name>WAF_Rulename</Name>
<Description/>
<IPFamily>IPv4</IPFamily>
<Status>Enable</Status>
<Position>Top</Position>
<PolicyType>HTTPBased</PolicyType>
<HTTPBasedPolicy>
<HostedAddress>#Port2</HostedAddress>
<HTTPS>Enable</HTTPS>
<ListenPort>443</ListenPort>
<Domains>
<Domain>Domainname</Domain>
</Domains>
<AccessPaths>
<AccessPath>
<allowed_networks>Any IPv4</allowed_networks>
<auth_profile>Form with passthrough</auth_profile>
<backend>DMZ-Hostname</backend>
<be_path/>
<hot_standby>0</hot_standby>
<path>/pathonwebserver</path>
<stickysession_status>0</stickysession_status>
<websocket_passthrough>0</websocket_passthrough>
</AccessPath>
</AccessPaths>
<Exceptions>
</Exceptions>
<ProtocolSecurity>DMZ-Hostname</ProtocolSecurity>
<CompressionSupport>Disable</CompressionSupport>
<RewriteHTML>0</RewriteHTML>
<PassHostHeader>Enable</PassHostHeader>
<RewriteCookies>Enable</RewriteCookies>
<IntrusionPrevention>WAN TO LAN</IntrusionPrevention>
<TrafficShapingPolicy>None</TrafficShapingPolicy>
<Certificate>LE_certificatename_new</Certificate>
<RedirectHTTP>Disable</RedirectHTTP>
</HTTPBasedPolicy>
</FirewallRule>
<FirewallRuleGroup transactionid="">
<Name>RuleGroupname</Name>
<Description/>
<SecurityPolicyList>
<SecurityPolicy>FirstRulename</SecurityPolicy>
<SecurityPolicy>WAF_Rulename</SecurityPolicy>
</SecurityPolicyList>
<Policytype>Any</Policytype>
</FirewallRuleGroup>
</Set>
</Request>

######

Sophos XG API How-To:

https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/BackupAndFirmware/API/APIUsingAPI/index.html

How to use the API

You can use the API to make configuration changes manually to XML strings.

Introduction

To make configuration changes using the API, do as follows:

Create an administrator profile with read-write permission for the modules you want to update.

Attach the administrator profile to an administrator record.

Allow the following activities:

API configuration.

API access from the IP address of the administrator's endpoint device.

Access to the administrative services of Sophos Firewall from the administrator's zone.

Submit the XML string. In this example, we enter the string in the address bar of a browser.

Create an administrator profile for making configuration changes

You create an administrator profile with read-write permission for objects and network.

Go to Profiles > Device access and create an administrator profile with specific rights.

Click Save.The following image shows an example of how to configure the settings:

Create an administrator

You create a user and add the administrator profile.

When you add a user with the API administrator profile, you can limit the administrator's rights based on the profile. Alternatively, you can use an existing administrator account.

Go to Authentication > Users and click Add.

Set User type to Administrator.

Select the API administrator profile you created.

To allow access for a specific time, select the Access time.

To allow access only from specific IP addresses, select an option for Login restriction for device access.

Click Save.The following image shows an example of how to configure the settings:

Allow API access

You allow API access for the administrator you created.

You turn on API configuration and allow API access from the administrator's IP address. You also allow access to the administrative services of Sophos Firewall.

Specify the API configuration settings:

Go to Backup and firmware > API.

Select API configuration.

For Allowed IP address, enter the IP address from which you'll make the API request and click the add button.

Click Apply.

The following image shows an example of how to configure the settings:

To allow access to administrative services from the zone containing the administrator's IP address, do as follows:

Go to Administration > Device access. Under Admin services, select the administrator's zone for HTTPS and SSH.If you want to allow access from the WAN zone, we recommend that you create an exception rule limiting the access for specific services.

Scroll down to Local service ACL exception rule. Click Add, and create an exception for the zone.

In this example, we specify the following settings:

Setting Description

Source zone LAN

Source network/host API administrator

Destination host Port2

Services HTTPS

SSH

Action Accept

Click Save. The following image shows an example of how to configure the settings:

https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/BackupAndFirmware/API/index.html#get-the-encrypted-password-for-api-requests

Get the encrypted password for API requests

You can make API requests using a plaintext password or an encrypted password.

To get your encrypted password, enter the following command in the Advanced shell:
aes-128-cbc-tool -k Th1s1Ss1mPlygR8API -t 1 -s <password>

Setting	Description
Source zone	`LAN`
Source network/host	`API administrator`
Destination host	`Port2`
Services	`HTTPS` `SSH`
Action	`Accept`

command to upload certificate to XG and change certificate in WAF rule

curl -k -F "reqxml=<uploadcert.xml" -F file=@cert.cer "https://XG-FIREWALL-IP:4444/webconsole/APIController?"

or curl -k -F "reqxml=<updatecert.xml" -F file=@cert.cer "https://XG-FIREWALL-IP:4444/webconsole/APIController?"

curl -k -F "reqxml=<changewaf_new.xml" "https://XG-FIREWALL-IP:4444/webconsole/APIController?"

curl -k -F "reqxml=<delcert.xml" "https://XG-FIREWALL-IP:4444/webconsole/APIController?"

uploadcert.xml

<Request>
<Login><Username>API-Useraccountname</Username>
<Password passwordform="encrypt">encrypedAPIKey</Password>
</Login>

<Set operation="add">
<Certificate>
<Action>UploadCertificate</Action>
<Name>LE_cert_new</Name>
<CertificateFormat>cer</CertificateFormat>
<CertificateFile>cert.cer</CertificateFile>
</Certificate>
</Set>
</Request>

###

updatecert.xml

<Request>
<Login><Username>API-Useraccountname</Username>
<Password passwordform="encrypt">encrypedAPIKey</Password>
</Login>

<Set operation="update">
<Certificate>
<Action>UploadCertificate</Action>
<Name>LE_cert_new</Name>
<CertificateFormat>cer</CertificateFormat>
<CertificateFile>cert.cer</CertificateFile>
</Certificate>
</Set>
</Request>

###

delcert.xml

<Request>
<Login><Username>API-Username</Username>
<Password passwordform="encrypt">encryptedAPIKey</Password>
</Login>
<Remove>
<Certificate>
<Name>LE_cert_new</Name>>
</Certificate>
</Remove>
</Request>

###

changeWAF_new.xml

<Request>
<Login><Username>API-Useraccountname</Username>
<Password passwordform="encrypt">encrypedAPIKey</Password>
</Login>
<Set operation="update">
<FirewallRule transactionid="">
<Name>WAF_Rulename</Name>
<Description/>
<IPFamily>IPv4</IPFamily>
<Status>Enable</Status>
<Position>Top</Position>
<PolicyType>HTTPBased</PolicyType>
<HTTPBasedPolicy>
<HostedAddress>#Port2</HostedAddress>
<HTTPS>Enable</HTTPS>
<ListenPort>443</ListenPort>
<Domains>
<Domain>Domainname</Domain>
</Domains>
<AccessPaths>
<AccessPath>
<allowed_networks>Any IPv4</allowed_networks>
<auth_profile>Form with passthrough</auth_profile>
<backend>DMZ-Hostname</backend>
<be_path/>
<hot_standby>0</hot_standby>
<path>/pathonwebserver</path>
<stickysession_status>0</stickysession_status>
<websocket_passthrough>0</websocket_passthrough>
</AccessPath>
</AccessPaths>
<Exceptions>
</Exceptions>
<ProtocolSecurity>DMZ-Hostname</ProtocolSecurity>
<CompressionSupport>Disable</CompressionSupport>
<RewriteHTML>0</RewriteHTML>
<PassHostHeader>Enable</PassHostHeader>
<RewriteCookies>Enable</RewriteCookies>
<IntrusionPrevention>WAN TO LAN</IntrusionPrevention>
<TrafficShapingPolicy>None</TrafficShapingPolicy>
<Certificate>LE_certificatename_new</Certificate>
<RedirectHTTP>Disable</RedirectHTTP>
</HTTPBasedPolicy>
</FirewallRule>
<FirewallRuleGroup transactionid="">
<Name>RuleGroupname</Name>
<Description/>
<SecurityPolicyList>
<SecurityPolicy>FirstRulename</SecurityPolicy>
<SecurityPolicy>WAF_Rulename</SecurityPolicy>
</SecurityPolicyList>
<Policytype>Any</Policytype>
</FirewallRuleGroup>
</Set>
</Request>

######

Sophos XG API How-To:

https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/BackupAndFirmware/API/APIUsingAPI/index.html

How to use the API

You can use the API to make configuration changes manually to XML strings.

Introduction

To make configuration changes using the API, do as follows:

Create an administrator profile with read-write permission for the modules you want to update.
Attach the administrator profile to an administrator record.
Allow the following activities:
- API configuration.
- API access from the IP address of the administrator's endpoint device.
- Access to the administrative services of Sophos Firewall from the administrator's zone.
Submit the XML string. In this example, we enter the string in the address bar of a browser.

Create an administrator profile for making configuration changes

You create an administrator profile with read-write permission for objects and network.

Go to Profiles > Device access and create an administrator profile with specific rights.
Click Save.The following image shows an example of how to configure the settings:

Create an administrator

You create a user and add the administrator profile.

When you add a user with the API administrator profile, you can limit the administrator's rights based on the profile. Alternatively, you can use an existing administrator account.

Go to Authentication > Users and click Add.
Set User type to Administrator.
Select the API administrator profile you created.
To allow access for a specific time, select the Access time.
To allow access only from specific IP addresses, select an option for Login restriction for device access.
Click Save.The following image shows an example of how to configure the settings:

Allow API access

You allow API access for the administrator you created.

You turn on API configuration and allow API access from the administrator's IP address. You also allow access to the administrative services of Sophos Firewall.

Specify the API configuration settings:
1. Go to Backup and firmware > API.
2. Select API configuration.
3. For Allowed IP address, enter the IP address from which you'll make the API request and click the add button.
4. Click Apply.
The following image shows an example of how to configure the settings:
To allow access to administrative services from the zone containing the administrator's IP address, do as follows:
1. Go to Administration > Device access. Under Admin services, select the administrator's zone for HTTPS and SSH.If you want to allow access from the WAN zone, we recommend that you create an exception rule limiting the access for specific services.
2. Scroll down to Local service ACL exception rule. Click Add, and create an exception for the zone.
3. In this example, we specify the following settings:
  
  Setting Description
  
  Source zone LAN
  
  Source network/host API administrator
  
  Destination host Port2
  
  Services HTTPS
  
  SSH
  
  Action Accept
4. Click Save. The following image shows an example of how to configure the settings:

Setting	Description
Source zone	`LAN`
Source network/host	`API administrator`
Destination host	`Port2`
Services	`HTTPS` `SSH`
Action	`Accept`

https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/BackupAndFirmware/API/index.html#get-the-encrypted-password-for-api-requests

Get the encrypted password for API requests

You can make API requests using a plaintext password or an encrypted password.

To get your encrypted password, enter the following command in the Advanced shell:

aes-128-cbc-tool -k Th1s1Ss1mPlygR8API -t 1 -s <password>

Knowledge Base

Let´s encrypt Zertifikat upload/update and WAF change

How to use the API

Introduction

Create an administrator profile for making configuration changes

Create an administrator

Allow API access

Get the encrypted password for API requests

How to use the API

Introduction

Create an administrator profile for making configuration changes

Create an administrator

Allow API access

Get the encrypted password for API requests

ISP-Service

Quick Links

Informationen