API Call /api/ni/path/firewall-rules does not list matching firewall rules with predefined services
Article ID: 402570

Products

VCF Operations for Networks

Issue/Introduction

When the /api/ni/path/firewall-rules API is run for a specific flow, the matching firewall rules returned do not include rules whose service is a pre-defined service. Only firewall rules defined with raw ports appear in the API response.

Environment

Aria Operations for Networks

Cause

This behavior is by design: raw protocol and port definitions are appended directly to the firewall rule, so the rule derives its protocol and port information solely from those raw definitions.

Consequently, if a request specifies a port or protocol that does not exactly match the raw definitions, the rule is not returned in the query response, even when a nested (pre-defined) service on the rule contains matching values.

Resolution

Workaround #1:

  • POST : https://<vrni_ip>/api/ni/search/ql
    POST Body:
    {
      "query": "rules where source ip = '<source_ip>' and dest ip = '<destination_ip>' and service = <service_name>",
      "size": <size>
    }

Workaround #2:

  1. Invoke the /api/ni/path/firewall-rules API without specifying the port and protocol.
  2. Fetch the associated services for each returned firewall rule and compare their protocol and port definitions with the flow of interest to identify the correct match.
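Workaround #2 carried through as a client-side filter, added here as an example and not VCF Operations for Networks product code: the rule and service objects are constructed sample data whose field names are assumptions, so map the real JSON returned by the path API and the per-rule service lookups onto them before use. It also handles port ranges and comma-separated port lists, which pre-defined services commonly use.

```python
from dataclasses import dataclass


@dataclass
class Service:
    name: str
    protocol: str      # "TCP" or "UDP"
    ports: str         # port spec, e.g. "443", "8000-8010", "80,443"


@dataclass
class FirewallRule:
    name: str
    raw_ports: list          # [(protocol, port_spec)]: the only data the API filters on today
    service_names: list      # nested pre-defined services the API ignores when filtering


def expand_ports(spec: str) -> set:
    """Expand '443', '8000-8010' or '80,443' into a set of integer ports."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def rule_covers(rule: FirewallRule, protocol: str, port: int, catalogue: dict) -> bool:
    """True if the rule's raw definitions OR any nested service covers protocol/port."""
    proto = protocol.upper()
    # Step 1: what /api/ni/path/firewall-rules already matches on (raw definitions).
    if any(p.upper() == proto and port in expand_ports(spec) for p, spec in rule.raw_ports):
        return True
    # Step 2 (Workaround #2): look inside each associated service as well.
    for name in rule.service_names:
        svc = catalogue.get(name)
        if svc and svc.protocol.upper() == proto and port in expand_ports(svc.ports):
            return True
    return False


def find_matching_rules(rules: list, protocol: str, port: int, catalogue: dict) -> list:
    """Names of rules covering protocol/port, including pre-defined-service matches."""
    return [r.name for r in rules if rule_covers(r, protocol, port, catalogue)]


# Constructed sample data standing in for the API responses (assumed shape).
CATALOGUE = {
    "HTTPS": Service("HTTPS", "TCP", "443"),
    "Ephemeral-TCP": Service("Ephemeral-TCP", "TCP", "1024-65535"),
    "DNS-UDP": Service("DNS-UDP", "UDP", "53"),
}
RULES = [
    FirewallRule("web-raw", [("TCP", "443")], []),      # returned by the API today
    FirewallRule("web-service", [], ["HTTPS"]),         # missed by the API today
    FirewallRule("mgmt", [("TCP", "22")], ["Ephemeral-TCP"]),
    FirewallRule("dns", [], ["DNS-UDP"]),
]
```

Calling `find_matching_rules(RULES, "tcp", 443, CATALOGUE)` returns both `web-raw` and `web-service`, where the path API alone would list only `web-raw`.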