[Tufin] How to send an access request using the REST API

The structure of the XML is not properly explained in Swagger (Swagger is a built-in helper for browsing the API calls within Tufin SecureChange itself). The example presented under POST Ticket is not very practical: the entire form is static. In this post I am sharing the structure required for you to post a request.

You can use Postman to try it out before writing scripts that build the POST body dynamically from user input.

Ticket
The root element, and the first line of the body, is <ticket>.

Subject
The second line is <subject>.
This is a mandatory field: when you use Tufin SecureChange to open a new request, the top of the access request form is the Subject field, and you cannot remove it from the first step of the workflow.

Priority
The third is <priority>; just put Normal.

Workflow
This tells Tufin which workflow you want to use; the name must match the name of the workflow you created exactly.
For example, if my workflow is named Firewall_Automation, the entire workflow block looks like this:
<workflow>
<name>Firewall_Automation</name>
<uses_topology>true</uses_topology>
</workflow>

Steps
This indicates which step you are raising the ticket at. If the first step of your Tufin SecureChange workflow is creating the request and that step is named Open request, this is where you specify it, for example:
<steps>
<step>
<name>Open request</name>
<tasks>
<task>
You close the <steps>, <step>, <tasks> and <task> tags after the entire XML body is finished.

Field
Fields are the items you put on your first step: you may have an access request field, a text box field, a text area field, and so on. Your request must supply a value for every field you marked as mandatory.

For example, if you want your XML body to put a string into a text box field, it looks like this:
<field xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="text_field">
<name>Name of the text field</name>
<text>The actual words you want to put in the text</text>
</field>

If you have an access request field and you need to make multiple access requests, do this (in the example below my access request field is named Firewall Rule):
<field xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="multi_access_request">
<name>Firewall Rule</name>
<access_request>
If you have multiple access requests in your step, repeat the <access_request></access_request> element once for each of them.

So here is what an access request looks like: it needs a source, a destination, a service and an action.
For brevity this example has a source of 1.1.1.1/32, a destination of 2.2.2.2/32, service TCP 4000 and action allow.

A side note: Tufin SecureChange can only do Allow (written as <action>Accept</action> in the XML). It cannot do deny even though the access request offers that option, and in most cases it cannot do drop; the drop action is only available for Cisco router ACLs.

Here is the example of the above:
<fields>
<field xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="multi_access_request">
<name>Firewall Rule</name>
<access_request>
<users>
<user>Any</user>
</users>
<sources>
<source type="IP">
<ip_address>1.1.1.1</ip_address>
<netmask>255.255.255.255</netmask>
</source>
</sources>
<destinations>
<destination type="IP">
<ip_address>2.2.2.2</ip_address>
<netmask>255.255.255.255</netmask>
</destination>
</destinations>
<services>
<service type="PROTOCOL">
<protocol>TCP</protocol>
<port>4000</port>
</service>
</services>
<action>Accept</action>
<labels/>
</access_request>
</field>
</fields>
</task>
</tasks>
</step>
</steps>
<comments/>
</ticket>

You can replace <netmask>255.255.255.255</netmask> with <cidr>32</cidr>.

Also take note of capitalization:
<protocol>TCP</protocol> must be TCP, not tcp. If you do not write the protocol in capitals you will get a Status 400 Bad Request response from Tufin SecureChange.
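Putting the whole structure together, here is an added example (my code, not code from this post or from Tufin) that builds the ticket with Python's ElementTree instead of string concatenation, so the xsi:type attribute is properly namespaced, every value is XML-escaped, malformed addresses and ports are rejected before the request leaves, and the protocol is forced to upper case so SecureChange does not answer 400. The workflow name Firewall_Automation, step Open request and field Firewall Rule are the ones used above; the POST path in post_ticket is an assumption taken from the SecureChange Swagger page, so verify it against your own installation.

```python
# Added example, not from the original post: build the SecureChange ticket
# XML described above with ElementTree, then POST it with HTTP Basic auth.
# The POST path in post_ticket is an assumption; check it on your Swagger page.
import base64
import ipaddress
import urllib.request
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"
ET.register_namespace("xsi", XSI)  # keep the "xsi" prefix in the output


def access_request(sources, destinations, services, action="Accept"):
    """sources/destinations: iterables of CIDR strings such as "1.1.1.1/32".
    services: iterable of (protocol, port) pairs. Returns an <access_request>."""
    ar = ET.Element("access_request")
    users = ET.SubElement(ar, "users")
    ET.SubElement(users, "user").text = "Any"

    for tag, child, items in (("sources", "source", sources),
                              ("destinations", "destination", destinations)):
        parent = ET.SubElement(ar, tag)
        for cidr in items:
            # strict=True rejects garbage and host bits set in a non-host prefix
            net = ipaddress.ip_network(cidr, strict=True)
            el = ET.SubElement(parent, child, type="IP")
            ET.SubElement(el, "ip_address").text = str(net.network_address)
            ET.SubElement(el, "cidr").text = str(net.prefixlen)  # or <netmask>

    svcs = ET.SubElement(ar, "services")
    for proto, port in services:
        port = int(port)
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        svc = ET.SubElement(svcs, "service", type="PROTOCOL")
        # SecureChange answers 400 Bad Request for "tcp": normalise to upper case
        ET.SubElement(svc, "protocol").text = proto.upper()
        ET.SubElement(svc, "port").text = str(port)

    ET.SubElement(ar, "action").text = action
    ET.SubElement(ar, "labels")
    return ar


def build_ticket(subject, workflow, step, field_name, requests_, priority="Normal"):
    """Assemble <ticket> ... </ticket> with one multi_access_request field."""
    ticket = ET.Element("ticket")
    ET.SubElement(ticket, "subject").text = subject
    ET.SubElement(ticket, "priority").text = priority
    wf = ET.SubElement(ticket, "workflow")
    ET.SubElement(wf, "name").text = workflow
    ET.SubElement(wf, "uses_topology").text = "true"

    step_el = ET.SubElement(ET.SubElement(ticket, "steps"), "step")
    ET.SubElement(step_el, "name").text = step
    task = ET.SubElement(ET.SubElement(step_el, "tasks"), "task")
    fields = ET.SubElement(task, "fields")
    field = ET.SubElement(fields, "field", {f"{{{XSI}}}type": "multi_access_request"})
    ET.SubElement(field, "name").text = field_name
    for ar in requests_:  # one <access_request> per requested rule
        field.append(ar)
    ET.SubElement(ticket, "comments")
    return ET.tostring(ticket, encoding="unicode")


def post_ticket(base_url, user, password, xml_body):
    """POST the ticket. The path below is an assumption taken from the
    SecureChange Swagger page; verify it on your own installation."""
    url = base_url.rstrip("/") + "/securechangeworkflow/api/securechange/tickets"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, data=xml_body.encode(), method="POST",
                                 headers={"Content-Type": "application/xml",
                                          "Authorization": "Basic " + token})
    with urllib.request.urlopen(req) as resp:  # raises HTTPError on a 400
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    ar = access_request(["1.1.1.1/32"], ["2.2.2.2/32"], [("tcp", 4000)])
    print(build_ticket("Allow 1.1.1.1 to 2.2.2.2 tcp/4000", "Firewall_Automation",
                       "Open request", "Firewall Rule", [ar]))
```

ElementTree declares xmlns:xsi once on <ticket> rather than on each <field>; the parser treats both the same. post_ticket uses HTTP Basic auth over whatever URL you pass, so keep it HTTPS and, if SecureChange uses an internal CA, hand that CA to urlopen through an ssl.SSLContext instead of turning certificate verification off.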

Understanding the request structure helps you design a script that builds the body from dynamic user inputs.

Consider this algorithm in PowerShell; the strategy is to iterate over an unknown number of source addresses:

# Assumption for this snippet: $ws is an Excel worksheet COM object opened earlier,
# e.g. $ws = (New-Object -ComObject Excel.Application).Workbooks.Open($path).Worksheets.Item(1)
function GatherSrcHosts($new_host){
# the here-string header @" must end the line; nothing may follow it
$src_addr = @"
<source type="IP">
    <ip_address>$new_host</ip_address>
    <netmask>255.255.255.255</netmask>
</source>
"@
return $src_addr + "`r"
}

$a = 1                 # first row to read (assumed; use 2 if row 1 is a header)
$srcHosts = @()        # initialise as arrays, otherwise += builds one long string
$src = @()
$src_collections = ""

while($true)
{
    if($ws.Range("A" + $a).Text -ne "") # collect until an empty cell.
    {
        $srcHosts += $ws.Range("A" + $a).Text
    }
    else
    {
        break
    }
    $a += 1
}
foreach($srcHost in $srcHosts)
{
    # resolve each name; a host with several A records contributes several addresses
    $src += [System.Net.Dns]::GetHostEntry($srcHost).AddressList.IPAddressToString
}

foreach($src_ip in $src) {
    $src_collections += GatherSrcHosts $src_ip   # one <source> block per address
}
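The same approach in Python, as an added example that is not from the post: read column values until the first blank cell, resolve names to addresses, and validate and de-duplicate the result before it is pasted into the ticket body (a cell that is neither an address nor a resolvable name is reported instead of silently producing an empty <source>). The spreadsheet column is replaced by a constructed CSV string and DNS by an injectable resolver with a hypothetical hostname, so it runs offline; the default resolver is socket.gethostbyname_ex for real lookups.

```python
# Added example, not from the original post: collect an unknown number of
# sources, resolve them, and produce validated CIDR strings for <source> elements.
import csv
import io
import ipaddress
import socket

# Constructed sample input standing in for the spreadsheet column. The
# hostname is a placeholder resolved through the injectable resolver below.
SAMPLE_COLUMN = """source
10.0.0.5
app01.example.internal
10.0.0.5
not a host

ignored-after-blank
"""


def read_until_blank(text):
    """Mimic the PowerShell loop: take cells from the top until the first empty one."""
    rows = csv.reader(io.StringIO(text))
    next(rows)  # skip the header row
    hosts = []
    for row in rows:
        cell = row[0].strip() if row else ""
        if not cell:
            break
        hosts.append(cell)
    return hosts


def resolve_sources(hosts, resolver=socket.gethostbyname_ex):
    """Turn names or addresses into a de-duplicated list of host CIDRs.
    Returns (cidrs, rejected) so bad cells are reported rather than dropped."""
    cidrs, rejected, seen = [], [], set()
    for h in hosts:
        try:
            addrs = [str(ipaddress.ip_address(h))]   # literal address: no DNS
        except ValueError:
            try:
                addrs = resolver(h)[2]   # gethostbyname_ex -> (name, aliases, addresses)
            except (socket.gaierror, OSError):
                rejected.append(h)
                continue
        for a in addrs:
            # /32 for IPv4, /128 for IPv6, instead of hard-coding 255.255.255.255
            cidr = f"{a}/{ipaddress.ip_address(a).max_prefixlen}"
            if cidr not in seen:          # same host listed twice -> one <source>
                seen.add(cidr)
                cidrs.append(cidr)
    return cidrs, rejected


def fake_resolver(name):
    """Offline stand-in for DNS used by the demo; the table is constructed."""
    table = {"app01.example.internal": ["10.0.1.20", "10.0.1.21"]}
    if name not in table:
        raise socket.gaierror(f"cannot resolve {name}")
    return (name, [], table[name])


if __name__ == "__main__":
    hosts = read_until_blank(SAMPLE_COLUMN)
    cidrs, rejected = resolve_sources(hosts, resolver=fake_resolver)
    print("sources:", cidrs)
    print("rejected cells:", rejected)
```

Each returned CIDR is ready for the <ip_address> and <cidr> pair of one <source> element; the rejected list is what you show back to the requester instead of raising a ticket with a hole in it.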

You can do the same for the service and the destination; in real life we never know what addresses and ports the user will request. I hope Tufin will provide more programming examples to help their customers make it through using their REST APIs. The example in Swagger is simply not practical; a user like me has no idea how to start off.

I hope this post benefits people who use Tufin SecureChange as their firewall rule automation engine.
