Create a traffic change request
FireFlow validates the API to ensure that mandatory elements are in place, such as permissions, template, date formats, that any specified device exists in AFA, and so on.
Note: For IPv6 addresses, you must use IPv6 format for both source and destination. For example: 2001:cdba::3257:9652 - 2001:cdba::3257:9657. See IPv6 traffic change workflow.
Notes: For IPv6 templates, only Cisco ASA devices are supported.
Resource Name: /FireFlow/api/change-requests/traffic
Request Method: POST
Header requirements:
Key | Value |
---|---|
Cookie | FireFlow_Session=[sessionID]. The sessionId is retrieved from the authentication request. |
Request Body:
Element |
Type |
Description |
---|---|---|
trafficChangeRequestDetails
|
Object body containing details for creation of traffic change request. |
If you are using the StoreFirewallSuffixInHostGroup and StoreFirewallSuffixInServiceGroup configuration, the address format in source and destination fields must be as follows:
Firewall suffixes |
This definition is translated from the firewall as follows: <object_name>:fw:<firewall treeName> For example: host-1:fw:My_GW1 |
Group suffixes |
This definition is translated from the one of the group members, as follows: <object_name>:grp:<firewall treeName> For example: grp-1:grp:My_GW1 |
Source with firewall suffix example:
{
"source": {
"items": [{
"address": "host-1:fw:My_GW1"
}
]
}
If you are defining the device, you must enter the device database name, not the name displayed in the AFA device tree. Rule IDs must also be defined as the internal AFA IDs.
Retrieve both device database names and internal rule IDs using the following API:
https://<server_IP>/fa/server/rules/read?session=<FA_session_Id>&entity=<AFA_UI_display_name>
Any error messages that include the device name include the name displayed in AFA.
The attachment field accepts single or multiple values, and expects the following syntax: 'filename=<filename>:content=<encoded file content to base64 string>'
Additionally:
-
Filenames must be valid Linux filenames, including valid characters only, no more than 255 characters, and not an empty string.
-
Files must also have valid extensions, and not be of any file types listed in the RestrictedFileExtensionsInAttachment configuration.
-
File content should be encoded to base 64.
-
Before encoding, the file content should not exceed the maximum size configured in the MaxAttachmentSize configuration parameter.
For details, see FireFlow configuration parameter reference.
Status codes:
Code |
Description |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
200 |
ActiveChange was triggered |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
400 |
Input validation failure Error messages:
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
403 |
Authentication failure Error messages:
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
50x |
Internal Server Error Error messages:
|
Request example
{ "template": "Basic Change Traffic Request", "fields": [ { "key": "subject", "values": [ "Traffic_Ticket_Via_REST_API" ] }, { "key": "Change Request Description", "values": [ "add here the change request description" ] }, { "name": "devices", "values": [ "CKP1", "Cisco2" ] } ], "traffic": [{ "source": { "items": [{ "name": "1.1.1.0/24" }, { "name": "host_object" } ] }, "destination": { "items": [{ "name": "2.2.2.2-2.2.2.150", "fields": [{ "key": "CFPTI", "values": [ "destination1" ] }] }] }, "service": { "items": [{ "name": "https" }, { "name": "service_object" } ] }, "user": { "items": [{ "name": "user1" }] }, "application": { "items": [{ "name": "any" }] }, "action": "Allow", "natDetails": { "source": ["9.9.9.9"], "destination": ["8.8.8.8"], "port": ["tcp/8080"], "type": "Static" }, "fields": [{ "key": "Requested Source Group Name", "values": [ "sourceGroup100" ] }] }] }
IPv6 request example
{
"template":"170: Traffic Change Request (IPv6)",
"fields":[
{
"name":"subject",
"values":[
"IPv6_demo_3"
]
},
{
"name":"devices",
"values":[
"10_132_16_2"
]
}
],
"traffic":[
{
"source":{
"items":[
{
"address":"fe80:2222::3333"
}
]
},
"destination":{
"items":[
{
"address":"2001:cdba::3257:9652 - 2001:cdba::3257:9657"
}
]
},
"service":{
"items":[
{
"name":"tcp/80-90"
}
]
},
"action":"Allow"
}
]
}
Response: Response type