SonicOS/X API Reference Guide
- About SonicOS API
- API Authentication
- API: Config - Pending
- API: Restart
- API: Address Objects – IPv4
- Endpoint
- Schema Structure
- Object: Address Object
- Collection: Address Object
- Schema Attributes
- address_object:
- address_objects:
- address_object.ipv4:
- address_object.ipv4.name:
- address_object.ipv4.uuid:
- address_object.ipv4.host:
- address_object.ipv4.host.ip:
- address_object.ipv4.range:
- address_object.ipv4.range.begin:
- address_object.ipv4.range.end:
- address_object.ipv4.network:
- address_object.ipv4.network.subnet:
- address_object.ipv4.network.mask:
- address_object.ipv4.zone:
- API: Address Objects – IPv6
- Endpoint
- Schema Structure
- Object: Address Object
- Collection: Address Objects
- Schema Attributes
- address_object:
- address_objects:
- address_object.ipv6:
- address_object.ipv6.name:
- address_object.ipv6.uuid:
- address_object.ipv6.host:
- address_object.ipv6.host.ip:
- address_object.ipv6.range:
- address_object.ipv6.range.begin:
- address_object.ipv6.range.end:
- address_object.ipv6.network:
- address_object.ipv6.network.subnet:
- address_object.ipv6.network.mask:
- address_object.ipv6.zone:
- API: Address Objects – MAC
- API: Address Objects – FQDN
- API: Address Groups — IPv4
- Endpoint
- Schema Structure
- Object: Address Group
- Collection: Address Group
- Schema Attributes
- address_group:
- address_groups:
- address_group.ipv4:
- address_group.ipv4.name:
- address_group.ipv4.uuid:
- address_group.ipv4.address_group:
- address_group.ipv4.address_group.ipv4:
- address_group.ipv4.address_object.ipv4.name:
- address_group.ipv4.address_object.mac:
- address_group.ipv4.address_object.mac.name:
- address_group.ipv4.address_object.fqdn:
- address_group.ipv4.address_object.fqdn.name:
- API: Address Groups — IPv6
- Endpoint
- Schema Structure
- Object: Address Group
- Collection: Address Group
- Schema Attributes
- address_group:
- address_groups:
- address_group.ipv6:
- address_group.ipv6.name:
- address_group.ipv6.uuid:
- address_group.ipv6.address_group:
- address_group.ipv6.address_group.ipv4:
- address_group.ipv6.address_group.ipv4.name:
- address_group.ipv6.address_group.ipv6:
- address_group.ipv6.address_group.ipv6.name:
- address_group.ipv6.address_object.mac:
- address_group.ipv6.address_object.mac.name:
- address_group.ipv6.address_object.fqdn:
- address_group.ipv6.address_object.fqdn.name:
- API: Schedule Objects
- Endpoint
- Schema Structure
- Object: Schedule
- Collection: Schedule
- Schema Attributes
- schedule:
- schedules:
- schedule.name:
- schedule.uuid:
- schedule.occurs:
- schedule.occurs.once:
- schedule.occurs.once.event:
- schedule.occurs.once.event.start:
- schedule.occurs.once.event.end:
- schedule.occurs.recurring:
- schedule.occurs.recurring.recurring:
- schedule.occurs.recurring.recurring.start:
- schedule.occurs.recurring.recurring.end:
- schedule.occurs.recurring.recurring.sun:
- schedule.occurs.recurring.recurring.mon:
- schedule.occurs.recurring.recurring.tue:
- schedule.occurs.recurring.recurring.wed:
- schedule.occurs.recurring.recurring.thu:
- schedule.occurs.recurring.recurring.fri:
- schedule.occurs.recurring.recurring.sat:
- schedule.occurs.mixed:
- schedule.occurs.mixed.event:
- schedule.occurs.mixed.event.start:
- schedule.occurs.mixed.event.end:
- schedule.occurs.mixed.recurring:
- schedule.occurs.mixed.recurring.start:
- schedule.occurs.mixed.recurring.end:
- schedule.occurs.mixed.recurring.sun:
- schedule.occurs.mixed.recurring.mon:
- schedule.occurs.mixed.recurring.tue:
- schedule.occurs.mixed.recurring.wed:
- schedule.occurs.mixed.recurring.thu:
- schedule.occurs.mixed.recurring.fri:
- schedule.occurs.mixed.recurring.sat:
- API: Service Objects
- Endpoint
- Schema Structure
- Object: Service Object
- Collection: Service Object
- Schema Attributes
- service_object:
- service_objects:
- service_object.name:
- service_object.uuid:
- service_object.custom:
- service_object.icmp:
- service_object.igmp:
- service_object.tcp:
- service_object.tcp.begin:
- service_object.tcp.end:
- service_object.udp:
- service_object.udp.begin:
- service_object.udp.end:
- service_object.gre:
- service_object.esp:
- service_object.6over4:
- service_object.ah:
- service_object.icmpv6:
- service_object.eigrp:
- service_object.ospf:
- service_object.pim:
- service_object.l2tp:
- service_object.ipcomp:
- API: Service Groups
- API: Zones
- Endpoint
- Schema Structure
- Object: Zone
- Collection: Zone
- Schema Attributes
- zone:
- zones:
- zone.name:
- zone.uuid:
- zone.security_type:
- zone.interface_trust:
- zone.auto_generate_access_rules:
- zone.auto_generate_access_rules.allow_from_to_equal:
- zone.auto_generate_access_rules.allow_from_higher:
- zone.auto_generate_access_rules.allow_to_lower:
- zone.auto_generate_access_rules.deny_from_lower:
- zone.client.content_filtering:
- zone.client:
- zone.client.anti_virus:
- zone.gateway_anti_virus:
- zone.intrusion_prevention:
- zone.app_control:
- zone.anti_spyware:
- zone.create_group_vpn:
- zone.ssl_control:
- zone.wireless:
- zone.sslvpn_access:
- zone.wireless.sslvpn_enforcement:
- zone.wireless.sslvpn_enforcement.server:
- zone.wireless.sslvpn_enforcement.server.name:
- zone.wireless.sslvpn_enforcement.server.host:
- zone.wireless.sslvpn_enforcement.service:
- zone.wireless.sslvpn_enforcement.service.name:
- zone.wireless.sslvpn_enforcement.service.protocol:
- zone.wireless.sslvpn_enforcement.service.protocol.name:
- zone.wireless.sslvpn_enforcement.service.protocol.begin:
- zone.wireless.sslvpn_enforcement.service.protocol.end:
- zone.wireless.wifi_sec_enforcement:
- zone.wireless.wifi_sec_enforcement.exception_service:
- zone.wireless.wifi_sec_enforcement.exception_service.name:
- zone.wireless.wifi_sec_enforcement.exception_service.protocol:
- zone.wireless.wifi_sec_enforcement.exception_service.protocol.name:
- zone.wireless.wifi_sec_enforcement.exception_service.protocol.begin:
- zone.wireless.wifi_sec_enforcement.exception_service.protocol.end:
- zone.wireless.wifi_sec_for_site_to_site_vpn:
- zone.wireless.trust_wpa_traffic_as_wifi_sec:
- zone.wireless.only_sonicpoint_traffic:
- zone.guest_services:
- zone.guest_services.inter_guest:
- zone.guest_services.bypass:
- zone.guest_services.bypass.client:
- zone.guest_services.bypass.client.anti_virus:
- zone.guest_services.bypass.client.content_filtering:
- zone.guest_services.external_auth:
- zone.guest_services.external_auth.client_redirect:
- zone.guest_services.external_auth.web_server:
- zone.guest_services.external_auth.web_server.protocol:
- zone.guest_services.external_auth.web_server.name:
- zone.guest_services.external_auth.web_server.port:
- zone.guest_services.external_auth.web_server.timeout:
- zone.guest_services.external_auth.message_auth:
- zone.guest_services.external_auth.message_auth.method:
- zone.guest_services.external_auth.message_auth.shared_secret:
- zone.guest_services.external_auth.message_auth.confirm_secret:
- zone.guest_services.external_auth.social_network:
- zone.guest_services.external_auth.social_network.facebook:
- zone.guest_services.external_auth.social_network.google:
- zone.guest_services.external_auth.social_network.twitter:
- zone.guest_services.external_auth.auth_pages:
- zone.guest_services.external_auth.auth_pages.login:
- zone.guest_services.external_auth.auth_pages.expiration:
- zone.guest_services.external_auth.auth_pages.timeout:
- zone.guest_services.external_auth.auth_pages.max_sessions:
- zone.guest_services.external_auth.auth_pages.traffic_exceeded:
- zone.guest_services.external_auth.web_content:
- zone.guest_services.external_auth.web_content.redirect:
- zone.guest_services.external_auth.web_content.redirect.use_default:
- zone.guest_services.external_auth.web_content.redirect.custom:
- zone.guest_services.external_auth.web_content.server_down:
- zone.guest_services.external_auth.web_content.server_down.use_default:
- zone.guest_services.external_auth.web_content.server_down.custom:
- zone.guest_services.external_auth.logout_expired:
- zone.guest_services.external_auth.logout_expired.every:
- zone.guest_services.external_auth.logout_expired.cgi:
- zone.guest_services.external_auth.status_check:
- zone.guest_services.external_auth.status_check.every:
- zone.guest_services.external_auth.status_check.cgi:
- zone.guest_services.external_auth.session_sync:
- zone.guest_services.external_auth.session_sync.every:
- zone.guest_services.external_auth.session_sync.cgi:
- zone.guest_services.policy_page_non_authentication:
- zone.guest_services.policy_page_non_authentication.guest_usage_policy:
- zone.guest_services.custom_auth_page:
- zone.guest_services.custom_auth_page.header:
- zone.guest_services.custom_auth_page.header.text:
- zone.guest_services.custom_auth_page.header.url:
- zone.guest_services.custom_auth_page.footer:
- zone.guest_services.custom_auth_page.footer.text:
- zone.guest_services.custom_auth_page.footer.url:
- zone.guest_services.post_auth:
- zone.guest_services.bypass_guest_auth:
- zone.guest_services.bypass_guest_auth.all:
- zone.guest_services.bypass_guest_auth.name:
- zone.guest_services.bypass_guest_auth.group:
- zone.guest_services.bypass_guest_auth.mac:
- zone.guest_services.smtp_redirect:
- zone.guest_services.smtp_redirect.name:
- zone.guest_services.smtp_redirect.host:
- zone.guest_services.deny_networks:
- zone.guest_services.deny_networks.name:
- zone.guest_services.deny_networks.group:
- zone.guest_services.deny_networks.mac:
- zone.guest_services.deny_networks.fqdn:
- zone.guest_services.deny_networks.host:
- zone.guest_services.deny_networks.range:
- zone.guest_services.deny_networks.range.begin:
- zone.guest_services.deny_networks.range.end:
- zone.guest_services.deny_networks.network:
- zone.guest_services.deny_networks.network.subnet:
- zone.guest_services.deny_networks.network.mask:
- zone.guest_services.deny_networks.ipv6:
- zone.guest_services.deny_networks.ipv6.host:
- zone.guest_services.deny_networks.ipv6.range:
- zone.guest_services.deny_networks.ipv6.range.begin:
- zone.guest_services.deny_networks.ipv6.range.end:
- zone.guest_services.deny_networks.ipv6.network:
- zone.guest_services.deny_networks.ipv6.network.subnet:
- zone.guest_services.deny_networks.ipv6.network.mask:
- zone.guest_services.pass_networks:
- zone.guest_services.pass_networks.name:
- zone.guest_services.pass_networks.group:
- zone.guest_services.pass_networks.mac:
- zone.guest_services.pass_networks.fqdn:
- zone.guest_services.pass_networks.host:
- zone.guest_services.pass_networks.range:
- zone.guest_services.pass_networks.range.begin:
- zone.guest_services.pass_networks.range.end:
- zone.guest_services.pass_networks.network:
- zone.guest_services.pass_networks.network.subnet:
- zone.guest_services.pass_networks.network.mask:
- zone.guest_services.pass_networks.ipv6:
- zone.guest_services.pass_networks.ipv6.host:
- zone.guest_services.pass_networks.ipv6.range:
- zone.guest_services.pass_networks.ipv6.range.begin:
- zone.guest_services.pass_networks.ipv6.range.end:
- zone.guest_services.pass_networks.ipv6.network:
- zone.guest_services.pass_networks.ipv6.network.subnet:
- zone.guest_services.pass_networks.ipv6.network.mask:
- zone.guest_services.max_guests:
- zone.guest_services.dynamic_address_translation:
- API: DNS
- Endpoint
- Schema Structure
- Object: DNS
- Schema Attributes
- dns:
- dns.server:
- dns.server.inherit:
- dns.server.static:
- dns.server.static.primary:
- dns.server.static.secondary:
- dns.server.static.tertiary:
- dns.server.ipv6:
- dns.server.ipv6.preferred:
- dns.server.ipv6.inherit:
- dns.server.ipv6.static:
- dns.server.ipv6.static.primary:
- dns.server.ipv6.static.secondary:
- dns.server.ipv6.static.tertiary:
- dns.rebinding:
- dns.rebinding.action:
- dns.rebinding.allowed_domains:
- dns.rebinding.allowed_domains.name:
- dns.rebinding.allowed_domains.group:
- dns.fqdn_binding:
- API: Interfaces – IPv4
- Endpoint
- Schema Structure
- Object: Interface – IPv4
- Collection: Interface – IPv4
- Schema Attributes
- interface:
- interfaces:
- interface.ipv4:
- interface.ipv4.name:
- interface.ipv4.comment:
- interface.ipv4.ip_assignment:
- interface.ipv4.ip_assignment.zone:
- interface.ipv4.ip_assignment.mode:
- interface.ipv4.ip_assignment.mode.static:
- interface.ipv4.ip_assignment.mode.static.ip:
- interface.ipv4.ip_assignment.mode.static.netmask:
- interface.ipv4.ip_assignment.mode.static.gateway:
- interface.ipv4.ip_assignment.mode.static.dns:
- interface.ipv4.ip_assignment.mode.static.dns.primary:
- interface.ipv4.ip_assignment.mode.static.dns.secondary:
- interface.ipv4.ip_assignment.mode.static.dns.tertiary:
- interface.ipv4.ip_assignment.mode.static.backup_ip:
- interface.ipv4.ip_assignment.mode.dhcp:
- interface.ipv4.ip_assignment.mode.dhcp.hostname:
- interface.ipv4.ip_assignment.mode.dhcp.renew_on_startup:
- interface.ipv4.ip_assignment.mode.dhcp.renew_on_link_up:
- interface.ipv4.ip_assignment.mode.dhcp.initiate_renewals_with_discover:
- interface.ipv4.ip_assignment.mode.dhcp.force_discover_interval:
- interface.ipv4.mtu:
- interface.ipv4.mac:
- interface.ipv4.mac.default:
- interface.ipv4.mac.override:
- interface.ipv4.link_speed:
- interface.ipv4.link_speed.auto_negotiate:
- interface.ipv4.link_speed.half:
- interface.ipv4.link_speed.full:
- interface.ipv4.management:
- interface.ipv4.management.http:
- interface.ipv4.management.https:
- interface.ipv4.management.ping:
- interface.ipv4.management.snmp:
- interface.ipv4.management.ssh:
- interface.ipv4.user_login:
- interface.ipv4.user_login.http:
- interface.ipv4.user_login.https:
- interface.ipv4.https_redirect:
- interface.ipv4.send_icmp_fragmentation:
- interface.ipv4.fragment_packets:
- interface.ipv4.ignore_df_bit:
- interface.ipv4.flow_reporting:
- interface.ipv4.multicast:
- interface.ipv4.cos_8021p:
- interface.ipv4.exclude_route:
- interface.ipv4.asymmetric_route:
- interface.ipv4.shutdown_port:
- interface.ipv4.default_8021p_cos:
- interface.ipv4.policy:
- interface.ipv4.sonicpoint:
- interface.ipv4.sonicpoint.limit:
- interface.ipv4.sonicpoint.reserve_address:
- interface.ipv4.sonicpoint.reserve_address.dynamic:
- interface.ipv4.sonicpoint.reserve_address.manual:
- API: NAT Policies – IPv4
- Endpoint
- Schema Structure
- Object: NAT Policies – IPv4
- Collection: NAT Policies – IPv4
- Schema Attributes
- nat_policy:
- nat_policies:
- nat_policy.ipv4:
- nat_policy.ipv4.inbound:
- nat_policy.ipv4.outbound:
- nat_policy.ipv4.source:
- nat_policy.ipv4.source.any:
- nat_policy.ipv4.source.name:
- nat_policy.ipv4.source.group:
- nat_policy.ipv4.translated_source:
- nat_policy.ipv4.translated_source.original:
- nat_policy.ipv4.translated_source.name:
- nat_policy.ipv4.translated_source.group:
- nat_policy.ipv4.destination:
- nat_policy.ipv4.destination.any:
- nat_policy.ipv4.destination.name:
- nat_policy.ipv4.destination.group:
- nat_policy.ipv4.translated_destination:
- nat_policy.ipv4.translated_destination.original:
- nat_policy.ipv4.translated_destination.name:
- nat_policy.ipv4.translated_destination.group:
- nat_policy.ipv4.service:
- nat_policy.ipv4.service.any:
- nat_policy.ipv4.service.name:
- nat_policy.ipv4.service.group:
- nat_policy.ipv4.translated_service:
- nat_policy.ipv4.translated_service.original:
- nat_policy.ipv4.translated_service.name:
- nat_policy.ipv4.translated_service.group:
- nat_policy.ipv4.uuid:
- nat_policy.ipv4.name:
- nat_policy.ipv4.enable:
- nat_policy.ipv4.comment:
- nat_policy.ipv4.priority:
- nat_policy.ipv4.priority.auto:
- nat_policy.ipv4.priority.manual:
- nat_policy.ipv4.reflexive:
- nat_policy.ipv4.virtual_group:
- nat_policy.ipv4.virtual_group.any:
- nat_policy.ipv4.virtual_group.id:
- nat_policy.ipv4.nat_method:
- nat_policy.ipv4.source_port_remap:
- nat_policy.ipv4.high_availability:
- nat_policy.ipv4.high_availability.probing:
- nat_policy.ipv4.high_availability.probing.probe_every:
- nat_policy.ipv4.high_availability.probing.probe_type:
- nat_policy.ipv4.high_availability.probing.probe_type.icmp_ping:
- nat_policy.ipv4.high_availability.probing.probe_type.tcp:
- nat_policy.ipv4.high_availability.probing.reply_timeout:
- nat_policy.ipv4.high_availability.probing.deactivate_after:
- nat_policy.ipv4.high_availability.probing.reactivate_after:
- nat_policy.ipv4.high_availability.probing.port_probing:
- nat_policy.ipv4.high_availability.probing.rst_as_miss:
- API: NAT Policies – IPv6
- Endpoint
- Schema Structure
- Object: NAT Policies – IPv6
- Schema Attributes
- nat_policy:
- nat_policies:
- nat_policy.ipv6:
- nat_policy.ipv6.inbound:
- nat_policy.ipv6.outbound:
- nat_policy.ipv6.source:
- nat_policy.ipv6.source.any:
- nat_policy.ipv6.source.name:
- nat_policy.ipv6.source.group:
- nat_policy.ipv6.translated_source:
- nat_policy.ipv6.translated_source.original:
- nat_policy.ipv6.translated_source.name:
- nat_policy.ipv6.translated_source.group:
- nat_policy.ipv6.destination:
- nat_policy.ipv6.destination.any:
- nat_policy.ipv6.destination.name:
- nat_policy.ipv6.destination.group:
- nat_policy.ipv6.translated_destination:
- nat_policy.ipv6.translated_destination.original:
- nat_policy.ipv6.translated_destination.name:
- nat_policy.ipv6.translated_destination.group:
- nat_policy.ipv6.service.any:
- nat_policy.ipv6.service.name:
- nat_policy.ipv6.service.group:
- nat_policy.ipv6.translated_service:
- nat_policy.ipv6.translated_service.original:
- nat_policy.ipv6.translated_service.name:
- nat_policy.ipv6.translated_service.group:
- nat_policy.ipv6.uuid:
- nat_policy.ipv6.name:
- nat_policy.ipv6.enable:
- nat_policy.ipv6.comment:
- nat_policy.ipv6.priority:
- nat_policy.ipv6.priority.auto:
- nat_policy.ipv6.priority.manual:
- nat_policy.ipv6.reflexive:
- nat_policy.ipv6.virtual_group:
- nat_policy.ipv6.virtual_group.any:
- nat_policy.ipv6.virtual_group.id:
- API: NAT Policies – NAT64
- Endpoint
- Schema Structure
- Object: NAT Policies – NAT64
- Collection: NAT Policies – NAT64
- Schema Attributes
- nat_policy:
- nat_policies:
- nat_policy.nat64:
- nat_policy.nat64.inbound:
- nat_policy.nat64.outbound:
- nat_policy.nat64.source:
- nat_policy.nat64.source.any:
- nat_policy.nat64.source.name:
- nat_policy.nat64.source.group:
- nat_policy.nat64.translated_source:
- nat_policy.nat64.translated_source.original:
- nat_policy.nat64.translated_source.name:
- nat_policy.nat64.translated_source.group:
- nat_policy.nat64.pref64:
- nat_policy.nat64.pref64.any:
- nat_policy.nat64.pref64.name:
- nat_policy.nat64.pref64.group:
- nat_policy.nat64.translated_destination:
- nat_policy.nat64.translated_destination.embedded_ipv4_address:
- nat_policy.nat64.service:
- nat_policy.nat64.service.icmp_udp_tcp:
- nat_policy.nat64.translated_service:
- nat_policy.nat64.translated_service.original:
- nat_policy.nat64.uuid:
- nat_policy.nat64.name:
- nat_policy.nat64.enable:
- nat_policy.nat64.comment:
- API: Access Rules – IPv4
- Endpoint
- Schema Structure
- Object: Access Rules – IPv4
- Collection: Access Rules – IPv4
- Schema Attributes
- access_rule:
- access_rules:
- access_rule.ipv4:
- access_rule.ipv4.from:
- access_rule.ipv4.to:
- access_rule.ipv4.action:
- access_rule.ipv4.source:
- access_rule.ipv4.source.address:
- access_rule.ipv4.source.address.any:
- access_rule.ipv4.source.address.name:
- access_rule.ipv4.source.address.group:
- access_rule.ipv4.source.port:
- access_rule.ipv4.source.port.any:
- access_rule.ipv4.source.port.name:
- access_rule.ipv4.source.port.group:
- access_rule.ipv4.service:
- access_rule.ipv4.service.any:
- access_rule.ipv4.service.name:
- access_rule.ipv4.service.group:
- access_rule.ipv4.destination:
- access_rule.ipv4.destination.address:
- access_rule.ipv4.destination.address.any:
- access_rule.ipv4.destination.address.name:
- access_rule.ipv4.destination.address.group:
- access_rule.ipv4.schedule:
- access_rule.ipv4.schedule.always_on:
- access_rule.ipv4.schedule.name:
- access_rule.ipv4.users:
- access_rule.ipv4.users.included:
- access_rule.ipv4.users.included.all:
- access_rule.ipv4.users.included.guests:
- access_rule.ipv4.users.included.administrator:
- access_rule.ipv4.users.included.name:
- access_rule.ipv4.users.included.group:
- access_rule.ipv4.users.excluded:
- access_rule.ipv4.users.excluded.none:
- access_rule.ipv4.users.excluded.guests:
- access_rule.ipv4.users.excluded.administrator:
- access_rule.ipv4.users.excluded.name:
- access_rule.ipv4.users.excluded.group:
- access_rule.ipv4.uuid:
- access_rule.ipv4.name:
- access_rule.ipv4.comment:
- access_rule.ipv4.enable:
- access_rule.ipv4.reflexive:
- access_rule.ipv4.max_connections:
- access_rule.ipv4.logging:
- access_rule.ipv4.management:
- access_rule.ipv4.packet_monitoring:
- access_rule.ipv4.priority:
- access_rule.ipv4.priority.auto:
- access_rule.ipv4.priority.manual:
- access_rule.ipv4.tcp:
- access_rule.ipv4.tcp.timeout:
- access_rule.ipv4.udp:
- access_rule.ipv4.udp.timeout:
- access_rule.ipv4.fragments:
- access_rule.ipv4.botnet_filter:
- access_rule.ipv4.connection_limit:
- access_rule.ipv4.connection_limit.destination:
- access_rule.ipv4.connection_limit.destination.threshold:
- access_rule.ipv4.connection_limit.source:
- access_rule.ipv4.connection_limit.source.threshold:
- access_rule.ipv4.flow_reporting:
- access_rule.ipv4.geo_ip_filter:
- access_rule.ipv4.single_sign_on:
- access_rule.ipv4.cos_override:
- access_rule.ipv4.quality_of_service:
- access_rule.ipv4.quality_of_service.class_of_service:
- access_rule.ipv4.quality_of_service.class_of_service.explicit:
- access_rule.ipv4.quality_of_service.class_of_service.map:
- access_rule.ipv4.quality_of_service.class_of_service.preserve:
- access_rule.ipv4.quality_of_service.dscp:
- access_rule.ipv4.quality_of_service.dscp.explicit:
- access_rule.ipv4.quality_of_service.dscp.map:
- access_rule.ipv4.quality_of_service.dscp.preserve:
- API: Access Rules – IPv6
- Endpoint
- Schema Structure
- Object: Access Rules – IPv6
- Collection: Access Rules – IPv6
- Schema Attributes
- access_rule:
- access_rules:
- access_rule.ipv6:
- access_rule.ipv6.from:
- access_rule.ipv6.to:
- access_rule.ipv6.action:
- access_rule.ipv6.source:
- access_rule.ipv6.source.address:
- access_rule.ipv6.source.address.any:
- access_rule.ipv6.source.address.name:
- access_rule.ipv6.source.address.group:
- access_rule.ipv6.source.port:
- access_rule.ipv6.source.port.any:
- access_rule.ipv6.source.port.name:
- access_rule.ipv6.source.port.group:
- access_rule.ipv6.service:
- access_rule.ipv6.service.any:
- access_rule.ipv6.service.name:
- access_rule.ipv6.destination:
- access_rule.ipv6.destination.address:
- access_rule.ipv6.destination.address.any:
- access_rule.ipv6.destination.address.name:
- access_rule.ipv6.destination.address.group:
- access_rule.ipv6.schedule:
- access_rule.ipv6.schedule.always_on:
- access_rule.ipv6.schedule.name:
- access_rule.ipv6.users:
- access_rule.ipv6.users.included:
- access_rule.ipv4.users.included.all:
- access_rule.ipv6.users.included.guests:
- access_rule.ipv6.users.included.administrator:
- access_rule.ipv6.users.included.name:
- access_rule.ipv6.users.included.group:
- access_rule.ipv6.users.excluded:
- access_rule.ipv6.users.excluded.none:
- access_rule.ipv6.users.excluded.guests:
- access_rule.ipv6.users.excluded.administrator:
- access_rule.ipv6.users.excluded.name:
- access_rule.ipv6.users.excluded.group:
- access_rule.ipv6.uuid:
- access_rule.ipv6.name:
- access_rule.ipv6.comment:
- access_rule.ipv6.enable:
- access_rule.ipv6.reflexive:
- access_rule.ipv6.max_connections:
- access_rule.ipv6.logging:
- access_rule.ipv6.management:
- access_rule.ipv6.packet_monitoring:
- access_rule.ipv6.priority:
- access_rule.ipv6.priority.auto:
- access_rule.ipv6.priority.manual:
- access_rule.ipv6.tcp:
- access_rule.ipv6.tcp.timeout:
- access_rule.ipv6.udp:
- access_rule.ipv6.udp.timeout:
- access_rule.ipv6.fragments:
- access_rule.ipv6.botnet_filter:
- access_rule.ipv6.connection_limit:
- access_rule.ipv6.connection_limit.destination:
- access_rule.ipv6.connection_limit.destination.threshold:
- access_rule.ipv6.connection_limit.source:
- access_rule.ipv6.connection_limit.source.threshold:
- access_rule.ipv6.flow_reporting:
- access_rule.ipv6.geo_ip_filter:
- access_rule.ipv6.single_sign_on:
- access_rule.ipv6.cos_override:
- access_rule.ipv6.quality_of_service:
- access_rule.ipv6.quality_of_service.class_of_service:
- access_rule.ipv6.quality_of_service.class_of_service.explicit:
- access_rule.ipv6.quality_of_service.class_of_service.map:
- access_rule.ipv6.quality_of_service.class_of_service.preserve:
- access_rule.ipv6.quality_of_service.dscp:
- access_rule.ipv6.quality_of_service.dscp.explicit:
- access_rule.ipv6.quality_of_service.dscp.map:
- access_rule.ipv6.quality_of_service.dscp.preserve:
- API: Route Policies – IPv4
- Endpoint
- Schema Structure
- Object: Route Policies – IPv4
- Collection: Route Policies – IPv4
- Schema Attributes
- route_policy:
- route_policies:
- route_policy.ipv4:
- route_policy.ipv4.interface:
- route_policy.ipv4.metric:
- route_policy.ipv4.source:
- route_policy.ipv4.source.any:
- route_policy.ipv4.source.name:
- route_policy.ipv4.source.group:
- route_policy.ipv4.destination:
- route_policy.ipv4.destination.any:
- route_policy.ipv4.destination.name:
- route_policy.ipv4.destination.group:
- route_policy.ipv4.service:
- route_policy.ipv4.service.any:
- route_policy.ipv4.service.name:
- route_policy.ipv4.service.group:
- route_policy.ipv4.gateway:
- route_policy.ipv4.gateway.default:
- route_policy.ipv4.gateway.name:
- route_policy.ipv4.gateway.host:
- route_policy.ipv4.uuid:
- route_policy.ipv4.name:
- route_policy.ipv4.disable_on_interface_down:
- route_policy.ipv4.vpn_precedence:
- route_policy.ipv4.auto_add_access_rules:
- route_policy.ipv4.probe:
- route_policy.ipv4.disable_when_probes_succeed:
- route_policy.ipv4.default_probe_state_up:
- route_policy.ipv4.comment:
- route_policy.ipv4.tcp_acceleration:
- route_policy.ipv4.wxa_group:
- API: Route Policies – IPv6
- Endpoint
- Schema Structure
- Object: Route Policies – IPv6
- Collection: Route Policies – IPv6
- Schema Attributes
- route_policy:
- route_policies:
- route_policy.ipv6:
- route_policy.ipv6.interface:
- route_policy.ipv6.metric:
- route_policy.ipv6.source:
- route_policy.ipv6.source.any:
- route_policy.ipv6.destination.name:
- route_policy.ipv6.destination.group:
- route_policy.ipv6.service:
- route_policy.ipv6.service.any:
- route_policy.ipv6.service.name:
- route_policy.ipv6.service.group:
- route_policy.ipv6.gateway:
- route_policy.ipv6.gateway.default:
- route_policy.ipv6.gateway.name:
- route_policy.ipv6.gateway.host:
- route_policy.ipv6.uuid:
- route_policy.ipv6.name:
- route_policy.ipv6.disable_on_interface_down:
- route_policy.ipv6.vpn_precedence:
- route_policy.ipv6.auto_add_access_rules:
- route_policy.ipv6.probe:
- route_policy.ipv6.disable_when_probes_succeed:
- route_policy.ipv6.default_probe_state_up:
- SonicWall Support
Public Key Challenge/Response
The public key exchange utilizes the WWW-Authenticate and Authorization HTTP headers, compliant with the access authentication framework specified in RFC-7235 section 2, and with their auth-scheme specifying SNWL-PK-AUTH.
A client must first invoke a challenge from the firewall by making a request to /api/sonicos/auth. Any method can be used for this, but it is suggested that a POST be used if the override parameter is to be set, or otherwise a HEAD request since no request data content is involved. This solicits a response as follows:
HTTP/1.0 401 Unauthorized
Server: SonicWall
WWW-Authenticate: SNWL-PK-AUTH type=RSA, key="..."
An exception for authentication is with CHAP authenticated via RADIUS, but it is not compatible with then doing session security.
The client will then need to resend the request to /api/sonicos/auth with an Authorization header as follows:
Authorization: SNWL-PK-AUTH user="admin", data="..."
The content of the key field in the challenge is the RSA public key, in ASN.1 type RSAPublicKey format (see RFC-3447 section A.1.1) and base64-encoded. This is what comes between the BEGIN and END markers in an RSA key in a .pem file, concatenated into a single line (with the BEGIN/END markers not included). For example with this RSA key:
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdzKnaH+K2kfpHE2U7SDsbZMpd
Qu8vEYIdDlqrQx7BzQpfBGVy5CbTsJn+RiGPNYjtFAL+7Qux4wqc6aOnpWJoY/
BiBmoEKRumBOd2VJBr599yllfqQbXPwQEd9euWTlvaD7G+OhIWFMCnPRIOFkZxwc
1v+Aqq8FY/A/nMYPYwIDAQAB
-----END PUBLIC KEY-----
It would be the string “MIGfMA0G...YwIDAQAB”. The client can take this string and save it as a .pem file, enclosed in ----- BEGIN PUBLIC KEY----- / -----END PUBLIC KEY----- header/footer. That can then be used with openssl’s command-line RSA utility to encrypt a password using openssl by either of:
echo -n password | openssl rsautl -encrypt -pubin -inkey key-file.pem | base64 -w 0
echo -n password | openssl pkeyutl -encrypt -pkeyopt rsa_padding_mode:pkcs1 -pubin \ -inkey key-file.pem | base64 -w 0
Or if PKCS#1 v2.0 OAEP padding is selected (see below) by any one of:
echo -n password | openssl rsautl -encrypt -oaep -pubin -inkey key-file.pem | base64 -w 0
echo -n password | openssl pkeyutl -encrypt -pkeyopt rsa_padding_mode:oaep -pubin \ -inkey key-file.pem | base64 -w 0
echo -n password | openssI pkeyutI -encrypt -pkeyopt rsa_padding_mode:oaep -pkeyopt \ rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256 -pubin _inkey key-file.pem | base64 -w 0
The “openssl rsautl” is now deprecated and using “openssl pkeyutl” is preferred. In the case of OAEP, the first two forms above both use SHA-1 for the hashes in the OAEP padding, and the third form needs to be used for other hashing methods (such as SHA-256, as in the above example). Note that the latter is not supported in all SonicOS version.
The data field in the response holds the cipher data (encrypted password), base64-encoded (as output by the above commands).
The string could be piped through "fold -w 64" to break it into 64-character lines, as in the example above, but that is not necessary and a .pem file with a single long line between the header/footer lines works fine.
The following is an example bash script to send a public key authentication request to the firewall, extract the public key from the WWW-Authenticate challenge in the reply, use that to encrypt the password (with OAEP padding using SHA-256) and then send the response back to the firewall:
curl -k -i -s -X POST https://$ADDR/api/sonicos/auth | grep 'WWW-Authenticate: SNWL-PK-AUTH' \
| sed -e 's/^.*key="/-----BEGIN PUBLIC KEY-----\n/' \ -e 's/"/\n-----END PUBLIC KEY-----/' >pk.pem
CIPHER=$(echo -n "$PASSWORD" | openssl pkeyutl -encrypt -pkeyopt rsa_padding_mode:oaep \
-pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256 -pubin -inkey pk.pem \
| base64 -w 0)
curl -k -i -s -H 'Authorization: SNWL-PK-AUTH user="'$USERNAME'", data="'$CIPHER'"' \
-X POST https://192.168.168.32/api/sonicos/auth
Was This Article Helpful?
Help us to improve our support portal