SonicOS-API 6.5 Geo-IP
CTaylor
Newbie ✭
Is there an issue with the /geo-ip endpoint?
I am able to get this endpoint to work as documented for 7.0 devices but cant seem to get it to work in 6.5 with documentation.
Using a TZ300 on SonicOS Enhanced 6.5.4.8-89n for testing but have looked at other models/firmware and seems to be the same.
If I try to follow the links to API documentation it takes me to 7.0 documentation but that doesn't work.
If I use an older firmware version in the URL I get the 6.5 documentation but the endpoint is not working as expected.
GET is not returning all fields listed.
Example of missing data:
- geo_ip/block/connections
- geo_ip/block/database_not_downloaded
PUT unable to set with body documented
{
"geo_ip": {
"logging": true,
"block": {
"connections": {
"all": true
},
"countries": {
"unknown": false
},
"country": [
{
"name": "Anonymous Proxy/Private IP"
},
{
"name": "Satellite Provider"
}
]
},
"custom_list": {
"enable": true,
"override_countries": true
}
}
}
Am I just doing something wrong or is there an issue with this endpoint/documentation on 6.5 or this firmware version?
Category: Developer Hub
0
Answers
Hi @CTaylor,
I’ll take a deeper look tomorrow, but from a quick test on my end using a TZ 400 running 6.5.4.8, I am seeing those items you noted were missing in your firewall’s response data. That was the case until I disabled Geo-IP. From then on, I am missing some of the expected data in the response—even after re-enabling Geo-IP.
Hello @CTaylor,
Even after working with the firewall for a while and subsequently rebooting it, I couldn't get the API response to include the missing details. I was very confident I saw the details previously in the API response as I mentioned yesterday, but now I'm questioning my sanity 😃. I reported the behavior to our Engineering team.
Thanks!
Thank you for looking into this issue @Jaime. I anxiously await a resolution.
Hi @CTaylor,
Engineering addressed the issue and targeted the fix for an upcoming 6.5.4.x Maintenance Release.
Thanks.
Jaime
After updating to the 6.5.4.13-105n firmware I am not able to get all expected fields with a GET to
/geo-ipI am still having issues with PUT. I am unable to enable\configure geo-ip settings. Getting a (400) Bad Request error.
Here is a sample of what I am PUT'n
PUT
https://<SONICWALL>/api/sonicos/geo-ip{ "geo_ip": { "logging": true, "block": { "connections": { "all": true }, "countries": { "unknown": false }, "country": [ { "name": "Anonymous Proxy/Private IP" }, { "name": "Satellite Provider" } ] }, "custom_list": { "enable": true, "override_countries": true } } }After updating to the 6.5.4.13-105n firmware I am
notable to get all expected fields with a GET to /geo-ipSorry I AM able to get information from GET endpoint /geo-ip. Things look to be fixed with the GET but still having issues modifying settings.
Hi @CTaylor, can you confirm the JSON you received from the GET? I just want to make sure the JSON is complete. I'm not seeing any evidence that the fix made it into a release. I'm trying to get confirmation. Going with the assumption that the GET is incomplete, if you PUT back a modified version of what you GET, it would likely fail since the initial GET was incomplete. I'm booting 6.5.4.13 on my TZ 400 to try it out myself.
Just got a confirmation the fix is not in 6.5.4.13.
You are correct I was mistaken. Notes in code differed from what I posted.
I am still missing the information referenced.
Bellow is the info referenced.
{ "geo_ip": { "block": { "countries": "@{unknown=False}" }, "logging": false, "exclude": { "group": "Default Geo-IP and Botnet Exclusion Group" }, "include": { "block_details": true }, "alert_text": "This site has been blocked by the network administrator.", "logo_icon": { "data": "data:image/gif;base64,R0lGODlhlgAoALMAAPHw8Dw8PNLS06mqqpSVlvRvJvqaZfu2j3V1doSEhuHh4rm6uv3Uv8TFxWVmaP///yH5BAAAAAAALAAAAACWACgAAAT/8MlJKSAuo1XnRdoAdMLQSYojTAlxKgToIIQiLbNbJeBINbkfgnZ68BLFGMI3GSwGuqLUk1k0FhhkBecgDAaJzIoicHA6qcbEoaUMMolv2PxIZZj1DJ0iO0vmDngTIAhFc4ICV1FTUkMVCiZuDiIUCmFqE3ZjlQ6YDwhtEhiUFBh/VZJwFnqcepEVIKGldx2CjEWdjGWvO4GZejacnqAUOH6PI1yhgL43GYtveoUdYbITGM232hSTjI5SXb8NYXhpg6FstwB6PnZ6fnObn2zY8hKxSbTb+w8Y9sJTTKFwYCMDwHttyvw7ge0Mlxjp8swgg+oZtYgdsNniF/BZA0FA/4IVCTmQQ4o25u5FebOxA5CIhzQ+4MJL5iFYGCvI5LhPADY2InG0lEAyD6YyOlJ+avNmH6sHFrlwmCMSasSXx4zknJWN5z4AC0AEK1pE6EBPQEwoJeZsqE4xZXLZIbBu4gSsAADYkYWPoT6vPL+t43VRnKQVuRD+yiolboKbWmlkiATgQIHLmDMbMMDg3tZrfwHzw8HCQeM9Rt/iGLYIxD4ZFp3p8WUgs+3aRAZ9FmVQ9BTGWqlMe5RTaWkV5zgtKoYnmhgqepBYtl2As4SnpxAo0KtAJLbu27f75oZ8wupWHyUAeLPkIM5NbO/OkCfAdavex3NRP1Ah2rDZemDy0/9shIlmCRx91MJMbJwAt44fdpEhwxAaVOVZOMWw80BtmNlS13AAvnNKiMuNBwkBXlhYCRZObATJQg8IsIkTRZSA4gAwljCAhevR+AADmHV2whOkEEnkF2N94YSSMI7n5JNQdsChW1FWaeWV49VmAJZcduklT5bx9+WYZJb5YwFimqnmmlEeICSbcMYp55x01mnnnXjmqeeefPbp55+ABirooGvmReg2VHq1wDENNDleGEWAlaKTF6jIyAKWMhJHP45+hUAAwxQIZQy4EFDCcL516lIA1tyyqQCJarNOAgH4gICoDzQQgG88nKArlxto81itHG1apQq9fhKJTzjm+mn/DZE0esMIzGLSKI6mQCKSAAHsWAkUaHmxwgIjrFdHAw2IsCN7OGKiQFYK7IqhAuh6Ue6OKAbjxUw2nEhurunWoB4U/56oxjqw0nHrA28kEgCsAwTQHbEBLJECwyoAwQEIH/EQL2ERB+BLCgvs0g9BAywx8q661gCAxLvQ64uxa7igazLdllBrvAkk0s2mCn+EolU+53WrAAlgasYuCOcqMdAffeD0dYveAcYDD0vArbKiiJzjHQQkkBcQ64hUdh21/iqBxJ9wgPDZmUg8QrczNcPGyz6UYYQJdJQRQMWfuFA2adeIDQDZ5c0hwgw8DK32ArQymwvbaLfdNWon1EoA4augJJACE59X3sA0L9sQbD8EjL4DKJ2bFhYL2u2qtWn7ghrvCkBYDtWppXD+2O6D0J1sAmqo/bJp3MqeLDEICLgE3fKNgAEAZYzwBVSFQAKVGpuDNRzbe8SLOdwPlK4rB9wKEK8OxEAdb0GFnK5CvGqUXD3DfG/yciSbB6DDOqDiGlT+1z8tEE8UhdifB2jFqmAs4G/NYKALkre5XLWBbbqSnQOI1QTTUKAFXPjbCtb3Nx3sKxchS5kRMIGAEUKwfhCM1aFcVaKyoKpyM/wT3rahukrILod82hyufCWLeI0pAgA7" }, "custom_list": { "enable": false, "override_countries": false } } }We are almost a year from the original post should I assume a these 6.5 API issues are never making it to a maintenance release?
I still have hundreds of these 6.5 devices that I have to manage and they are all still under Software and Firmware support.
Do I just need to rely on cli commands to do a lot of these functions? I don't want to go back to cli hell ;(
Unfortunately, since the Gen6 API is technically not complete, the CLI is sometimes the only way to accomplish the task. The /direct/cli endpoint provides an entry for CLI commands over the API. I understand it isn't ideal, but it is a potential workaround that could help you accomplish the task in the short term. I've shared your comments and this thread for visibility.