REST API and PowerShell Cmdlets
I need to make changes to about 20 firewall rules:
Turn logging off, but enable logging for reports
The names for these rules follow a standard, and have a tag.
I would love to be able to just go:
$NeedChanged = Get-WatchguardPolicy | Where {$PSItem.Name -like "branche*" }
Foreach ($policy in $needchanged){
Set-WatchguardPolicy -Name $Policy.name -Logging:$false -LoggingForReports:$true
}
This should cover both single devices (Firebox) and devices managed through the management server.
Get-WatchguardPolicy could rely on an object that was captured before.
For instance with "$FW = Get-Firebox -Host 10.0.1.1 -Admin readwrite -Status readread"
And $FW could then also be a collection (array) of multiple objects / fireboxes
Then we could do something like:
Get-WatchguardPolicy -FireboxObj $FBArray | Set-WatchguardPolicy -Logging:$false -IPS:$true -WebBlockerPolicy "Default Webblocker"
PowerShell cmdlets would/could rely on a full REST implementation; the latter would allow others to build upon it as well.
WatchGuard has some unique selling points, but it's things like these that could make a lot of IT nerds incredibly interested in working with WatchGuard products.
Even though WSM already allows much faster alterations of configs than the competition, it's still not as fast as it could be. Now imagine being able to do this on 20 devices that you manage, and building scripts with conditions etc.
Comments
I really like this idea, but it is a double-edged sword. Imagine how fast your entire network would go down with a single typo. Having managed a very large network of UNIX servers through remote shell scripts, I have lived through the horror of the "one simple mistake". (Old UNIX admins will remember that sick feeling when you realise, after pressing the enter key, that there is a space in the path name of your rm -r command...)
If WatchGuard were to go down this path, I would like to see an overarching reversal or panic button to revert to a previous working configuration.
Adrian from Australia
I understand what you are saying, and both agree and disagree.
If you need to change 1 AD user's name, you just use the ADUC GUI and click some buttons.
If you need to make alterations to 2000 AD accounts you script it.
It's also very easy, probably even easier, to make mistakes when using a GUI, because you have to manually repeat the same action. I've had my share of 'click click change click write... oh shit' moments.
It's an option, not a mandatory use.
And I believe this could be an important, maybe even necessary, step for WatchGuard if they want to maintain / gain an edge over their competition.
I see more and more switch manufacturers, for instance, offering something like a REST API for switch management. It won't be long until, for instance, Juniper decides to also put this in their firewalls. Cisco and HPE both have APIs for their switch lineups.
You mention an "undo" option.
This is something that WatchGuard could sort of implement by differentiating between running and boot config, where you could implement something like an automatic reboot after a certain period unless you cancel the scheduled reboot. That is what I do on routers or switches if I'm uncertain of the outcome.
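As an added example (not code from the original post, and not WatchGuard's own cmdlets or API), this is how the proposed Set-WatchguardPolicy pipeline could be built with -WhatIf / -Confirm and an undo, the safety net Adrian asks for above. All cmdlet names are hypothetical, and a constructed in-memory policy list stands in for the REST calls so it runs offline.

```powershell
# Constructed in-memory stand-in for a Firebox policy store (no REST calls)
$script:MockPolicies = @(
    [pscustomobject]@{ Name = 'branche-amsterdam'; Logging = $true; LoggingForReports = $false }
    [pscustomobject]@{ Name = 'branche-utrecht';   Logging = $true; LoggingForReports = $false }
    [pscustomobject]@{ Name = 'any-to-dmz';        Logging = $true; LoggingForReports = $true  }
)
$script:Snapshots = [System.Collections.Generic.Stack[object]]::new()

function Get-WatchguardPolicy {
    [CmdletBinding()]
    param([string]$Name = '*')
    # Hand out copies so callers cannot mutate the store behind the cmdlet's back
    $script:MockPolicies | Where-Object Name -like $Name | ForEach-Object { $_.PSObject.Copy() }
}

function Set-WatchguardPolicy {
    # SupportsShouldProcess gives -WhatIf / -Confirm, i.e. a dry run before a mass change
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$Name,
        [switch]$Logging,
        [switch]$LoggingForReports
    )
    process {
        $target = $script:MockPolicies | Where-Object Name -eq $Name
        if (-not $target) { Write-Error "No policy named '$Name'"; return }
        if ($PSCmdlet.ShouldProcess($Name, "Logging=$Logging LoggingForReports=$LoggingForReports")) {
            # Snapshot before touching anything so Undo-WatchguardPolicy can roll back
            $script:Snapshots.Push($target.PSObject.Copy())
            if ($PSBoundParameters.ContainsKey('Logging'))           { $target.Logging = [bool]$Logging }
            if ($PSBoundParameters.ContainsKey('LoggingForReports')) { $target.LoggingForReports = [bool]$LoggingForReports }
        }
    }
}

function Undo-WatchguardPolicy {
    # Reverts the most recent change(s): a crude form of the 'panic button' asked for above
    param([int]$Count = 1)
    for ($i = 0; $i -lt $Count -and $script:Snapshots.Count -gt 0; $i++) {
        $old  = $script:Snapshots.Pop()
        $live = $script:MockPolicies | Where-Object Name -eq $old.Name
        $live.Logging = $old.Logging
        $live.LoggingForReports = $old.LoggingForReports
    }
}

# Dry run first, then apply to the two 'branche*' policies, then roll both changes back
Get-WatchguardPolicy -Name 'branche*' | Set-WatchguardPolicy -Logging:$false -LoggingForReports:$true -WhatIf
Get-WatchguardPolicy -Name 'branche*' | Set-WatchguardPolicy -Logging:$false -LoggingForReports:$true -Confirm:$false
Undo-WatchguardPolicy -Count 2
```

Against a real device the body of Set-WatchguardPolicy would become an authenticated REST call, and the snapshot would be the policy as fetched before the change rather than an in-memory copy.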
Hi @Rolf
We do offer some management via API for devices managed via WatchGuard cloud.
I'd suggest taking a look at the following documentation:
(WatchGuard API Documentation)
https://www.watchguard.com/help/docs/api/Content/en-US/home.html
(Enable API Access)
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/WG-Cloud/mngd-access_enable-API-access.html
-James Carson
WatchGuard Customer Support