
Function list_firewallrules returning empty #259


Olivier6767 opened this issue Jan 8, 2025 · 7 comments


@Olivier6767

Olivier6767 commented Jan 8, 2025

Using Unifi_Api_Client version 2.0.4 with a UDM Pro running Unifi OS 4.1.13 and Unifi Network Application 9.0.108.

I have switched the firewall to use the new Zones model.
I had a few custom firewall rules before the switch. These rules still exist after the switch. They have ID 10000 and 10001.
When using list_firewallrules, it comes up empty. This was working before.

I checked with the latest API Browser but it returns empty as well.

Can this be fixed?

@Olivier6767 Olivier6767 changed the title list_firewallrules Function list_firewallrules returning empty Jan 8, 2025
@malle-pietje
Collaborator

TBH I have not yet spent time on the new Zone-based firewall and what implications are when migrating to it. I may be able to spend some time on this in the coming weeks, otherwise maybe someone else can chip in?

@huglester

Maybe you had time to look into this?
Thanks.

@thib3113

Hi,

I got this problem, and here is the way I do it (in nodejs).

-> First retrieve /proxy/network/v2/api/site/<site>/site-feature-migration; it will return something like:

[
    {
        "_id": "678e2e683452b52d7bd2845c",
        "feature": "ZONE_BASED_FIREWALL",
        "timestamp": 1744317485150
    }
]

-> If you find a feature ZONE_BASED_FIREWALL you need to call zones, else firewallrules (unifiOS seems to support zones, but not unifi network).

-> then you can call /proxy/network/v2/api/site/<site>/firewall/zone to get the zones

[
    {
        "_id": "67822f683c52d52deba373c6",
        "attr_no_edit": false,
        "default_zone": true,
        "name": "Internal",
        "network_ids": [
            "678e2e683452b52d7bd2845q"
        ],
        "zone_key": "internal"
    }
]

-> then you can get/post/put/delete firewall-policies on /proxy/network/v2/api/site/<site>/firewall-policies

In case, I use it here (in nodejs): https://github.com/thib3113/unifi-blockips-srv/blob/main/src/Blocker.ts#L40-L78

@huglester

Using simple curl queries, these are 3 useful endpoints:

curl -s -k -b cookies.txt https://192.168.101.254/proxy/network/v2/api/site/default/trafficrules | jq -r .
curl -s -k -b cookies.txt https://192.168.101.254/proxy/network/v2/api/site/default/nat | jq -r .
curl -s -k -b cookies.txt https://192.168.101.254/proxy/network/api/s/default/rest/portforward | jq -r .

I am now searching for a method to disable a "NAT" rule via the API.

@huglester

I believe this issue solves it? #216

@malle-pietje
Collaborator

Found some time to look into this. For complete listings of firewall policies you appear to need a combination of data returned by these 3 routes:
Firewall Policies:
https://IP_ADDRESS/proxy/network/v2/api/site/default/firewall-policies

Firewall Zones:
https://IP_ADDRESS/proxy/network/v2/api/site/default/firewall/zone

Firewall Zone Matrix:
https://IP_ADDRESS/proxy/network/v2/api/site/default/firewall/zone-matrix

For now developers can use the custom_api_request() method in the Client class. I will try to add methods for these routes/endpoints as soon as I have the time. I will then also look into adding the methods needed to add/edit/delete firewall policies which could be an interesting challenge...

PS: it seems to be expected that list_firewallrules() returns an empty array when you have ZBF enabled. Makes sense I guess.
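The migration check thib3113 describes and the three-route join malle-pietje lists, as an added example (not code from this thread or from the UniFi API client project). The payloads are constructed samples in the shapes quoted above; the firewall-policy fields used for the join (`source.zone_id`, `destination.zone_id`, `name`, `action`, `enabled`) are assumed, since the thread does not show a policy object.

```javascript
// Added example: decide whether a site has migrated to the Zone-Based
// Firewall and, if so, join firewall policies with zone names.
// Policy field names (source.zone_id, destination.zone_id, name, action,
// enabled) are ASSUMED; the thread only shows the migration and zone shapes.

const ZBF_ROUTES = Object.freeze({
  policies: '/proxy/network/v2/api/site/<site>/firewall-policies',
  zones: '/proxy/network/v2/api/site/<site>/firewall/zone',
  zoneMatrix: '/proxy/network/v2/api/site/<site>/firewall/zone-matrix',
});

// Given the array returned by .../site-feature-migration, report whether the
// site runs ZBF. On such a site an empty list_firewallrules result is expected.
function hasZoneBasedFirewall(migrations) {
  if (!Array.isArray(migrations)) return false;
  return migrations.some((m) => m && m.feature === 'ZONE_BASED_FIREWALL');
}

// Pick what a client should query: the legacy firewall rules call when no
// migration is recorded, otherwise the three v2 zone/policy routes.
function selectFirewallRoutes(migrations) {
  return hasZoneBasedFirewall(migrations)
    ? { model: 'zones', routes: { ...ZBF_ROUTES } }
    : { model: 'firewallrules', routes: {} };
}

// Resolve zone ids to names so a listing reads "External -> Internal".
// Unknown ids stay visible instead of being dropped, which matters when
// auditing which traffic a policy actually governs.
function joinPoliciesWithZones(policies, zones) {
  const zoneName = new Map(zones.map((z) => [z._id, z.name]));
  const label = (id) => zoneName.get(id) ?? `unknown-zone(${id})`;
  return policies.map((p) => ({
    id: p._id, name: p.name, action: p.action, enabled: p.enabled,
    from: label(p.source?.zone_id), to: label(p.destination?.zone_id),
  }));
}

// Constructed sample payloads (ids are made up; shapes follow the thread).
const SAMPLE_MIGRATIONS = [
  { _id: 'mig-1', feature: 'ZONE_BASED_FIREWALL', timestamp: 1744317485150 },
];
const SAMPLE_ZONES = [
  { _id: 'zone-int', attr_no_edit: false, default_zone: true, name: 'Internal', network_ids: ['net-1'], zone_key: 'internal' },
  { _id: 'zone-ext', attr_no_edit: false, default_zone: true, name: 'External', network_ids: [], zone_key: 'external' },
];
const SAMPLE_POLICIES = [
  { _id: 'pol-1', name: 'Block inbound', action: 'BLOCK', enabled: true, source: { zone_id: 'zone-ext' }, destination: { zone_id: 'zone-int' } },
  { _id: 'pol-2', name: 'Orphaned policy', action: 'ALLOW', enabled: false, source: { zone_id: 'zone-int' }, destination: { zone_id: 'zone-gone' } },
];
```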

@malle-pietje
Collaborator

> I believe this issue solves it? #216

IMHO this isn't related to the OP's question.
