
GetNetworkFirewallPolicy - not everything in output #142

Closed
jbcintra opened this issue Sep 29, 2022 · 13 comments
Labels
Networking Issue pertains to the Networking service

Comments

@jbcintra

Hi, I've used the SDK to audit an OCI native Palo Alto firewall, to pull its config. In checking with our firewall team and producing, it is missing a range of child data in the Policy object - Application list only has the protocol list not ports, URL lists are showing Allow only, not the URLs that have been input.

Testing the API itself via the CLI "oci network-firewall network-firewall-policy get --network-firewall-policy-id **** --profile ****" returns all of the child data, with min/max ports/types for Applications, all Security Rule config, url lists etc.

For UrlLists the JSON object output is showing "Allow": [{}, {}, {}, {}], which gives the right quantity of URLs, just not the values. Is there some additional command/option that's needed for it to pull all of the other data??? I also extract the full loadbalancer configs, which are way more complex/deeper layers, in a single call without issue.

@github-anurag (Member)

@jbcintra
We will take a look into this.
On another note, I see that you provided a profile parameter in the CLI command. Did you use the same profile while running the operation via the Dotnet SDK?

@jbcintra (Author)

@github-anurag
Yes it's the same profile used in both. I've run it in 45.0.0 and 45.1.0, with the same result. I browsed the object in debug mode, so it's not just a json output issue. The properties were empty there too.

@jbcintra (Author)

Just checked again: the CLI profile is my account, the SDK is an audit account, used for everything in OCI, and can read most of the policy object. I'll switch and check in case there are further permissions to apply for FW policy child objects??

@github-anurag (Member)

@jbcintra
If that doesn't still work, can you enable TRACE logging to see if the Service sends the info in the response?

See Enabling Logging section at : https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/dotnetsdkgettingstarted.htm

@jbcintra (Author)

Just checked with the audit user keys in the CLI (which the SDK uses) and it shows everything in the output.

@jbcintra (Author)

@github-anurag
I will split some code out into its own mini project to add NLog/tracing, as I can't just add that into this entire project.

@github-anurag (Member)

@jbcintra
I got it working in my local setup. Getting the info from a C# response involves a lot more work compared to a CLI response unfortunately.

Can you try modifying how you use the response a bit to match what I have :-

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Oci.Common.Auth;
using Oci.NetworkfirewallService;
using Oci.NetworkfirewallService.Models;
using Oci.NetworkfirewallService.Requests;

// The posted snippet was a fragment that assumed client, provider, logger and
// policyId already existed; the surrounding class and Main are added so it compiles.
public class NetworkFirewallPolicyDump
{
    private static readonly NLog.Logger logger = NLog.LogManager.GetCurrentClassLogger();

    public static async Task Main()
    {
        var policyId = "POLICY-ID-OCID"; // placeholder: the OCID of the policy to read
        var provider = new ConfigFileAuthenticationDetailsProvider("DEFAULT");
        NetworkFirewallClient client = null;

        using (client = new NetworkFirewallClient(provider))
        {
            var response = await client.GetNetworkFirewallPolicy(
                new GetNetworkFirewallPolicyRequest
                {
                    NetworkFirewallPolicyId = policyId
                }
            );

            // ApplicationLists maps a list name to a list of Application objects.
            // The concrete subtype (UdpApplication, ...) decides which properties
            // exist, so the port range is only reachable after a type check.
            logger.Info("\nApplicationLists:");
            foreach (var applist in response.NetworkFirewallPolicy.ApplicationLists)
            {
                logger.Info("=============================");
                logger.Info($"App Name: {applist.Key}");
                foreach (var app in applist.Value)
                {
                    if (app is UdpApplication udpapp)
                    {
                        logger.Info($"Max Port: {udpapp.MaximumPort}");
                        logger.Info($"Min port: {udpapp.MinimumPort}");
                    }
                }
            }

            // IpAddressLists is a plain name -> list of strings map, so no cast is needed.
            logger.Info("\nIpAddressLists:" + string.Join(", ",
                response.NetworkFirewallPolicy.IpAddressLists.Select(
                    pair => $"{pair.Key} => {string.Join(", ", pair.Value)}")));

            logger.Info("\nSecurityRules: ");
            foreach (var securityRule in response.NetworkFirewallPolicy.SecurityRules)
            {
                logger.Info("=============================");
                logger.Info($"Security Rule Name: {securityRule.Name}");
                logger.Info($"Security Inspection: {securityRule.Inspection}");
                logger.Info($"Security Action: {securityRule.Action}");
            }

            // UrlLists values are UrlPattern objects; the pattern text lives on the
            // SimpleUrlPattern subtype, so the value is read after a type check
            // rather than an unconditional cast that would throw on another subtype.
            logger.Info("\nURL List:");
            foreach (var url in response.NetworkFirewallPolicy.UrlLists)
            {
                logger.Info("=============================");
                logger.Info($"URL: {url.Key}");
                foreach (var urlpat in url.Value)
                {
                    if (urlpat is SimpleUrlPattern simplePattern)
                    {
                        logger.Info($"Pattern: {simplePattern.Pattern}");
                        logger.Info($"Type: {simplePattern.GetType()}");
                    }
                }
            }
        }
    }
}
```

@jbcintra (Author)

@github-anurag
Hi, output from NLog attached. I also browsed the returned object in memory, still missing content.

```text
2022-09-29 17:20:58.1583||INFO|cintra_oci_extract_sdk_featuretests.TestOciNetworkFirewall|FW: Firewall-TEST
2022-09-29 17:20:58.1583||TRACE|Oci.Common.RegionalClientBase|Called getNetworkFirewallPolicy
2022-09-29 17:20:58.1583||DEBUG|Oci.Common.Converter|Adding path parameter networkFirewallPolicyId: ocid1.networkfirewallpolicy.oc1.phx.*****
2022-09-29 17:20:58.1804||DEBUG|Oci.Common.Http.RestClientHandler|Dumping HttpRequest:
Method: GET, RequestUri: 'https://network-firewall.us-phoenix-1.ocs.oraclecloud.com/20211001/networkFirewallPolicies/ocid1.networkfirewallpolicy.oc1.phx.', Version: 1.1, Content: , Headers:
{
Accept: application/json
User-Agent: Oracle-DotNetSDK/45.1.0
User-Agent: (Win32NT/10.0.19044.0; .NET 5.0.17)
Date: Thu, 29 Sep 2022 16:20:58 GMT
Host: network-firewall.us-phoenix-1.ocs.oraclecloud.com
Authorization: Signature version="1",headers="date (request-target) host",keyId="ocid1.tenancy.oc1..
/ocid1.user.oc1..*****/{fingerprint}",algorithm="rsa-sha256",signature="{signature}"
}
2022-09-29 17:20:58.6248||DEBUG|Oci.Common.Http.RestClient|Dumping HttpResponse:
StatusCode: 200, ReasonPhrase: 'OK', Version: 1.1, Content: System.Net.Http.HttpConnectionResponseContent, Headers:
{
Date: Thu, 29 Sep 2022 16:20:59 GMT
opc-request-id: /5498376F42ED93D8E5BA5AA5A67FDC8B/A0B289C9FDA88977626BCD85C730DB4A
ETag: 1479e4fee79db0709bae47c3917893efcfa77d7a79ab1970c09b3b4575205756
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Content-Type: application/json
Content-Length: 3386
}
2022-09-29 17:20:58.6248||DEBUG|Oci.Common.RegionalClientBase|Total Latency for this API call is: 450 ms
2022-09-29 17:20:58.6248||DEBUG|Oci.Common.Converter|Setting property value from header etag
2022-09-29 17:20:58.6248||DEBUG|Oci.Common.Converter|Setting property value from header opc-request-id
2022-09-29 17:21:41.3928||INFO|cintra_oci_extract_sdk_featuretests.TestOciNetworkFirewall|Policy: Firewall_TEST_Policy_B
2022-09-29 17:21:41.3928||INFO|cintra_oci_extract_sdk_featuretests.TestOciNetworkFirewall|TestOciNetworkFirewall Ended
```

@jbcintra (Author)

@github-anurag
Hi, just saw your answer appear as I posted my output... I'll look to add that, so it specifically needs additional calls to get the data. Be good to get that into the online example, or notes on the API docs that extra calls are needed.

Will test now, thanks!

@github-anurag (Member)

@jbcintra
The examples at GetNetworkFirewallPolicy are currently auto-generated and are just for helping with initial setup.

@github-anurag github-anurag added the SDK Issue pertains to the SDK itself and not specific to any service label Sep 29, 2022
@jbcintra (Author)

@github-anurag
Hi, I was able to replicate that and see the Url values in the object now. I realised, we'd spoken on a similar topic some time ago, issue 121, where for ObjectStorage, I had to call FieldsEnum method to tell it to enumerate properties & load them.

So the object has the values in it, I've just got to get the JsonConverter to handle them properly and output to file!

@jbcintra (Author)

@github-anurag
Hi, I've solved it... I switched from System.Text.Json to Newtonsoft.Json.

Then changed the serialize code to Newtonsoft syntax.

The Newtonsoft SerializeObject command enumerates all of the dictionaries, populates and outputs them!!

Thanks for your help on this, it got me working in the right direction.

@github-anurag (Member)

@jbcintra
Glad to know it got resolved. That is a good approach if we just want the JSON output.

Also for Object Storage issue 121: that was a decision made by the Service team to make calls efficient and only return the info when the fields were sent to them. That was an issue in all SDKs/CLIs.

This issue is there because C# is a strongly typed language, so we need to convert it back to a JSON string.

Providing the solution mentioned here for reference:-

```csharp
using System;
using System.Threading.Tasks;
using Oci.Common.Auth;
using Oci.NetworkfirewallService;
using Oci.NetworkfirewallService.Requests;
using Newtonsoft.Json;

namespace Oci.Examples
{
    public class NetworkfirewallExample
    {
        private static NLog.Logger logger = NLog.LogManager.GetCurrentClassLogger();

        public static async Task Main()
        {
            logger.Info("Starting example");
            NetworkFirewallClient client = null;

            try
            {
                var policyId = "POLICY-ID-OCID"; // placeholder: the OCID of the policy to read
                // Reads the DEFAULT profile from the OCI config file (~/.oci/config).
                var provider = new ConfigFileAuthenticationDetailsProvider("DEFAULT");
                using (client = new NetworkFirewallClient(provider))
                {
                    var response = await client.GetNetworkFirewallPolicy(
                        new GetNetworkFirewallPolicyRequest
                        {
                            NetworkFirewallPolicyId = policyId
                        }
                    );

                    // Newtonsoft serializes each element by its runtime type, so the
                    // derived-type properties (ports, URL patterns) appear in the output.
                    string json = JsonConvert.SerializeObject(response, Formatting.Indented);
                    logger.Info($"\nOutput:-");
                    logger.Info(json);

                }
            }
            catch (Exception e)
            {
                logger.Error($"Failed NetworkfirewallExample: {e.Message}");
            }
        }
    }
}
```
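As an added illustration (not code from the thread or the OCI SDK) of why the serializer switch above worked: hypothetical stand-in types mimic the SDK's UrlPattern/SimpleUrlPattern hierarchy and the same object is written with both serializers. It assumes the Newtonsoft.Json package is referenced; the class names and sample URLs are constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using Newtonsoft.Json;

// Hypothetical stand-ins for the SDK's UrlPattern / SimpleUrlPattern types: the base
// type exposes no public properties, the derived type carries the actual URL pattern.
public abstract class UrlPattern { }

public class SimpleUrlPattern : UrlPattern
{
    public string Pattern { get; set; }
}

public class PolicyStub
{
    // Declared element type is the base class, as in the SDK's UrlLists dictionary.
    public Dictionary<string, List<UrlPattern>> UrlLists { get; set; }
}

public static class SerializerComparison
{
    // Constructed sample data: two patterns in an "Allow" list.
    public static PolicyStub BuildSample() => new PolicyStub
    {
        UrlLists = new Dictionary<string, List<UrlPattern>>
        {
            ["Allow"] = new List<UrlPattern>
            {
                new SimpleUrlPattern { Pattern = "example.com" },
                new SimpleUrlPattern { Pattern = "*.example.org" }
            }
        }
    };

    public static void Main()
    {
        var policy = BuildSample();

        // System.Text.Json writes only the properties of the declared element type
        // (UrlPattern, which has none), so each entry becomes an empty object: the
        // "Allow": [{}, {}] shape reported at the top of the thread.
        Console.WriteLine(System.Text.Json.JsonSerializer.Serialize(policy));

        // Newtonsoft.Json inspects the runtime type (SimpleUrlPattern), so the Pattern
        // values are written out, which is why switching serializers fixed the extract.
        Console.WriteLine(JsonConvert.SerializeObject(policy, Formatting.Indented));
    }
}
```

For an audit extract this matters because the data loss is silent: the file has the right number of entries but no rule content, so a sanity check that no list element serialized to an empty object is worth adding before the output is trusted.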

@jodoglevy jodoglevy added Networking Issue pertains to the Networking service and removed SDK Issue pertains to the SDK itself and not specific to any service labels Oct 2, 2022