
Creating ACLs via Rest API

Started by David Gomez, 20 April 2017 - 10:18 PM
1 reply to this topic

David Gomez Members


Posted 20 April 2017 - 10:18 PM

I'm trying to create a test ACL using Python:

 Here is my code:

import requests

def login():
    # Declare the global before assigning so create_acl() can read the token
    global nitro_auth
    url = 'http://netscalerip.prod/nitro/v1/config/login'
    headers = {'Content-Type': 'application/vnd.com.citrix.netscaler.login+json'}
    payload = {"login": {"username": "nsroot", "password": "nsroot", "timeout": 900}}
    r = requests.post(url, headers=headers, json=payload)
    # Take the session token out of the Set-Cookie header
    nitro_auth = r.headers['Set-Cookie'].split()[9]

def create_acl():
    url = 'http://netscalerip.com/nitro/v1/config/nsacl?action=add'
    headers = {'Cookie': nitro_auth, 'Content-Type': 'application/vnd.com.citrix.netscaler.nsacl+json'}
    payload = {"nsacl": {"aclname": "ACL-INET-ALLOW-test2", "aclaction": "ALLOW", "protocol": "TCP", "protocolnumber": "6","destportval": "8111","srcipval": "24.191.209.63", "destipval": "24.191.209.63", "vlan": "10","priority": "22000"}}

    r = requests.put(url, headers=headers, json=payload)
    print(r.json())

login()

create_acl()

 

I get the following error from the API

{u'errorcode': 1093, u'message': u'Argument pre-requisite missing [srcIPVal, srcIP]', u'severity': u'ERROR'}

 

The srcIPVal is in there, and based on the doc srcIP is a Boolean, but I tried Yes, YES, TRUE, True and nothing works.



Esther Barthel CTP Member


Posted 21 April 2017 - 08:17 AM

Hi David,

 

I think the documentation is not correct regarding the formatting for srcip and srcipval, as the Request payload for a POST states them to be string values, as shown in the NITRO API reference (https://docs.citrix.com/en-us/netscaler/11-1/nitro-api/nitro-rest/api-reference/configuration/ns/nsacl.html#add).

 

I also noticed that you use the same IP address for both source and destination, which might create a conflict as well.

 

Can you try a payload with srcip and destip instead of srcipval and destipval, and give both of them different IP addresses? Just to test if that will push the ACL to your NetScaler?

 

Unfortunately I won't be able to help out more and check the right config in my lab till I get home, but I'll do some testing tonight.

 

Cheers,

Esther
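
The test proposed in the reply above, as an added example that is not code from either poster: it sends the ACL as posted and then the srcip/destip variant with a different destination, and reports the NITRO error code for each. Assumptions: the NS_HOST, NS_USER, NS_PASS and NS_CA_BUNDLE environment variable names are hypothetical, 192.0.2.10 is a constructed documentation address, and the add is sent as a POST over HTTPS with the login cookie kept by a requests session instead of being parsed out of the Set-Cookie header.

```python
import os

# ACL fields exactly as posted in the question.
ORIGINAL_ACL = {
    "aclname": "ACL-INET-ALLOW-test2", "aclaction": "ALLOW", "protocol": "TCP",
    "protocolnumber": "6", "destportval": "8111", "srcipval": "24.191.209.63",
    "destipval": "24.191.209.63", "vlan": "10", "priority": "22000",
}
ACL_TYPE = "application/vnd.com.citrix.netscaler.nsacl+json"
LOGIN_TYPE = "application/vnd.com.citrix.netscaler.login+json"


def variant_from_reply(acl, destip):
    """Copy of acl using srcip/destip keys and a destination that differs from the source."""
    out = {k: v for k, v in acl.items() if k not in ("srcipval", "destipval")}
    out["srcip"] = acl["srcipval"]
    out["destip"] = destip
    if out["srcip"] == out["destip"]:
        raise ValueError("source and destination addresses must differ for this test")
    return out


def try_acl(session, base, acl):
    """POST one candidate ACL and return (HTTP status, NITRO errorcode, message)."""
    r = session.post(base + "/nitro/v1/config/nsacl",
                     headers={"Content-Type": ACL_TYPE}, json={"nsacl": acl})
    body = r.json() if r.content else {}  # a successful add may return no body
    return r.status_code, body.get("errorcode"), body.get("message")


def main():
    import requests  # third-party; imported here so the helpers load without it
    base = "https://" + os.environ["NS_HOST"]  # hypothetical variable names
    creds = {"username": os.environ["NS_USER"], "password": os.environ["NS_PASS"]}
    with requests.Session() as s:  # the session's cookie jar carries the login cookie
        s.verify = os.environ.get("NS_CA_BUNDLE", True)  # CA file for a private cert
        s.post(base + "/nitro/v1/config/login", headers={"Content-Type": LOGIN_TYPE},
               json={"login": creds}).raise_for_status()
        # 192.0.2.10 is a constructed documentation address, not from the thread.
        candidates = [("as posted", ORIGINAL_ACL),
                      ("reply variant", variant_from_reply(ORIGINAL_ACL, "192.0.2.10"))]
        for label, acl in candidates:
            print(label, try_acl(s, base, acl))


if __name__ == "__main__":
    main()
```

Whether the appliance accepts the variant is what the run reports; the script only makes the comparison repeatable without hard-coded credentials or plain HTTP.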