Beginner API firewall rules Authentication error

Hi, newbie here!

I’m trying to edit my firewall rules using the API but got stuck even after reading the documentation.

I’ve understood how to list the current rules that I made via the web interface, delete a rule made via the web interface, but I can’t work out how to create or edit one.

Always get “Authentication error” even when using the same Auth-key that works for list and delete.

Things that work:

Listing rules for a zone:

curl -X GET "https://api.cloudflare.com/client/v4/zones//firewall/rules" -H "X-Auth-Email: EMAIL" -H "X-Auth-Key: GLOBALKEY" -H "Content-Type: application/json"

Listing details of a particular rule using the rule ID found from the list:

curl -X GET "https://api.cloudflare.com/client/v4/zones//firewall/rules/RULEID" -H "X-Auth-Email: EMAIL" -H "X-Auth-Key: GLOBALKEY" -H "Content-Type: application/json"

Deleting the particular rule:

curl -X DELETE "https://api.cloudflare.com/client/v4/zones//firewall/rules/RULEID" -H "X-Auth-Email: EMAIL" -H "X-Auth-Key: GLOBALKEY" -H "Content-Type: application/json" --data '{}'

What does not work:

Creating a new rule after deleting it. I’m trying delete because update didn’t work. The rule is direct from the documentation example. I can’t see how I should generate an ID for the new rule or filter so I’m using the same values as the previously deleted ones. Trying random numbers for the new rule id and filter id also doesn’t work.

curl -X POST "https://api.cloudflare.com/client/v4/zones//firewall/rules" -H "X-Auth-Email: EMAIL" -H "X-Auth-Key: GLOBALKEY" -H "Content-Type: application/json" --data '[{"id":"RULEID","action":"block","products":["waf"],"priority":50,"paused":false,"description":"Blocks traffic identified during investigation for MIR-31","ref":"MIR-31","filter":{"id":"FILTERID","expression":"(http.request.uri.path ~ \".*wp-login.php\" or http.request.uri.path ~ \".*xmlrpc.php\") and ip.addr ne 172.16.22.155","paused":false,"description":"Restrict access from these browsers on this address range.","ref":"FIL-100"}}]'

Reply:

{"success":false,"errors":[{"code":10000,"message":"Authentication error"}]}

Actually I only need to update a filter but can’t make that work, so I’m trying to delete and create the whole rule to ensure I have a consistent set, but always “Authentication error”.

Obviously I’m misunderstanding something here. Any suggestions on where I should go to learn more or how to troubleshoot this?

Thanks.

The API documentation seems to be wrong here. Surely you cannot provide an ID for a rule you are creating, as IDs are assigned by the API itself.

Also, I kept getting an error when POSTing with the “products” parameters, because that’s to be used only to specify which product(s) to bypass, so it’s only needed in case the rule’s action is set to “bypass”.

But I did manage to create a rule after removing both ID and products from the request. See if that works for you, while I forward this issue to staff so that the documentation is reviewed.

1 Like

Thank you, yes that fixed it. After trimming down the request to the essentials it works.

Following this tip I’ve also been able to make the other calls I want to use, such as PUT to update, work as expected.

I appreciate the assistance. Now onwards to wrap my working commands in some logic! :slight_smile:

2 Likes

Actually, it seems a firewall rule consists of 2 parts: a rule id and a filter id. The filter id can actually be created beforehand and reused, I think. See https://developers.cloudflare.com/firewall/api/cf-filters/post/. So rule id isn’t needed but filter id can be optional - if you already created or intend to reuse an existing created filter id expression.

From https://developers.cloudflare.com/firewall/api/cf-firewall-rules/post/:

To create a Firewall Rule you need a filter identifier (id). If you have not created a filter yet, refer to the Cloudflare Filters API documentation.

Create Cloudflare Filter

filter.json contents

[
  {
    "paused": false,
    "expression": "(http.request.uri.path eq \"/private4/\")"
  }
]

./cf-firewall-api.sh filter-create filter.json

{
  "result": [
    {
      "id": "ddb39e0a60a7457e8e08eb98d1c119a4",
      "paused": false,
      "expression": "(http.request.uri.path eq \"/private4/\")"
    }
  ],
  "success": true,
  "errors": [],
  "messages": []
}

and create Firewall rule using pre-created filter id = ddb39e0a60a7457e8e08eb98d1c119a4

cat cfrule.json
[{
  "paused": true,
  "description": "Example CF Firewall API Rule with pre-created Filter id",
  "action": "block",
  "priority": 1,
  "filter": {
    "id": "ddb39e0a60a7457e8e08eb98d1c119a4",
    "paused": false
  }
}]

./cf-firewall-api.sh rule-create cfrule.json
{
  "result": [
    {
      "id": "26e2857bf89748549b9d58e90b39b87e",
      "paused": true,
      "description": "Example CF Firewall API Rule with pre-created Filter id",
      "action": "block",
      "priority": 1,
      "filter": {
        "id": "ddb39e0a60a7457e8e08eb98d1c119a4",
        "expression": "(http.request.uri.path eq \"/private4/\")",
        "paused": false
      },
      "created_on": "2022-03-06T01:17:37Z",
      "modified_on": "2022-03-06T01:17:37Z",
      "index": 2
    }
  ],
  "success": true,
  "errors": [],
  "messages": []
}

But yes API docs need to clarify this better as it’s part documented in API docs and other half is in developer docs.

2 Likes
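The fixes discussed in this thread (no client-supplied rule id, `products` only for the `bypass` action, and a rule that points at a pre-created filter id), as an added example that is not code from any poster or from Cloudflare. The function names are hypothetical, `ZONEID`, `EMAIL` and `GLOBALKEY` are placeholders, and it assumes a filter is given either as a pre-created id or as an expression.

```python
import json
import urllib.request

API = "https://api.cloudflare.com/client/v4"

def clean_rule_for_create(rule):
    """Return a copy of `rule` that is safe to POST as a new firewall rule."""
    out = {k: v for k, v in rule.items() if k != "id"}  # rule ids are assigned by the API
    if out.get("action") != "bypass":
        out.pop("products", None)  # only meaningful when the action is "bypass"
    flt = out.get("filter") or {}
    if "id" not in flt and "expression" not in flt:
        raise ValueError("filter needs a pre-created id or an expression")
    return out

def filter_ids(response):
    """Pull the API-assigned ids out of a filter-create response."""
    if not response.get("success"):
        raise RuntimeError(f"filter create failed: {response.get('errors')}")
    return [f["id"] for f in response["result"]]

def build_rule_create_request(zone_id, email, key, rules):
    """Build (but do not send) the POST that creates the rules."""
    body = json.dumps([clean_rule_for_create(r) for r in rules]).encode()
    return urllib.request.Request(
        f"{API}/zones/{zone_id}/firewall/rules", data=body, method="POST",
        headers={"X-Auth-Email": email, "X-Auth-Key": key,
                 "Content-Type": "application/json"})

# Constructed inputs: the filter-create reply shown in the thread, and a rule
# shaped like the documentation example that produced "Authentication error".
FILTER_REPLY = {"result": [{"id": "ddb39e0a60a7457e8e08eb98d1c119a4", "paused": False,
                            "expression": '(http.request.uri.path eq "/private4/")'}],
                "success": True, "errors": [], "messages": []}
DOC_STYLE_RULE = {"id": "RULEID", "action": "block", "products": ["waf"],
                  "priority": 50, "paused": False, "ref": "MIR-31"}

def demo_request():
    """Step 2 of the flow: reference the filter id returned by step 1."""
    rule = dict(DOC_STYLE_RULE, filter={"id": filter_ids(FILTER_REPLY)[0]})
    return build_rule_create_request("ZONEID", "EMAIL", "GLOBALKEY", [rule])

if __name__ == "__main__":
    req = demo_request()
    print(req.get_method(), req.full_url)
    print(req.data.decode())
```

Pass the returned request to `urllib.request.urlopen` with real credentials to send it; the block itself never touches the network.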
