Junos OS

Is there an API to automate the blocking of IPs?

  • 1.  Is there an API to automate the blocking of IPs?

    Posted 01-05-2018 09:25

    We have two Juniper MX480s and they are on JunOS 14.1R8.6.

     

    Is there an API available to call to automate the blocking of IPs? 

     

    What I'd like to do is have a search that runs on Splunk that looks for x amount of events from an attacking IP within a certain period of time (say 50 events within one minute from the same IP), and then if the search threshold is triggered, then have Splunk make an API call to JunOS with a list of IPs to block for a 24 hour time period.

     

    Thx


    #Block
    #splunk
    #Automate
    #API
    #attack


  • 2.  RE: Is there an API to automate the blocking of IPs?
    Best Answer

     
    Posted 01-05-2018 10:20

    Hi Folks,

    These are a few ways to initiate an API call to Junos:

     

    POSTMAN Client: [Working]

    http://lab:1Matrix@10.219.38.21:8080/rpc/get-system-information

    http://lab:1Matrix@10.219.38.21:8080/rpc/get-configuration

    http://lab:1Matrix@10.219.38.21:8080/rpc/get-interface-information

     

    Curl Client: Working

    curl http://lab:1Matrix@10.219.38.21:8080/rpc -D curl.out --header "Accept: text/plain" -d "<get-interface-information><detail/><interface-name>lo0</interface-name></get-interface-information>"

     

    curl http://lab:1Matrix@10.219.38.21:8080/rpc -D curl.out --header "Accept: text/plain" -d "<get-interface-information><terse/><interface-name>lo0</interface-name></get-interface-information>"

     

    curl http://lab:1Matrix@10.219.38.21:8080/rpc -D curl.out --header "Accept: text/plain" -d "<get-configuration><configuration><interfaces><interface><name>lo0</name></interface></interfaces></configuration></get-configuration>"

     

    To enable API:

    set system services rest http port 5000 <<<<< 3000 is the default port if not specified exclusively

    set system services rest http

    set system services rest traceoptions flag all

    set system services rest enable-explorer

     

    REMOTE TRIGGERED BLACK HOLE FILTERING (RTBH) is one of the ways to achieve the requirement listed by you.

     

    Apply BGP export policies to all your routers, which could set the next hop of a given prefix pointing to your discard routes. Your API call should manipulate the discard route, and you can define policies with predefined BGP extended communities, which can be configured in the rest of the network, such as RFC 3882 and RFC 6666.
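
An added example, not part of the thread and not Juniper's code: one way the Splunk-side step could turn search results into discard-route changes for the RTBH approach described above, refusing addresses that must never be black-holed and withdrawing each block after 24 hours. The `PROTECTED` ranges, the function names and the sample addresses are assumptions, and delivery of the commands to the router is left out.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Assumption: ranges that must never be black-holed (own, management, peers).
PROTECTED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "198.51.100.0/24")]
BLOCK_TTL = timedelta(hours=24)  # block lifetime asked for in the question


def route_path(ip):
    """Junos static-route path for a host route, IPv4 or IPv6."""
    if ip.version == 6:
        return f"routing-options rib inet6.0 static route {ip}/128"
    return f"routing-options static route {ip}/32"


def plan_blocks(candidates, state, now):
    """Turn search results into Junos set/delete commands.

    state maps an IP string to its expiry time and is updated in place.
    Returns (commands, rejected) where rejected lists (value, reason).
    """
    commands, rejected = [], []
    # Withdraw blocks whose 24 hours have passed.
    for ip_str, expiry in sorted(state.items()):
        if expiry <= now:
            commands.append(f"delete {route_path(ipaddress.ip_address(ip_str))}")
            del state[ip_str]
    for raw in candidates:
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            rejected.append((raw, "not an IP address"))
            continue
        if ip.is_loopback or ip.is_multicast or ip.is_unspecified or ip.is_link_local:
            rejected.append((raw, "special-purpose address"))
        elif any(ip in net for net in PROTECTED):
            rejected.append((raw, "inside a protected prefix"))
        elif str(ip) not in state:  # skip duplicates and active blocks
            state[str(ip)] = now + BLOCK_TTL
            commands.append(f"set {route_path(ip)} discard")
    return commands, rejected


if __name__ == "__main__":
    now = datetime(2018, 1, 5, 10, 0, tzinfo=timezone.utc)
    state = {"192.0.2.9": now - timedelta(minutes=1)}  # constructed, already expired
    sample = ["203.0.113.7", "203.0.113.7", "10.1.2.3", "bogus", "2001:db8::5"]
    for line in plan_blocks(sample, state, now)[0]:
        print(line)
```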

     

     

     



  • 3.  RE: Is there an API to automate the blocking of IPs?

    Posted 01-05-2018 10:29

    Thx for the reply and info!