Have a look through the httpd log file for any suggestions on the cause of the issue.
Also, try performing the same API call via the NetConf XML interface and see if the call is processed. This will help isolate/find the issue.
Gav
Original Message:
Sent: 01-31-2023 04:33
From: sgala
Subject: REST api on SRX 300 does not work
I did some tests today, and for each request I execute the REST API responds with a 500 internal server error...;(
Tried to enable traceoption all on rest service but after enabling it the port 8080 is closed with conn refused...
I think that the universe does not want me to use the REST API ;(
Am I alone with that issue? Probably it is 21.2R3-S2.9 with some bugs, but on PR there are no known open bugs ...;(
M
------------------------------
Matteo Sgalaberni
Original Message:
Sent: 01-14-2023 06:39
From: sgala
Subject: REST api on SRX 300 does not work
Hi Gavin! thanks! The trick works well!! ;)
Thanks!
Matteo
------------------------------
Matteo Sgalaberni
Original Message:
Sent: 01-13-2023 21:07
From: GAVIN WHITE
Subject: REST api on SRX 300 does not work
Hi Matteo,
I hope you are doing well?
I have been able to perform some testing in my lab and came to the following conclusions...
Configuring a custom port on any SRX and EX Series device for the REST API sets the listening port for lighttpd service to the specified port.
EX Switches do not have these zone/interface filters and the REST API Works as expected. SRX Devices filter Zone traffic through host-inbound-traffic configuration and there is limited flexibility to what protocols and system services (ports) can be opened.
TCP Port 3000 is not available as one of the system service ports and so I would recommend using a port for the REST API that is listed under the host-inbound-traffic system-services configuration branch. For Example: 'webapi-clear-text' (TCP 8080) and 'webapi-ssl' (TCP 8443) can be used for this scenario. See the config example below...
    system {
        services {
            rest {
                http {
                    port 8080;
                    addresses 10.1.7.254;
                }
                control {
                    allowed-sources [ 10.1.7.8 10.1.7.31 ];
                }
                enable-explorer;
            }
        }
    }
    security {
        zones {
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        ssh;
                        webapi-clear-text;
                        ...
                    }
                    protocols {
                        ospf;
                        ...
                    }
                }
            }
        }
    }
Understandably, 8080 is a common port, so make sure to lock it down as specifically as possible, allowing it only in the zones required and using the `allowed-sources` config option for the rest-api, etc.
Kind regards,
Gavin White
------------------------------
GAVIN WHITE
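The checks from the reply above (REST port tied to a `host-inbound-traffic` system service, `allowed-sources` set) can be run against a saved configuration. This is an added example, not code from either poster or from Juniper; the function names and both sample configs are constructed here, and the parser only handles plain curly-brace syntax like the snippets in this thread.

```python
import re

# Port-to-service pairs named in the thread (string keys, as parsed from config).
PORT_SERVICE = {"8080": "webapi-clear-text", "8443": "webapi-ssl"}

def parse(text):
    """Parse curly-brace Junos config into nested dicts; leaf statements map to None."""
    root = {}
    stack, name = [root], ""
    for tok in re.split(r"([{};])", text):
        if tok == "{":
            stack.append(stack[-1].setdefault(name.strip(), {}))
        elif tok == ";" and name.strip():
            stack[-1][name.strip()] = None
        elif tok == "}":
            stack.pop()
        name = "" if tok in ("{", "}", ";") else tok
    return root

def leaf(node, keyword):
    """Return the argument text of the leaf statement `keyword ...`, or None if absent."""
    for key, val in node.items():
        if val is None and key.split()[0] == keyword:
            return key[len(keyword):].strip()
    return None

def audit(config_text):
    """Return a list of findings for the REST API exposure described in the thread."""
    cfg = parse(config_text)
    rest = cfg.get("system", {}).get("services", {}).get("rest", {})
    zones = cfg.get("security", {}).get("zones", {})
    enabled = {z: body.get("host-inbound-traffic", {}).get("system-services", {})
               for z, body in zones.items()}
    findings = []
    for transport in ("http", "https"):
        if transport not in rest:
            continue
        port = leaf(rest[transport], "port")
        service = PORT_SERVICE.get(port)
        if service is None:
            findings.append(f"rest {transport} port {port} has no matching system-service")
        elif not any(service in svcs for svcs in enabled.values()):
            findings.append(f"{service} is not enabled in any zone")
    if leaf(rest.get("control", {}), "allowed-sources") is None:
        findings.append("rest control allowed-sources is not set")
    findings += [f"{z} uses any-service" for z, s in enabled.items() if "any-service" in s]
    return findings

# Constructed samples modelled on the two configurations posted in this thread.
GOOD = """system { services { rest { http { port 8080; addresses 10.1.7.254; }
  control { allowed-sources [ 10.1.7.8 10.1.7.31 ]; } enable-explorer; } } }
security { zones { security-zone trust { host-inbound-traffic {
  system-services { ssh; webapi-clear-text; } } } } }"""
BAD = GOOD.replace("8080", "3001").replace("webapi-clear-text", "any-service").replace(
    "control { allowed-sources [ 10.1.7.8 10.1.7.31 ]; }", "")
```

`audit(GOOD)` returns an empty list; `audit(BAD)` reports the unmapped port, the missing `allowed-sources`, and the zone opened with `any-service`.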
Original Message:
Sent: 01-02-2023 17:44
From: GAVIN WHITE
Subject: REST api on SRX 300 does not work
Hi Matteo,
My understanding is that the REST config stanza should open the required ports on the listening IP.
I will have to do some tests to verify this in the lab once I'm back next week. In a working environment [20.2R3], I have the following Zone configuration...
    security-zone trust {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
    }
Some things to check in your configuration that could still block access would be...
1. Any Firewall Filters configured on the Loopback, limiting RE traffic.
2. Any Security policy configured to the Junos-Host Zone. By default (not configured), this will allow all and only host-inbound-traffic is checked.
Regards,
------------------------------
GAVIN WHITE
Original Message:
Sent: 01-02-2023 04:45
From: Matteo Sgalaberni
Subject: REST api on SRX 300 does not work
Hi! Thanks for your reply! Here is my conf:
    sgala@# show system services rest
    http {
        port 3001;
        addresses 172.16.60.1;
    }
    enable-explorer;
I did further tests... it seems to be an issue with the security policy.
host-inbound-traffic system-services all is not sufficient.
With host-inbound-traffic system-services any-service, port 3001 is reachable!!
But I don't want to open all ports... probably the rest service is not fired by any default system-services! I can't find any info about it...
Do you have an idea how to open that service correctly without opening all ports?
thanks
Matteo
------------------------------
Matteo Sgalaberni
Original Message:
Sent: 12-30-2022 16:28
From: GAVIN WHITE
Subject: REST api on SRX 300 does not work
Hello,
Looking through the article that you provided, it does not mention the use of the 'address' stanza for the REST API configuration.
    set system services rest http addresses [ 203.0.113.0 203.0.113.1 ]
This command instructs the device to enable listening on the specified IPs.
Also, if you are looking to use this for experimenting I highly recommend enabling the API Explorer...
    set system services rest enable-explorer
Kind Regards,
Gavin White
------------------------------
GAVIN WHITE
Original Message:
Sent: 12-28-2022 08:42
From: Matteo Sgalaberni
Subject: REST api on SRX 300 does not work
Hello, I'm trying to use the REST API on an SRX 300.
I followed the official documentation and also this simple howto, "Working with REST API on Junos OS".
The source IP from which I try to connect is in a security zone with host-inbound-traffic system-services all enabled.
What do you suggest I check? Thanks!
------------------------------
MATTEO SGALABERNI
------------------------------