Re: Cannot make plugin to work.
Posted: Fri Apr 01, 2022 2:07 pm
by Cubert
The Automate system is looking at the location that the firewall was listed in. It then uses an agent (looking for the newest OS types) and runs several PowerShell scripts in the PFSense script that comes with the plugin. This script tells the agent to make https requests to the end firewall on its "LAN" segment to the API using the account permissions you set. The API returns JSON data that we convert into SQL and save in the database.
So the very first things to test are:
One, is the firewall on the LAN side, on the same network as the agent running the script?
Can you from that agent open the Firewall Web Config on port :443 using SSL?
Can you touch the API (Change $hostname, $myUser and $mypass to the correct values for this firewall)
https://$hostname/api/v1/firewall/alias?client-id=$MyUser&client-token=$MyPass
Did it return any data or an error?
If your credentials worked in the above https request, then try the script in debug mode.
When you select debug mode it will ask for an agent to run on; select an agent in the same location/network, then in the MYCMD area of the selection box to execute the script, use "SCAN" so that it triggers the Then section of our script.
The script will attempt to collect all the data about that firewall.
You will find the script in
scripts -> maintenance -> pfSense Manager Maintenance
Re: Cannot make plugin to work.
Posted: Mon Apr 11, 2022 4:09 pm
by Dawid_FS
Hello,
I checked it and here is the reply to the questions:
One, is the firewall on the LAN side, on the same network as the agent running the script?
YES
Can you from that agent open the Firewall Web Config on port :443 using SSL?
YES
Can you touch the API (Change $hostname, $myUser and $mypass to the correct values for this firewall)
https://$hostname/api/v1/firewall/alias?client-id=$MyUser&client-token=$MyPass
Did it return any data or an error?
{"status":"unauthorized","code":401,"return":3,"message":"Authentication failed","data":[]}
I was trying different users with admin privileges, and even on a fresh pfSense instance there is always the same error.
Please Advise.
Re: Cannot make plugin to work.
Posted: Mon Apr 11, 2022 7:51 pm
by Cubert
By default, pfSense API uses the same credentials as the webConfigurator. This behavior allows you to configure pfSense from the API out of the box, and user passwords may be changed from the API to immediately add additional security if needed.
After installation, you can navigate to System > API in the pfSense webConfigurator to configure API authentication. Please note that external authentication servers like LDAP or RADIUS are not supported with any API authentication method at this time.
To authenticate your API call, follow the instructions for your configured authentication mode:
Local Database (default)
Uses the same credentials as the pfSense webConfigurator. To authenticate API calls, simply add a client-id value containing your username and a client-token value containing your password to your payload.
This is the official how-to from the API documentation.
You need to validate the API setup as described here, then, using the URL I provided above in a browser, keep testing until you get a proper status returned.
Auth errors say you have either a bad user name or pass with API access. Until you are able to get a functional API with local direct access from a browser, the plugin will not be able to probe the PFSense device.
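A scripted version of the browser test described in the posts above, as an added example that is not part of the original thread or the plugin's own script. It percent-encodes the credentials (a password containing characters such as & or # is otherwise cut short in a hand-typed URL) and classifies the reply; the hostname, user, password and the code-200 success shape are assumptions.

```python
import json
import re
import urllib.error
import urllib.request
from urllib.parse import quote, urlencode

def build_alias_url(hostname, user, password):
    """Test URL from the thread, with the credentials percent-encoded."""
    query = urlencode({"client-id": user, "client-token": password},
                      quote_via=quote)
    return f"https://{hostname}/api/v1/firewall/alias?{query}"

def redact(url):
    """Mask the password before the URL is printed or logged."""
    return re.sub(r"(client-token=)[^&]*", r"\1***", url)

def classify_response(body):
    """Map an API reply body to a (verdict, detail) pair."""
    try:
        reply = json.loads(body)
        code = reply["code"]
    except (ValueError, TypeError, KeyError):
        return ("no-api", "reply is not the API's JSON; check package and path")
    if code == 401:
        return ("auth-failed", reply.get("message", ""))
    if code == 200:  # assumed success shape, mirroring the 401 reply above
        return ("ok", f"{len(reply.get('data') or [])} alias entries")
    return ("error", f"code {code}: {reply.get('message', '')}")

def check_firewall(hostname, user, password):
    """Live check; the firewall's certificate must be trusted by this host."""
    url = build_alias_url(hostname, user, password)
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # a 401 still carries a JSON body
        body = err.read().decode("utf-8", "replace")
    except OSError as err:  # DNS, routing, TLS or timeout problems
        return ("unreachable", str(err))
    return classify_response(body)

if __name__ == "__main__":
    # Constructed input: hypothetical host and credentials, plus the 401
    # reply that was posted earlier in this thread.
    sample = ('{"status":"unauthorized","code":401,"return":3,'
              '"message":"Authentication failed","data":[]}')
    print(redact(build_alias_url("fw.example.lan", "apiuser", "p&ss#1")))
    print(classify_response(sample))
```

Credentials passed in a query string end up in browser history and web server logs, so pass anything that gets printed through redact() first.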
Re: Cannot make plugin to work.
Posted: Mon Apr 11, 2022 7:52 pm
by Cubert
Also, here is the official forum and support docs for the new PFSense plugin.
viewforum.php?f=79
It has all the how-tos in it.
Re: Cannot make plugin to work.
Posted: Thu Apr 14, 2022 8:02 pm
by Dawid_FS
Hello,
I was able to make the API work using a link; it looks like it's not working with the default user on pfSense. Once I created a new user it started working without any problem.
When I add a firewall to the plugin and enable scan, nothing happens.
When I tried to run a script on an agent in the same location, this is what I get:
The Script(6171) failed in the Else section at step 4. The reason:
Script: S6171 - Starting at Server Time: Thursday, April 14, 2022 1:36:59 PM
IF F5 ValueOne (P1): MYCMD Comparer (P2): 8 ValueTwo (P3): SCAN T: 0.2918057
L2 F70 Value (P1): MYFIREWALL Comparer (P2): 0 To (P3): Jump (P4): :WEHAVEFIREWALL T: 0.2928028
L3 F29 Message (P1): No Firewall provided. Exiting script T: 0.2928028
L4 F215 T: 0.2928028
Please Advise.
EDIT:
Plugin started working after the last changes I made with a new user. It takes some time to work.