Create WCF Agent

Create WCF Agent

curl --request POST \
  --url https://app.onefirewall.com/api/v1/agents \
  --header 'Content-Type: application/json' \
  --data '
{
  "gaid": "OFA-AGENT-ID-6QMRfdQp3G0Skkkkkkkk",
  "ts": 1753828861732,
  "score_threshold": 150,
  "start_from": 0,
  "version": "v4.60.4",
  "proxy": "CLOUD",
  "sync_time": 1,
  "maximum_rules": 99999998,
  "api_url": "http://127.0.0.1:8081/api/v1/ipv4",
  "api_url_bulk": "http://127.0.0.1:8081/api/v2/ips",
  "api_url_feedback": "http://127.0.0.1:8081/api/v1/feedback",
  "auth_name": "Authorization",
  "api_jwt_key": "<string>",
  "ids": {
    "iptables": {
      "active": true
    },
    "ebtables": {
      "active": true
    },
    "pflist": {
      "active": true
    },
    "modsec": {
      "active": true,
      "modsec_logs": "/var/log/apache2/modsec_audit.log"
    },
    "cloudflare": {
      "active": true,
      "cloudflare_x_auth_email": "<string>",
      "cloudflare_x_auth_key": "<string>"
    },
    "luna": {
      "active": true,
      "json": [
        "<unknown>"
      ]
    },
    "sshlog": {
      "active": true,
      "ssh_log_location": "/var/log/auth.log"
    }
  },
  "ips": {
    "httpd": {
      "active": true,
      "command": "cp blacklist_onefirewall.txt httpd/blacklist.txt"
    },
    "iptables": {
      "active": true,
      "acl": "/opt/onefirewall/acl/ipset.txt",
      "reload_command": "sudo ipset flush blacklist && sudo ipset restore < /opt/onefirewall/acl/ipset.txt"
    },
    "checkpoint": {
      "active": true,
      "username": "admin",
      "password": "<string>",
      "address": "https://10.47.2.48",
      "group": "OneFirewall_IPS",
      "policy": "standard",
      "domain": "Test_domain_Server",
      "gateways": "Test_gw"
    },
    "checkpoint_securexl": {
      "active": true,
      "connections": "[email protected]",
      "password": "admin1",
      "command": "bash artifacts/checkpoint/install-securexl.sh",
      "vsids": "1,2"
    },
    "fortigate": {
      "active": true,
      "connections": "[email protected]",
      "password": "admin1",
      "command": "bash artifacts/fortigate/install-fortigate-url-feed.sh",
      "feeds": "/api/v1/feeds",
      "updates": "5"
    },
    "csp": {
      "active": true,
      "connections": "[email protected]",
      "password": "admin1",
      "command": "bash artifacts/csp.sh",
      "feeds": "onefirewall.txt",
      "updates": "5"
    },
    "ebtables": {
      "active": true
    },
    "pflist": {
      "active": true,
      "ofa_ips_txt": "/opt/apps/onefirewall-cloud-client/ofa-ips.txt",
      "pflist_reload_command": "sudo pfctl -f /etc/pf.conf;"
    },
    "modsec": {
      "active": true,
      "ruleset": "/usr/share/modsecurity-crs/rules/onefirewall_rules.conf",
      "modsec_reload_command": "sudo apachectl -k graceful;"
    },
    "cloudflare": {
      "active": true,
      "cloudflare_x_auth_email": "<string>",
      "cloudflare_x_auth_key": "<string>"
    },
    "cisco": {
      "active": true,
      "cisco_host": "<string>",
      "cisco_user": "<string>",
      "cisco_password": "<string>"
    },
    "haproxy": {
      "active": true,
      "haproxy_logs": "/opt/onefirewall/acl/haproxy.txt",
      "haproxy_reload_command": "sudo service haproxy reload"
    },
    "csv": {
      "active": true,
      "csv_logs": "/opt/onefirewall/feeds.csv",
      "csv_reload_command": "wc /opt/onefirewall/feeds.csv"
    },
    "aws": {
      "active": true,
      "accessKeyId": "<string>",
      "secretAccessKey": "<string>",
      "region": "<string>"
    },
    "sophos": {
      "active": true,
      "user": "<string>",
      "password": "<string>",
      "address": "<string>",
      "command": "bash artifacts/sophos/update_blacklist_sophos.sh"
    },
    "trellix": {
      "active": true,
      "username": "<string>",
      "password": "<string>",
      "api": "<string>",
      "fileslist_file": "<string>",
      "broker_ca_bundle": "<string>",
      "cert_file": "<string>",
      "private_key": "<string>"
    },
    "infoblox": {
      "active": true,
      "username": "<string>",
      "password": "<string>",
      "api": "<string>",
      "group": "<string>",
      "policy": "<string>",
      "action": "<string>",
      "view": "<string>",
      "domains_file": "<string>",
      "domains_file_whitelist": "<string>",
      "api_whitelist_url": "<string>"
    },
    "forcepoint": {
      "active": true,
      "username": "<string>",
      "password": "<string>",
      "api": "<string>",
      "group": "<string>",
      "policy": "<string>",
      "action": "<string>",
      "parent": "<string>",
      "urls_file": "<string>"
    }
  }
}
'

{
  "success": true,
  "message": "WCF Agent created successfully",
  "agent_id": "OFA-AGENT-ID-6QMRfdQp3G0Skkkkkkkk"
}

POST

agents

Create WCF Agent

curl --request POST \
  --url https://app.onefirewall.com/api/v1/agents \
  --header 'Content-Type: application/json' \
  --data '
{
  "gaid": "OFA-AGENT-ID-6QMRfdQp3G0Skkkkkkkk",
  "ts": 1753828861732,
  "score_threshold": 150,
  "start_from": 0,
  "version": "v4.60.4",
  "proxy": "CLOUD",
  "sync_time": 1,
  "maximum_rules": 99999998,
  "api_url": "http://127.0.0.1:8081/api/v1/ipv4",
  "api_url_bulk": "http://127.0.0.1:8081/api/v2/ips",
  "api_url_feedback": "http://127.0.0.1:8081/api/v1/feedback",
  "auth_name": "Authorization",
  "api_jwt_key": "<string>",
  "ids": {
    "iptables": {
      "active": true
    },
    "ebtables": {
      "active": true
    },
    "pflist": {
      "active": true
    },
    "modsec": {
      "active": true,
      "modsec_logs": "/var/log/apache2/modsec_audit.log"
    },
    "cloudflare": {
      "active": true,
      "cloudflare_x_auth_email": "<string>",
      "cloudflare_x_auth_key": "<string>"
    },
    "luna": {
      "active": true,
      "json": [
        "<unknown>"
      ]
    },
    "sshlog": {
      "active": true,
      "ssh_log_location": "/var/log/auth.log"
    }
  },
  "ips": {
    "httpd": {
      "active": true,
      "command": "cp blacklist_onefirewall.txt httpd/blacklist.txt"
    },
    "iptables": {
      "active": true,
      "acl": "/opt/onefirewall/acl/ipset.txt",
      "reload_command": "sudo ipset flush blacklist && sudo ipset restore < /opt/onefirewall/acl/ipset.txt"
    },
    "checkpoint": {
      "active": true,
      "username": "admin",
      "password": "<string>",
      "address": "https://10.47.2.48",
      "group": "OneFirewall_IPS",
      "policy": "standard",
      "domain": "Test_domain_Server",
      "gateways": "Test_gw"
    },
    "checkpoint_securexl": {
      "active": true,
      "connections": "[email protected]",
      "password": "admin1",
      "command": "bash artifacts/checkpoint/install-securexl.sh",
      "vsids": "1,2"
    },
    "fortigate": {
      "active": true,
      "connections": "[email protected]",
      "password": "admin1",
      "command": "bash artifacts/fortigate/install-fortigate-url-feed.sh",
      "feeds": "/api/v1/feeds",
      "updates": "5"
    },
    "csp": {
      "active": true,
      "connections": "[email protected]",
      "password": "admin1",
      "command": "bash artifacts/csp.sh",
      "feeds": "onefirewall.txt",
      "updates": "5"
    },
    "ebtables": {
      "active": true
    },
    "pflist": {
      "active": true,
      "ofa_ips_txt": "/opt/apps/onefirewall-cloud-client/ofa-ips.txt",
      "pflist_reload_command": "sudo pfctl -f /etc/pf.conf;"
    },
    "modsec": {
      "active": true,
      "ruleset": "/usr/share/modsecurity-crs/rules/onefirewall_rules.conf",
      "modsec_reload_command": "sudo apachectl -k graceful;"
    },
    "cloudflare": {
      "active": true,
      "cloudflare_x_auth_email": "<string>",
      "cloudflare_x_auth_key": "<string>"
    },
    "cisco": {
      "active": true,
      "cisco_host": "<string>",
      "cisco_user": "<string>",
      "cisco_password": "<string>"
    },
    "haproxy": {
      "active": true,
      "haproxy_logs": "/opt/onefirewall/acl/haproxy.txt",
      "haproxy_reload_command": "sudo service haproxy reload"
    },
    "csv": {
      "active": true,
      "csv_logs": "/opt/onefirewall/feeds.csv",
      "csv_reload_command": "wc /opt/onefirewall/feeds.csv"
    },
    "aws": {
      "active": true,
      "accessKeyId": "<string>",
      "secretAccessKey": "<string>",
      "region": "<string>"
    },
    "sophos": {
      "active": true,
      "user": "<string>",
      "password": "<string>",
      "address": "<string>",
      "command": "bash artifacts/sophos/update_blacklist_sophos.sh"
    },
    "trellix": {
      "active": true,
      "username": "<string>",
      "password": "<string>",
      "api": "<string>",
      "fileslist_file": "<string>",
      "broker_ca_bundle": "<string>",
      "cert_file": "<string>",
      "private_key": "<string>"
    },
    "infoblox": {
      "active": true,
      "username": "<string>",
      "password": "<string>",
      "api": "<string>",
      "group": "<string>",
      "policy": "<string>",
      "action": "<string>",
      "view": "<string>",
      "domains_file": "<string>",
      "domains_file_whitelist": "<string>",
      "api_whitelist_url": "<string>"
    },
    "forcepoint": {
      "active": true,
      "username": "<string>",
      "password": "<string>",
      "api": "<string>",
      "group": "<string>",
      "policy": "<string>",
      "action": "<string>",
      "parent": "<string>",
      "urls_file": "<string>"
    }
  }
}
'

{
  "success": true,
  "message": "WCF Agent created successfully",
  "agent_id": "OFA-AGENT-ID-6QMRfdQp3G0Skkkkkkkk"
}

Body

application/json

gaid

string

required

Global Agent ID - unique identifier for the agent starting with OFA-AGENT-ID- followed by a unique string of alphanumeric characters. Later on used used as agid

Example:

"OFA-AGENT-ID-6QMRfdQp3G0Skkkkkkkk"

integer<int64>

required

Timestamp in milliseconds

Example:

1753828861732

score_threshold

integer

required

Minimum threat score threshold for triggering actions

Required range: 0 <= x <= 1000

Example:

150

start_from

integer

required

Starting index for processing

Required range: x >= 0

Example:

0

version

string

required

Agent version

Example:

"v4.60.4"

proxy

enum<string>

required

Proxy mode configuration

Available options:

CLOUD,

LOCAL

Example:

"CLOUD"

sync_time

integer

required

Synchronization interval in minutes

Required range: x >= 1

Example:

1

maximum_rules

integer

required

Maximum number of rules to process

Example:

99999998

api_url

string<uri>

Primary API endpoint for IPv4 operations

Example:

"http://127.0.0.1:8081/api/v1/ipv4"

api_url_bulk

string<uri>

Bulk API endpoint for IP operations

Example:

"http://127.0.0.1:8081/api/v2/ips"

api_url_feedback

string<uri>

Feedback API endpoint

Example:

"http://127.0.0.1:8081/api/v1/feedback"

auth_name

string

Authentication header name

Example:

"Authorization"

api_jwt_key

string | null

JWT key for API authentication

ids

object

Configuration for various Intrusion Detection Systems

Show child attributes

ids.iptables

object

Show child attributes

ids.iptables.active

boolean

ids.ebtables

object

Show child attributes

ids.ebtables.active

boolean

ids.pflist

object

Show child attributes

ids.pflist.active

boolean

ids.modsec

object

Show child attributes

ids.modsec.active

boolean

ids.modsec.modsec_logs

string

Path to ModSecurity audit logs

Example:

"/var/log/apache2/modsec_audit.log"

ids.cloudflare

object

Show child attributes

ids.cloudflare.active

boolean

ids.cloudflare.cloudflare_x_auth_email

string

Cloudflare authentication email

ids.cloudflare.cloudflare_x_auth_key

string

Cloudflare authentication key

ids.luna

object

Show child attributes

ids.luna.active

boolean

ids.luna.json

any[]

Luna configuration JSON array

ids.sshlog

object

Show child attributes

ids.sshlog.active

boolean

ids.sshlog.ssh_log_location

string

Path to SSH log files

Example:

"/var/log/auth.log"

ips

object

Configuration for various IP Protection Systems

Show child attributes

ips.httpd

object

Show child attributes

ips.httpd.active

boolean

ips.httpd.command

string

Command to execute for HTTP daemon blacklist updates

Example:

"cp blacklist_onefirewall.txt httpd/blacklist.txt"

ips.iptables

object

Show child attributes

ips.iptables.active

boolean

ips.iptables.acl

string

Path to ACL file

Example:

"/opt/onefirewall/acl/ipset.txt"

ips.iptables.reload_command

string

Command to reload iptables rules

Example:

"sudo ipset flush blacklist && sudo ipset restore < /opt/onefirewall/acl/ipset.txt"

ips.checkpoint

object

Show child attributes

ips.checkpoint.active

boolean

ips.checkpoint.username

string

Checkpoint username

Example:

"admin"

ips.checkpoint.password

string

Checkpoint password

ips.checkpoint.address

string<uri>

Checkpoint management server address

Example:

"https://10.47.2.48"

ips.checkpoint.group

string

Checkpoint security group

Example:

"OneFirewall_IPS"

ips.checkpoint.policy

string

Security policy name

Example:

"standard"

ips.checkpoint.domain

string

Checkpoint domain

Example:

"Test_domain_Server"

ips.checkpoint.gateways

string

Gateway configuration

Example:

"Test_gw"

ips.checkpoint_securexl

object

Show child attributes

ips.checkpoint_securexl.active

boolean

ips.checkpoint_securexl.connections

string

SSH connection string

Example:

"[email protected]"

ips.checkpoint_securexl.password

string

Connection password

Example:

"admin1"

ips.checkpoint_securexl.command

string

Command to execute remotely

Example:

"bash artifacts/checkpoint/install-securexl.sh"

ips.checkpoint_securexl.vsids

string

Virtual system IDs

Example:

"1,2"

ips.fortigate

object

Show child attributes

ips.fortigate.active

boolean

ips.fortigate.connections

string

SSH connection string

Example:

"[email protected]"

ips.fortigate.password

string

Connection password

Example:

"admin1"

ips.fortigate.command

string

Command to execute

Example:

"bash artifacts/fortigate/install-fortigate-url-feed.sh"

ips.fortigate.feeds

string

Feed endpoint

Example:

"/api/v1/feeds"

ips.fortigate.updates

string

Update interval

Example:

"5"

ips.csp

object

Show child attributes

ips.csp.active

boolean

ips.csp.connections

string

SSH connection string

Example:

"[email protected]"

ips.csp.password

string

Connection password

Example:

"admin1"

ips.csp.command

string

Command to execute

Example:

"bash artifacts/csp.sh"

ips.csp.feeds

string

Feed file name

Example:

"onefirewall.txt"

ips.csp.updates

string

Update interval

Example:

"5"

ips.ebtables

object

Show child attributes

ips.ebtables.active

boolean

ips.pflist

object

Show child attributes

ips.pflist.active

boolean

ips.pflist.ofa_ips_txt

string

Path to OneFirewall IPs text file

Example:

"/opt/apps/onefirewall-cloud-client/ofa-ips.txt"

ips.pflist.pflist_reload_command

string

Command to reload PF configuration

Example:

"sudo pfctl -f /etc/pf.conf;"

ips.modsec

object

Show child attributes

ips.modsec.active

boolean

ips.modsec.ruleset

string

Path to ModSecurity ruleset

Example:

"/usr/share/modsecurity-crs/rules/onefirewall_rules.conf"

ips.modsec.modsec_reload_command

string

Command to reload ModSecurity

Example:

"sudo apachectl -k graceful;"

ips.cloudflare

object

Show child attributes

ips.cloudflare.active

boolean

ips.cloudflare.cloudflare_x_auth_email

string

Cloudflare authentication email

ips.cloudflare.cloudflare_x_auth_key

string

Cloudflare authentication key

ips.cisco

object

Show child attributes

ips.cisco.active

boolean

ips.cisco.cisco_host

string

Cisco device hostname or IP

ips.cisco.cisco_user

string

Cisco device username

ips.cisco.cisco_password

string

Cisco device password

ips.haproxy

object

Show child attributes

ips.haproxy.active

boolean

ips.haproxy.haproxy_logs

string

Path to HAProxy logs

Example:

"/opt/onefirewall/acl/haproxy.txt"

ips.haproxy.haproxy_reload_command

string

Command to reload HAProxy

Example:

"sudo service haproxy reload"

ips.csv

object

Show child attributes

ips.csv.active

boolean

ips.csv.csv_logs

string

Path to CSV logs

Example:

"/opt/onefirewall/feeds.csv"

ips.csv.csv_reload_command

string

Command to process CSV

Example:

"wc /opt/onefirewall/feeds.csv"

ips.aws

object

Show child attributes

ips.aws.active

boolean

ips.aws.accessKeyId

string

AWS Access Key ID

ips.aws.secretAccessKey

string

AWS Secret Access Key

ips.aws.region

string

AWS region

ips.sophos

object

Show child attributes

ips.sophos.active

boolean

ips.sophos.user

string

Sophos username

ips.sophos.password

string

Sophos password

ips.sophos.address

string

Sophos device address

ips.sophos.command

string

Command to execute

Example:

"bash artifacts/sophos/update_blacklist_sophos.sh"

ips.trellix

object

Show child attributes

ips.trellix.active

boolean

ips.trellix.username

string

Trellix username

ips.trellix.password

string

Trellix password

ips.trellix.api

string

Trellix API endpoint

ips.trellix.fileslist_file

string

Path to files list file

ips.trellix.broker_ca_bundle

string

Path to broker CA bundle

ips.trellix.cert_file

string

Path to certificate file

ips.trellix.private_key

string

Path to private key file

ips.infoblox

object

Show child attributes

ips.infoblox.active

boolean

ips.infoblox.username

string

Infoblox username

ips.infoblox.password

string

Infoblox password

ips.infoblox.api

string

Infoblox API endpoint

ips.infoblox.group

string

Infoblox group

ips.infoblox.policy

string

Infoblox policy

ips.infoblox.action

string

Infoblox action

ips.infoblox.view

string

Infoblox view

ips.infoblox.domains_file

string

Path to domains file

ips.infoblox.domains_file_whitelist

string

Path to domains whitelist file

ips.infoblox.api_whitelist_url

string

API whitelist URL

ips.forcepoint

object

Show child attributes

ips.forcepoint.active

boolean

ips.forcepoint.username

string

Forcepoint username

ips.forcepoint.password

string

Forcepoint password

ips.forcepoint.api

string

Forcepoint API endpoint

ips.forcepoint.group

string

Forcepoint group

ips.forcepoint.policy

string

Forcepoint policy

ips.forcepoint.action

string

Forcepoint action

ips.forcepoint.parent

string | null

Parent configuration

ips.forcepoint.urls_file

string

Path to URLs file

Response

WCF Agent created successfully

success

boolean

Example:

true

message

string

Example:

"WCF Agent created successfully"

agent_id

string

Example:

"OFA-AGENT-ID-6QMRfdQp3G0Skkkkkkkk"

Handle WCF Configuration File types

⌘I

API Documentation

IPv4 Feeds

Domain Feeds

URL Feeds

Security Binary

STIX2 Feeds

Secure VPN

WCF Agent API

Tools/Utils

Body

Response