Simplifying the Check Point API with the Python SDK

The full power of working with APIs is revealed when they are used together with program code, when it becomes possible to generate API requests dynamically and to build tools that analyze API responses. However, the Python Software Development Kit (referred to here as the Python SDK) for the Check Point Management API still goes largely unnoticed, and undeservedly so. It greatly simplifies life for developers and automation enthusiasts. Python has become hugely popular recently, so I decided to fill the gap and review the main features of the Check Point API Python Development Kit. This article is a good complement to another article on Habr, "Check Point R80.10 API. Management via CLI, scripts and more". We will look at how to write scripts using the Python SDK and take a closer look at the new Management API functionality in version 1.6 (supported starting with R80.40). To follow the article, you will need basic knowledge of working with APIs and Python.

Check Point is actively developing the API, and at the moment the following have been released:

The Python SDK currently supports interaction only with the Management API and the Gaia API. We will look at the most important classes, methods and variables in this module.

Installing the module

The cpapi module installs quickly and easily from the official Check Point repository on GitHub using pip. Detailed installation instructions are available in README.md. The module is adapted to work with Python versions 2.7 and 3.7. In this article, the examples use Python 3.7. However, the Python SDK can also be run directly on the Check Point management server (Smart Management), which supports only Python 2.7, so the last section gives code for version 2.7. Right after installing the module, I recommend looking at the examples in the examples_python2 and examples_python3 directories.

Getting Started

To be able to work with the components of the cpapi module, we need to import at least two required classes from it:

APIClient and APIClientArgs

from cpapi import APIClient, APIClientArgs

The APIClientArgs class is responsible for the parameters of the connection to the API server, and the APIClient class is responsible for interacting with the API.

Defining connection parameters

To define the various parameters for connecting to the API, you need to create an instance of the APIClientArgs class. In principle, its parameters are predefined, and when the script runs on the management server they do not need to be specified.

client_args = APIClientArgs()

But when running on a third-party host, you need to specify at least the IP address or hostname of the API server (also known as the management server). In the example below, we define the server connection parameter and assign it the management server's IP address as a string.

client_args = APIClientArgs(server='192.168.47.241')

Let's look at all the parameters, and their default values, that can be used when connecting to the API server:

Arguments of the __init__ method of the APIClientArgs class

class APIClientArgs:
    """
    This class provides arguments for APIClient configuration.
    All the arguments are configured with their default values.
    """

    # port is set to None by default, but it gets replaced with 443 if not specified
    # context possible values - web_api (default) or gaia_api
    def __init__(self, port=None, fingerprint=None, sid=None, server="127.0.0.1", http_debug_level=0,
                 api_calls=None, debug_file="", proxy_host=None, proxy_port=8080,
                 api_version=None, unsafe=False, unsafe_auto_accept=False, context="web_api"):
        self.port = port
        # management server fingerprint
        self.fingerprint = fingerprint
        # session-id.
        self.sid = sid
        # management server name or IP-address
        self.server = server
        # debug level
        self.http_debug_level = http_debug_level
        # an array with all the api calls (for debug purposes)
        self.api_calls = api_calls if api_calls else []
        # name of debug file. If left empty, debug data will not be saved to disk.
        self.debug_file = debug_file
        # HTTP proxy server address (without "http://")
        self.proxy_host = proxy_host
        # HTTP proxy port
        self.proxy_port = proxy_port
        # Management server's API version
        self.api_version = api_version
        # Indicates that the client should not check the server's certificate
        self.unsafe = unsafe
        # Indicates that the client should automatically accept and save the server's certificate
        self.unsafe_auto_accept = unsafe_auto_accept
        # The context of using the client - defaults to web_api
        self.context = context

I believe the arguments that can be used in instances of the APIClientArgs class are intuitive to Check Point administrators and need no additional comments.

Connecting via APIClient and the context manager

The most convenient way to use the APIClient class is through a context manager. All that needs to be passed to an instance of the APIClient class is the connection parameters defined in the previous step.

with APIClient(client_args) as client:

The context manager does not automatically make a login call to the API server, but it does make a logout call when you exit it. If for some reason a logout is not needed after you finish working with API calls, you need to work without the context manager:

client = APIClient(client_args)

Checking the connection

The easiest way to check whether the connection works with the specified parameters is to use the check_fingerprint method. If verification of the SHA-1 hash of the API server certificate's fingerprint fails (the method returned False), this is usually caused by connection problems, and we can stop the program (or give the user a chance to correct the connection data):

    if client.check_fingerprint() is False:
        print("Could not get the server's fingerprint - Check connectivity with the server.")
        exit(1)

Note that from then on the APIClient class checks the SHA-1 fingerprint of the API server's certificate on every API call (the api_call and api_query methods; we will talk about them a little later). But if an error is detected while checking the SHA-1 fingerprint of the API server's certificate (the certificate is unknown or has changed), the check_fingerprint method offers to add or update the information about it on the local machine automatically. This check can be disabled entirely (but that can only be recommended when scripts are run on the API server itself, connecting to 127.0.0.1), using the APIClientArgs argument unsafe_auto_accept (see more about APIClientArgs earlier in "Defining connection parameters").

client_args = APIClientArgs(unsafe_auto_accept=True)
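
The difference between prompting, auto-accepting and pinning is easiest to see side by side. The block below is an added example, not code from the SDK or from the original article: it models the decision described above on constructed certificate bytes, and the names decide, records and pinned are made up for the illustration (pinned stands for a fingerprint obtained out of band, which is an assumption about how you would use it).

```python
import hashlib
import hmac

# Constructed stand-ins for DER-encoded certificates (not real certificates).
CERT_ORIGINAL = b"constructed DER bytes: management server certificate"
CERT_OTHER = b"constructed DER bytes: a different certificate on the same IP"


def sha1_fingerprint(cert_der):
    """Hex SHA-1 over the certificate's DER bytes, upper case, no separators."""
    return hashlib.sha1(cert_der).hexdigest().upper()


def normalize(fingerprint):
    """Accept 'aa:bb:..', 'AA BB ..' or plain hex for stored and pinned values."""
    return "".join(ch for ch in fingerprint if ch not in ": ").upper()


def decide(server, cert_der, records, pinned=None, auto_accept=False):
    """Return (trusted, reason) for one connection attempt.

    records      dict server -> fingerprint, standing in for the local record
    pinned       fingerprint obtained out of band; when set, nothing else counts
    auto_accept  plays the role of unsafe_auto_accept
    """
    seen = sha1_fingerprint(cert_der)
    if pinned is not None:
        ok = hmac.compare_digest(normalize(pinned), seen)
        return ok, "pinned-match" if ok else "pinned-mismatch"
    known = records.get(server)
    if known is not None and hmac.compare_digest(normalize(known), seen):
        return True, "record-match"
    state = "unknown" if known is None else "changed"
    if auto_accept:
        # The previous record is overwritten without anyone being asked.
        records[server] = seen
        return True, "auto-accepted-" + state
    return False, state


if __name__ == "__main__":
    store = {}
    server = "192.168.47.241"
    print(decide(server, CERT_ORIGINAL, store, auto_accept=True))
    print(decide(server, CERT_OTHER, store))                    # refused
    print(decide(server, CERT_OTHER, store, auto_accept=True))  # accepted
```

With auto-accept on, a certificate that has changed since the last run is trusted exactly like the first one, which is why the setting only makes sense against 127.0.0.1.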

Logging in to the API server

APIClient has as many as 3 methods for logging in to the API server, and each of them obtains the sid (session-id) value, which is then used automatically in the header of every subsequent API call (the header name for this parameter is X-chkp-sid), so there is no need to handle this parameter yourself.

The login method

Option using a login and password (in the example, the username admin and the password 1q2w3e are passed as positional arguments):

     login = client.login('admin', '1q2w3e')  

Additional optional parameters are also available in the login method; here are their names and default values:

continue_last_session=False, domain=None, read_only=False, payload=None

The login_with_api_key method

Option using an API key (supported starting with management version R80.40 / Management API v1.6; "3TsbPJ8ZKjaJGvFyoFqHFA==" is the API key value for one of the users on the management server that uses the API key authentication method):

     login = client.login_with_api_key('3TsbPJ8ZKjaJGvFyoFqHFA==') 

The login_with_api_key method has the same optional parameters as the login method.

The login_as_root method

Option for logging in on the local machine that hosts the API server:

     login = client.login_as_root()

Only two optional parameters are available for this method:

domain=None, payload=None

And finally, the API calls themselves

We have two options for making API calls: the api_call and api_query methods. Let's see what the difference between them is.

api_call

This method is suitable for any call. We need to pass the last part of the API call (the command name) and, if necessary, the payload for the request body. If the payload is empty, it can be omitted entirely:

api_versions = client.api_call('show-api-versions') 

Result of this request:

In [23]: api_versions                                                           
Out[23]: 
APIResponse({
    "data": {
        "current-version": "1.6",
        "supported-versions": [
            "1",
            "1.1",
            "1.2",
            "1.3",
            "1.4",
            "1.5",
            "1.6"
        ]
    },
    "res_obj": {
        "data": {
            "current-version": "1.6",
            "supported-versions": [
                "1",
                "1.1",
                "1.2",
                "1.3",
                "1.4",
                "1.5",
                "1.6"
            ]
        },
        "status_code": 200
    },
    "status_code": 200,
    "success": true
})

show_host = client.api_call('show-host', {'name' : 'h_8.8.8.8'})

Result of this request:

In [25]: show_host                                                              
Out[25]: 
APIResponse({
    "data": {
        "color": "black",
        "comments": "",
        "domain": {
            "domain-type": "domain",
            "name": "SMC User",
            "uid": "41e821a0-3720-11e3-aa6e-0800200c9fde"
        },
        "groups": [],
        "icon": "Objects/host",
        "interfaces": [],
        "ipv4-address": "8.8.8.8",
        "meta-info": {
            "creation-time": {
                "iso-8601": "2020-05-01T21:49+0300",
                "posix": 1588358973517
            },
            "creator": "admin",
            "last-modifier": "admin",
            "last-modify-time": {
                "iso-8601": "2020-05-01T21:49+0300",
                "posix": 1588358973517
            },
            "lock": "unlocked",
            "validation-state": "ok"
        },
        "name": "h_8.8.8.8",
        "nat-settings": {
            "auto-rule": false
        },
        "read-only": false,
        "tags": [],
        "type": "host",
        "uid": "c210af07-1939-49d3-a351-953a9c471d9e"
    },
    "res_obj": {
        "data": {
            "color": "black",
            "comments": "",
            "domain": {
                "domain-type": "domain",
                "name": "SMC User",
                "uid": "41e821a0-3720-11e3-aa6e-0800200c9fde"
            },
            "groups": [],
            "icon": "Objects/host",
            "interfaces": [],
            "ipv4-address": "8.8.8.8",
            "meta-info": {
                "creation-time": {
                    "iso-8601": "2020-05-01T21:49+0300",
                    "posix": 1588358973517
                },
                "creator": "admin",
                "last-modifier": "admin",
                "last-modify-time": {
                    "iso-8601": "2020-05-01T21:49+0300",
                    "posix": 1588358973517
                },
                "lock": "unlocked",
                "validation-state": "ok"
            },
            "name": "h_8.8.8.8",
            "nat-settings": {
                "auto-rule": false
            },
            "read-only": false,
            "tags": [],
            "type": "host",
            "uid": "c210af07-1939-49d3-a351-953a9c471d9e"
        },
        "status_code": 200
    },
    "status_code": 200,
    "success": true
})

api_query

Let me note right away that this method applies only to calls whose output involves an offset. Such output occurs when the response contains, or may contain, a large amount of information. For example, this could be a request for the list of all host objects created on the management server. For such requests, the API returns a list of 50 objects by default (you can raise the limit to 500 objects per response). So that you do not have to pull the information several times, changing the offset parameter in the API request each time, there is the api_query method, which does this work automatically. Examples of calls where this method is needed: show-sessions, show-hosts, show-networks, show-wildcards, show-groups, show-address-ranges, show-simple-gateways, show-simple-clusters, show-access-roles, show-trusted-clients, show-packages. In fact, the names of these API calls all contain plural words, so such calls are easier to handle through api_query.

show_hosts = client.api_query('show-hosts') 

Result of this request:

In [21]: show_hosts                                                             
Out[21]: 
APIResponse({
    "data": [
        {
            "domain": {
                "domain-type": "domain",
                "name": "SMC User",
                "uid": "41e821a0-3720-11e3-aa6e-0800200c9fde"
            },
            "ipv4-address": "192.168.47.1",
            "name": "h_192.168.47.1",
            "type": "host",
            "uid": "5d7d7086-d70b-4995-971a-0583b15a2bfc"
        },
        {
            "domain": {
                "domain-type": "domain",
                "name": "SMC User",
                "uid": "41e821a0-3720-11e3-aa6e-0800200c9fde"
            },
            "ipv4-address": "8.8.8.8",
            "name": "h_8.8.8.8",
            "type": "host",
            "uid": "c210af07-1939-49d3-a351-953a9c471d9e"
        }
    ],
    "res_obj": {
        "data": {
            "from": 1,
            "objects": [
                {
                    "domain": {
                        "domain-type": "domain",
                        "name": "SMC User",
                        "uid": "41e821a0-3720-11e3-aa6e-0800200c9fde"
                    },
                    "ipv4-address": "192.168.47.1",
                    "name": "h_192.168.47.1",
                    "type": "host",
                    "uid": "5d7d7086-d70b-4995-971a-0583b15a2bfc"
                },
                {
                    "domain": {
                        "domain-type": "domain",
                        "name": "SMC User",
                        "uid": "41e821a0-3720-11e3-aa6e-0800200c9fde"
                    },
                    "ipv4-address": "8.8.8.8",
                    "name": "h_8.8.8.8",
                    "type": "host",
                    "uid": "c210af07-1939-49d3-a351-953a9c471d9e"
                }
            ],
            "to": 2,
            "total": 2
        },
        "status_code": 200
    },
    "status_code": 200,
    "success": true
})
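
What api_query saves you from writing is the offset loop. The block below is an added example, not the SDK's implementation and not code from the original article: fetch_all walks a paged show-* command using only api_call, success and data as shown on this page, plus the API's limit and offset parameters, and FakeManagement is a constructed in-memory stand-in for the management server so the loop can run offline.

```python
from collections import namedtuple

# Minimal reply shape: the two APIResponse attributes the loop relies on.
Reply = namedtuple("Reply", "success data")


class FakeManagement:
    """Constructed stand-in for the server: pages through generated hosts and
    reports from / to / total like the res_obj shown above."""

    def __init__(self, count):
        self.hosts = [{"name": "h_10.0.0.{}".format(i + 1), "type": "host"}
                      for i in range(count)]
        self.calls = 0

    def api_call(self, command, payload=None):
        payload = payload or {}
        self.calls += 1
        limit = min(int(payload.get("limit", 50)), 500)
        offset = int(payload.get("offset", 0))
        page = self.hosts[offset:offset + limit]
        data = {"objects": page, "total": len(self.hosts)}
        if page:
            data["from"] = offset + 1
            data["to"] = offset + len(page)
        return Reply(True, data)


def fetch_all(client, command, limit=50, container="objects"):
    """Collect every object of a paged command by advancing the offset."""
    if not 1 <= limit <= 500:
        raise ValueError("limit must be between 1 and 500")
    collected = []
    offset = 0
    while True:
        reply = client.api_call(command, {"limit": limit, "offset": offset})
        if not reply.success:
            raise RuntimeError("{} failed at offset {}".format(command, offset))
        page = reply.data.get(container, [])
        collected.extend(page)
        # Stop on an empty page as well: if objects are deleted while we walk,
        # "total" shrinks and trusting it alone could loop forever.
        if not page or reply.data.get("to", 0) >= reply.data["total"]:
            return collected
        offset = reply.data["to"]


if __name__ == "__main__":
    server = FakeManagement(120)
    hosts = fetch_all(server, "show-hosts")
    print(len(hosts), "objects in", server.calls, "calls")
```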

Processing the results of API calls

After this you can use the variables and methods of the APIResponse class (both inside the context manager and outside it). The APIResponse class has 4 predefined methods and 5 variables; we will dwell on the most important ones in more detail.

success

First of all, it is a good idea to make sure that the API call was successful and returned a result. For this there is success:

In [49]: api_versions.success                                                   
Out[49]: True

It returns True if the API call was successful (response code 200) and False if it was not (any other response code). It is convenient to use right after an API call to display different information depending on the response code.

if api_versions.success:
    print(api_versions.data)
else:
    print(api_versions.error_message)

status_code

Returns the response code after the API call has been made.

In [62]: api_versions.status_code                                               
Out[62]: 400

Possible response codes: 200, 400, 401, 403, 404, 409, 500, 501.

set_success_status

In some cases you may need to change the value of the success status. Technically, you can put anything there, even an ordinary string. But a realistic use is resetting this parameter to False under certain accompanying conditions. Below, note the example where tasks are running on the management server, but we treat the request as unsuccessful (we set the success variable to False, even though the API call was successful and returned code 200).

for task in task_result.data["tasks"]:
    if task["status"] == "failed" or task["status"] == "partially succeeded":
        task_result.set_success_status(False)
        break

response()

The response method lets you view a dictionary with the response code (status_code) and the response body (body).

In [94]: api_versions.response()                                                
Out[94]: 
{'status_code': 200,
 'data': {'current-version': '1.6',
  'supported-versions': ['1', '1.1', '1.2', '1.3', '1.4', '1.5', '1.6']}}

data

Lets you view only the response body (body), without the extra information.

In [93]: api_versions.data                                                      
Out[93]: 
{'current-version': '1.6',
 'supported-versions': ['1', '1.1', '1.2', '1.3', '1.4', '1.5', '1.6']}

error_message

This information is available only when an error occurred while processing the API request (response code other than 200). Example output:

In [107]: api_versions.error_message
Out[107]: 'code: generic_err_invalid_parameter_name\nmessage: Unrecognized parameter [1]\n'

Useful examples

The following examples use the API calls added in Management API 1.6.

First, let's look at how the add-host and add-address-range calls work. Suppose we need to create all the IP addresses of the 192.168.0.0/24 subnet whose last octet is a multiple of 5 as objects of type host, and write all the other IP addresses as objects of type address-range. In doing so, we skip the subnet address and the broadcast address.

So, below is a script that solves this problem and creates 50 objects of type host and 51 objects of type address-range. Solving the problem takes 101 API calls (not counting the final publish call). Also, using the timeit module, we measure the time it takes to execute the script up to the point where the changes are published.

Script using add-host and add-address-range

import timeit
from cpapi import APIClient, APIClientArgs

start = timeit.default_timer()

first_ip = 1
last_ip = 4

client_args = APIClientArgs(server="192.168.47.240")

with APIClient(client_args) as client: 
     login = client.login_with_api_key('3TsbPJ8ZKjaJGvFyoFqHFA==')
     for ip in range(5,255,5):
         add_host = client.api_call("add-host", {"name" : f"h_192.168.0.{ip}", "ip-address": f'192.168.0.{ip}'})
     while last_ip < 255:
         add_range = client.api_call("add-address-range", {"name": f"r_192.168.0.{first_ip}-{last_ip}", "ip-address-first": f"192.168.0.{first_ip}", "ip-address-last": f"192.168.0.{last_ip}"})
         first_ip+=5
         last_ip+=5
     stop = timeit.default_timer() 
     publish = client.api_call("publish")
     
print(f'Time to execute batch request: {stop - start} seconds')

In my lab environment, this script takes between 30 and 50 seconds to execute, depending on the load on the management server.

Now let's see how to solve the same problem using the add-objects-batch API call, support for which was added in API version 1.6. This call lets you create many objects at once in a single API request. Moreover, these can be objects of different types (for example, hosts, subnets and address ranges). So our task can be solved within a single API call.

Script using add-objects-batch

import timeit
from cpapi import APIClient, APIClientArgs

start = timeit.default_timer()

client_args = APIClientArgs(server="192.168.47.240")

objects_list_ip = []
objects_list_range = []

for ip in range(5,255,5):
    data = {"name": f'h_192.168.0.{ip}', "ip-address": f'192.168.0.{ip}'}
    objects_list_ip.append(data)
    
first_ip = 1
last_ip = 4


while last_ip < 255:
    data = {"name": f"r_192.168.0.{first_ip}-{last_ip}", "ip-address-first": f"192.168.0.{first_ip}", "ip-address-last": f"192.168.0.{last_ip}"}
    objects_list_range.append(data)
    first_ip+=5
    last_ip+=5

data_for_batch = {
  "objects" : [ {
    "type" : "host",
    "list" : objects_list_ip
}, {
    "type" : "address-range",
    "list" : objects_list_range
  }]
}


with APIClient(client_args) as client: 
     login = client.login_with_api_key('3TsbPJ8ZKjaJGvFyoFqHFA==')
     add_objects_batch = client.api_call("add-objects-batch", data_for_batch)
     stop = timeit.default_timer() 
     publish = client.api_call("publish")
     
print(f'Time to execute batch request: {stop - start} seconds')

Running this script in my lab environment takes from 3 to 7 seconds, depending on the load on the management server. That is, on average, for 101 API objects, the batch-type call runs 10 times faster. With a larger number of objects the difference will be even more impressive.

Now let's see how to work with set-objects-batch. With this API call we can change any parameter in bulk. Let's set the first half of the addresses from the previous example (hosts up to .124, and the ranges as well) to the color sienna, and assign the color khaki to the second half of the addresses.

Changing the color of the objects created in the previous example

from cpapi import APIClient, APIClientArgs

client_args = APIClientArgs(server="192.168.47.240")

objects_list_ip_first = []
objects_list_range_first = []
objects_list_ip_second = []
objects_list_range_second = []

for ip in range(5,125,5):
    data = {"name": f'h_192.168.0.{ip}', "color": "sienna"}
    objects_list_ip_first.append(data)
    
for ip in range(125,255,5):
    data = {"name": f'h_192.168.0.{ip}', "color": "khaki"}
    objects_list_ip_second.append(data)
    
first_ip = 1
last_ip = 4
while last_ip < 125:
    data = {"name": f"r_192.168.0.{first_ip}-{last_ip}", "color": "sienna"}
    objects_list_range_first.append(data)
    first_ip+=5
    last_ip+=5
    
while last_ip < 255:
    data = {"name": f"r_192.168.0.{first_ip}-{last_ip}", "color": "khaki"}
    objects_list_range_second.append(data)
    first_ip+=5
    last_ip+=5

data_for_batch_first  = {
  "objects" : [ {
    "type" : "host",
    "list" : objects_list_ip_first
}, {
    "type" : "address-range",
    "list" : objects_list_range_first
  }]
}

data_for_batch_second  = {
  "objects" : [ {
    "type" : "host",
    "list" : objects_list_ip_second
}, {
    "type" : "address-range",
    "list" : objects_list_range_second
  }]
}

with APIClient(client_args) as client: 
     login = client.login_with_api_key('3TsbPJ8ZKjaJGvFyoFqHFA==') 
     set_objects_batch_first = client.api_call("set-objects-batch", data_for_batch_first)
     set_objects_batch_second = client.api_call("set-objects-batch", data_for_batch_second)
     publish = client.api_call("publish")

You can delete multiple objects in a single API call using delete-objects-batch. Now let's look at a code example that deletes all the hosts created earlier via add-objects-batch.

Deleting objects using delete-objects-batch

from cpapi import APIClient, APIClientArgs

client_args = APIClientArgs(server="192.168.47.240")

objects_list_ip = []
objects_list_range = []

for ip in range(5,255,5):
    data = {"name": f'h_192.168.0.{ip}'}
    objects_list_ip.append(data)

first_ip = 1
last_ip = 4
while last_ip < 255:
    data = {"name": f"r_192.168.0.{first_ip}-{last_ip}"}
    objects_list_range.append(data)
    first_ip+=5
    last_ip+=5

data_for_batch = {
  "objects" : [ {
    "type" : "host",
    "list" : objects_list_ip
}, {
    "type" : "address-range",
    "list" : objects_list_range
  }]
}

with APIClient(client_args) as client: 
     login = client.login_with_api_key('3TsbPJ8ZKjaJGvFyoFqHFA==')
     delete_objects_batch = client.api_call("delete-objects-batch", data_for_batch)
     publish = client.api_call("publish")

print(delete_objects_batch.data)

Every feature that appears in new releases of Check Point software gets API calls right away. Thus, in R80.40 "features" such as Revert to revision and Smart Task appeared, and corresponding API calls were prepared for them immediately. Moreover, all functionality that moves from the Legacy consoles to Unified Policy mode also gets API support. For example, a long-awaited update in software version R80.40 was the move of the HTTPS Inspection policy from Legacy mode to Unified Policy mode, and this functionality got API calls right away. Here is an example of code that adds a rule at the top position of the HTTPS Inspection policy, excluding 3 categories from inspection (Health, Finance, Government Services), which are prohibited from inspection by law in a number of countries.

Adding a rule to the HTTPS Inspection policy

from cpapi import APIClient, APIClientArgs

client_args = APIClientArgs(server="192.168.47.240")

data = {
  "layer" : "Default Layer",
  "position" : "top",
  "name" : "Legal Requirements",
  "action": "bypass",
  "site-category": ["Health", "Government / Military", "Financial Services"]
}

with APIClient(client_args) as client: 
     login = client.login_with_api_key('3TsbPJ8ZKjaJGvFyoFqHFA==')
     add_https_rule = client.api_call("add-https-rule", data)
     publish = client.api_call("publish")

Running Python scripts on the Check Point management server

The same README.md contains information on how to run Python scripts directly from the management server. This can be convenient when you cannot connect to the API server from another machine. I recorded a six-minute video in which I look at installing the cpapi module and the specifics of running Python scripts on the management server. As an example, a script is run that automates the configuration of a new gateway for a task such as a Security CheckUp network audit. Among the specifics I had to deal with: the input function has not yet appeared in Python 2.7, so the raw_input function is used to process the information the user enters. Otherwise, the code is the same as for launching from other machines, except that it is more convenient to use the login_as_root function, so as not to specify your username, password and the IP address of the management server again.

Script for quick setup of Security CheckUp

from __future__ import print_function
import getpass
import sys, os
sys.path.append(os.path.abspath(os.path.join(os.path.dirname(__file__), '..')))
from cpapi import APIClient, APIClientArgs

def main():
    with APIClient() as client:
       # if client.check_fingerprint() is False:
       #     print("Could not get the server's fingerprint - Check connectivity with the server.")
       #     exit(1)
        login_res = client.login_as_root()

        if login_res.success is False:
            print("Login failed:\n{}".format(login_res.error_message))
            exit(1)

        gw_name = raw_input("Enter the gateway name:")
        gw_ip = raw_input("Enter the gateway IP address:")
        if sys.stdin.isatty():
            sic = getpass.getpass("Enter one-time password for the gateway(SIC): ")
        else:
            print("Attention! Your password will be shown on the screen!")
            sic = raw_input("Enter one-time password for the gateway(SIC): ")
        version = raw_input("Enter the gateway version(like RXX.YY):")
        add_gw = client.api_call("add-simple-gateway", {'name' : gw_name, 'ipv4-address' : gw_ip, 'one-time-password' : sic, 'version': version.capitalize(), 'application-control' : 'true', 'url-filtering' : 'true', 'ips' : 'true', 'anti-bot' : 'true', 'anti-virus' : 'true', 'threat-emulation' : 'true'})
        if add_gw.success and add_gw.data['sic-state'] != "communicating":
            print("Secure connection with the gateway hasn't established!")
            exit(1)
        elif add_gw.success:
            print("The gateway was added successfully.")
            gw_uid = add_gw.data['uid']
            gw_name = add_gw.data['name']
        else:
            print("Failed to add the gateway - {}".format(add_gw.error_message))
            exit(1)

        change_policy = client.api_call("set-access-layer", {"name" : "Network", "applications-and-url-filtering": "true", "content-awareness": "true"})
        if change_policy.success:
            print("The policy has been changed successfully")
        else:
            print("Failed to change the policy- {}".format(change_policy.error_message))
        change_rule = client.api_call("set-access-rule", {"name" : "Cleanup rule", "layer" : "Network", "action": "Accept", "track": {"type": "Detailed Log", "accounting": "true"}})
        if change_rule.success:
            print("The cleanup rule has been changed successfully")
        else:
            print("Failed to change the cleanup rule- {}".format(change_rule.error_message))

        # publish the result
        publish_res = client.api_call("publish", {})
        if publish_res.success:
            print("The changes were published successfully.")
        else:
            print("Failed to publish the changes - {}".format(publish_res.error_message))

        install_access_policy = client.api_call("install-policy", {"policy-package" : "Standard", "access" : 'true',  "threat-prevention" : 'false', "targets" : gw_uid})
        if install_access_policy.success:
            print("The access policy has been installed")
        else:
            print("Failed to install access policy - {}".format(install_access_policy.error_message))

        install_tp_policy = client.api_call("install-policy", {"policy-package" : "Standard", "access" : 'false',  "threat-prevention" : 'true', "targets" : gw_uid})
        if install_tp_policy.success:
            print("The threat prevention policy has been installed")
        else:
            print("Failed to install threat prevention policy - {}".format(install_tp_policy.error_message))
        
        # add passwords and passphrases to dictionary
        with open('additional_pass.conf') as f:
            line_num = 0
            for line in f:
                line_num += 1
                add_password_dictionary = client.api_call("run-script", {"script-name" : "Add passwords and passphrases", "script" : "printf \"{}\" >> $FWDIR/conf/additional_pass.conf".format(line), "targets" : gw_name})
                if add_password_dictionary.success:
                    print("The password dictionary line {} was added successfully".format(line_num))
                else:
                    print("Failed to add the dictionary - {}".format(add_password_dictionary.error_message))

main()

Example file with the password dictionary, additional_pass.conf
{
"passwords" : ["malware","malicious","infected","Infected"],
"phrases" : ["password","Password","Pass","pass","codigo","key","pwd","пароль","Пароль","Ключ","ключ","шифр","Шифр"] }
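
The run-script call in the script above pastes each line of additional_pass.conf between double quotes in a shell command and also uses it as the printf format string, so the double quotes, `%` and `$` in a line are consumed by the shell or by printf instead of being written to the gateway. The block below is an added example, not code from the original article: it builds the same command both ways and replays it with a local `sh` in a scratch `$FWDIR`, which assumes that run-script hands the string to a shell; the third sample line is constructed.

```python
import os
import shlex
import subprocess
import tempfile

# Constructed input: the first two lines of the sample file on this page plus
# one constructed line carrying printf and shell metacharacters.
SAMPLE_LINES = [
    '{\n',
    '"passwords" : ["malware","malicious","infected","Infected"],\n',
    '"phrases" : ["password","100%sure","$HOME"] }\n',
]
TARGET = '$FWDIR/conf/additional_pass.conf'


def naive_script(line):
    """The command as the script above builds it."""
    return 'printf "{}" >> {}'.format(line, TARGET)


def quoted_script(line):
    """Fixed format string; the line travels as one single-quoted argument.
    shlex.quote is Python 3; on Python 2.7 the equivalent is pipes.quote."""
    return "printf '%s\\n' {} >> \"{}\"".format(
        shlex.quote(line.rstrip('\n')), TARGET)


def run_script_payload(line, gateway, build=quoted_script):
    """Payload for the run-script call; only the 'script' value differs."""
    return {
        "script-name": "Add passwords and passphrases",
        "script": build(line),
        "targets": gateway,
    }


def replay_locally(lines, build):
    """Run every generated command with sh and return the file it produced."""
    with tempfile.TemporaryDirectory() as fwdir:
        os.mkdir(os.path.join(fwdir, 'conf'))
        env = dict(os.environ, FWDIR=fwdir, HOME='/constructed-home')
        for line in lines:
            script = run_script_payload(line, 'gw-example', build)["script"]
            subprocess.run(['sh', '-c', script], env=env,
                           stdout=subprocess.DEVNULL,
                           stderr=subprocess.DEVNULL)
        with open(os.path.join(fwdir, 'conf', 'additional_pass.conf')) as f:
            return f.read()


if __name__ == "__main__":
    print("as written on the page:")
    print(replay_locally(SAMPLE_LINES, naive_script))
    print("with quoting:")
    print(replay_locally(SAMPLE_LINES, quoted_script))
```

The first replay loses every double quote and expands `$HOME`, so the file that reaches the gateway is no longer the one on disk; the second is byte-for-byte identical to the input.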

Conclusion

This article covers only the basic capabilities of the Python SDK and the cpapi module (as you may have guessed, these are in fact synonyms), and by studying the code in this module you will discover even more possibilities for working with it. You may well want to extend it with your own classes, functions, methods and variables. You can always share your work and look at other scripts for Check Point in the CodeHub section of the CheckMates community, which brings together both product developers and users.

Happy coding, and thanks for reading to the end!

Source: www.habr.com
