Check Point R80.10 API. Management via CLI, scripts and more

I am sure that everyone who has ever worked with Check Point has complained about the impossibility of editing the configuration from the command line. This is especially strange for those who previously worked with Cisco ASA, where absolutely everything can be configured in the CLI. With Check Point it is the other way round: all security settings are made only from the graphical interface. However, some things are simply inconvenient to do through the GUI (even one as convenient as Check Point's). For example, the task of adding 100 new hosts or networks turns into a long and tedious procedure. For each object you have to click the mouse several times and enter an IP address. The same goes for creating a group of sites or mass enabling/disabling of IPS signatures. In this situation there is a high probability of making a mistake.

A "miracle" happened recently. With the release of the new Gaia R80 version, the ability to use an API was announced, which opens up wide opportunities for automating configuration, administration, monitoring and so on. Now you can:

  • create objects;
  • add or edit access lists;
  • enable/disable blades;
  • configure network interfaces;
  • install policies;
  • and much more.

Honestly, I don't understand how this news passed Habr by. In this article we will briefly describe how to use the API and give several practical examples of configuring Check Point using scripts.

I want to make a reservation right away that the API is used only on the Management server. That is, it is still impossible to manage gateways without a Management server.

Who can use this API in principle?

  1. System administrators who want to simplify or automate routine Check Point configuration tasks;
  2. Companies that want to integrate Check Point with other solutions (virtualization systems, ticketing systems, configuration management systems, etc.);
  3. System integrators who want to standardize settings or create additional products related to Check Point.

The usual scheme

So, let's imagine the usual scheme with Check Point:

[image]

As usual we have a gateway (SG), a management server (SMS) and an administrator console (SmartConsole). In this case the usual gateway configuration process looks like this:

[image]

That is, first you need to launch SmartConsole on the administrator's computer, with which we connect to the Management server (SMS). Security settings are made on the SMS, and only then applied (install policy) to the gateway (SG).

When using the Management API, we can essentially skip the first step (launching SmartConsole) and send API commands directly to the Management server (SMS).

Ways to use the API

There are four main ways to edit the configuration using the API:

1) Using the mgmt_cli utility

Example: # mgmt_cli add host name host1 ip-address 192.168.2.100
This command is run from the command line of the Management Server (SMS). I think the command syntax is clear: a host host1 is created with the address 192.168.2.100.

2) Entering API commands via clish (in expert mode)

Essentially, all you need to do is enter the command line (mgmt login) under the account used when connecting via SmartConsole (or the root account). Then you can enter API commands (in this mode there is no need to use the mgmt_cli utility before each command). You can create full-fledged BASH scripts. An example of a script that creates a host:

Bash script

#!/bin/bash

main() {
    clear

    #LOGIN (don't ask for username and password, user is already logged in to Management server as 'root' user)
    mgmt_cli login --root true > id_add_host.txt
    on_error_print_and_exit "Error: Failed to login, check that the server is up and running (run 'api status')"

    #READ HOST NAME
    printf "Enter host name:\n"
    read -e host_name
    on_empty_input_print_and_exit "$host_name" "Error: The host's name cannot be empty."

    #READ IP ADDRESS
    printf "\nEnter host IP address:\n"
    read -e ip
    on_empty_input_print_and_exit "$ip" "Error: The host's IP address cannot be empty."

    #CREATE HOST (the session id saved by login is passed with -s)
    printf "Creating new host: %s with IP address: %s\n" "$host_name" "$ip"
    new_host_response=$(mgmt_cli add host name "$host_name" ip-address "$ip" -s id_add_host.txt 2> /dev/null)
    on_error_print_and_exit "Error: Failed to create host object. \n$new_host_response"

    #PUBLISH THE CHANGES
    printf "\nPublishing the changes\n"
    mgmt_cli publish --root true -s id_add_host.txt &> /dev/null
    on_error_print_and_exit "Error: Failed to publish the changes."

    #LOGOUT
    logout

    printf "Done.\n"
}

logout(){
    mgmt_cli logout --root true -s id_add_host.txt &> /dev/null
}

# Must be called immediately after the command to check: it reads that command's exit status
on_error_print_and_exit(){
    if [ $? -ne 0 ]; then
        handle_error "$1"
    fi
}

handle_error(){
    printf "\n%b\n" "$1" #print error message (%b expands the \n inside the message)
    mgmt_cli discard --root true -s id_add_host.txt &> /dev/null #drop the unpublished changes
    logout
    exit 1
}

on_empty_input_print_and_exit(){
    if [ -z "$1" ]; then
        printf "%b\n" "$2" #print error message
        logout
        exit 0
    fi
}

# Script starts here. Call function "main".
main

If you are interested, you can watch the corresponding video:

3) Via SmartConsole, by opening a CLI window

All you need to do is open a CLI window directly from SmartConsole, as shown in the picture below.

[image]

In this window you can start entering API commands right away.

4) Web services. Using HTTPS requests (REST API)

In our opinion, this is one of the most promising methods, because it allows you to "build" entire applications on top of management server management (sorry for the tautology). Below we will look at this method in a little more detail.

To summarize:

  1. API + cli is most suitable for people used to Cisco;
  2. API + shell for applying scripts and performing routine tasks;
  3. REST API for automation.

Enabling the API

By default, the API is enabled on management servers with more than 4GB of RAM and on standalone configurations with more than 8GB of RAM. You can check its status with the command: api status

If it turns out that the API is disabled, it is easy to enable it via SmartConsole: Manage & Settings > Blades > Management API > Advanced Settings

[image]

Then publish the change and run the command api restart.

Web requests + Python

To execute API commands, you can use web requests from Python with the requests and json libraries. In general, the structure of a web request consists of three parts:

1) Address

(https://<management server>:<port>/web_api/<command>)


2) HTTP headers

Content-Type: application/json
X-chkp-sid: <session ID token as returned by the login command>


3) Request payload

Text in JSON format containing the various parameters

An example function for calling arbitrary commands:


import json
import requests


def api_call(ip_addr, port, command, json_payload, sid):
    # URL: https://<management server>:<port>/web_api/<command>
    url = 'https://' + ip_addr + ':' + str(port) + '/web_api/' + command
    # the login command is sent without a session id; every other command carries it in X-chkp-sid
    if sid == "":
        request_headers = {'Content-Type': 'application/json'}
    else:
        request_headers = {'Content-Type': 'application/json', 'X-chkp-sid': sid}
    # verify=False skips TLS certificate validation (self-signed server cert);
    # with a trusted CA, pass verify='<path to CA bundle>' instead
    r = requests.post(url, data=json.dumps(json_payload), headers=request_headers, verify=False)
    return r.json()

'xxx.xxx.xxx.xxx' is the IP address of the Gaia management server.
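An added example (not from the article) that wraps the request shape above the way a practitioner would use it in a script: the response body is checked for the API's error fields instead of being returned silently, a failed command discards the session's unpublished changes rather than leaving them pending, and the session is always logged out. It assumes that a failed command answers with a non-200 status and a body carrying "code" and "message", takes the HTTP function as a parameter (requests.post in production) so it can be exercised offline, and uses a CA bundle path for verify instead of the article's verify=False.

```python
import json


def api_call(post, ip_addr, port, command, json_payload, sid="", verify="/path/to/ca-bundle.pem"):
    """Same request shape as the article's api_call (URL, JSON headers, X-chkp-sid).
    'post' is the HTTP function (requests.post in production); it is injected so the
    logic can be exercised offline. 'verify' is a CA bundle path instead of False."""
    url = "https://%s:%d/web_api/%s" % (ip_addr, port, command)
    headers = {"Content-Type": "application/json"}
    if sid:
        headers["X-chkp-sid"] = sid
    r = post(url, data=json.dumps(json_payload), headers=headers, verify=verify)
    body = r.json()
    # Assumption: a failed command answers with a non-200 status and a body carrying
    # "code" and "message"; treat either as failure instead of returning it silently.
    if r.status_code != 200 or "code" in body:
        raise RuntimeError("%s failed: %s" % (command, body.get("message", body)))
    return body


def run_session(post, ip_addr, user, password, changes, port=443):
    """Log in, apply 'changes' (a list of (command, payload) pairs) inside one session,
    publish only when every command succeeded, otherwise discard, and always log out.
    Returns the list of responses in order."""
    login = api_call(post, ip_addr, port, "login", {"user": user, "password": password})
    sid = login["sid"]
    results = []
    try:
        for command, payload in changes:
            results.append(api_call(post, ip_addr, port, command, payload, sid))
        api_call(post, ip_addr, port, "publish", {}, sid)
    except Exception:
        # Nothing reaches the database: drop the session's unpublished changes.
        api_call(post, ip_addr, port, "discard", {}, sid)
        raise
    finally:
        api_call(post, ip_addr, port, "logout", {}, sid)
    return results
```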

Here are a few typical operations that you often encounter when administering Check Point.

1) Example of login and logout functions:

Script


def login():
    # login is the only command sent without a session id; it returns the sid for all later calls
    payload = {'user': 'your_user', 'password': 'your_password'}
    response = api_call('xxx.xxx.xxx.xxx', 443, 'login', payload, '')
    return response["sid"]


def logout(sid):
    response = api_call('xxx.xxx.xxx.xxx', 443, 'logout', {}, sid)
    return response["message"]

2) Enabling blades and configuring the gateway:

Script


new_gateway_data = {'name':'CPGleb','anti-bot':True,'anti-virus' : True,'application-control':True,'ips':True,'url-filtering':True,'interfaces':
                    [{'name':"eth0",'topology':'external','ipv4-address': 'xxx.xxx.xxx.xxx',"ipv4-network-mask": "255.255.255.0"},
                     {'name':"eth1",'topology':'internal','ipv4-address': 'xxx.xxx.xxx.xxx',"ipv4-network-mask": "255.255.255.0"}]}
new_gateway_result = api_call('xxx.xxx.xxx.xxx', 443,'set-simple-gateway', new_gateway_data ,sid)
print(json.dumps(new_gateway_result))

3) Changing firewall rules:

Script


new_access_data={'name':'Cleanup rule','layer':'Network','action':'Accept'}
new_access_result = api_call('xxx.xxx.xxx.xxx', 443,'set-access-rule', new_access_data ,sid)
print(json.dumps(new_access_result))

4) Adding an application layer:

Script


add_access_layer_application={ 'name' : 'application123',"applications-and-url-filtering" : True,"firewall" : False}
add_access_layer_application_result = api_call('xxx.xxx.xxx.xxx', 443,'add-access-layer', add_access_layer_application ,sid)
print(json.dumps(add_access_layer_application_result))

set_package_layer={"name" : "Standard","access":True,"access-layers" : {"add" : [ { "name" : "application123","position" :2}]} ,"installation-targets" : "CPGleb"}
set_package_layer_result = api_call('xxx.xxx.xxx.xxx', 443,'set-package', set_package_layer ,sid)
print(json.dumps(set_package_layer_result))

5) Publishing and installing the policy, checking command execution (task-id):

Script


publish_result = api_call('xxx.xxx.xxx.xxx', 443, "publish", {}, sid)
print("publish result: " + json.dumps(publish_result))
new_policy = {'policy-package': 'Standard', 'access': True, 'targets': ['CPGleb']}
new_policy_result = api_call('xxx.xxx.xxx.xxx', 443, 'install-policy', new_policy, sid)
print(json.dumps(new_policy_result))

# install-policy runs asynchronously and returns a task-id; query its progress with show-task
task_id = new_policy_result["task-id"]
show_task_id = {'task-id': task_id}
show_task = api_call('xxx.xxx.xxx.xxx', 443, 'show-task', show_task_id, sid)
print(json.dumps(show_task))
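An added example, not from the article, for step 5: install-policy only queues the work and returns a task-id, so a script that prints a single show-task response can report a policy as installed while it is still running or has failed. The helper below polls show-task until the task finishes and raises otherwise. It assumes that show-task returns a tasks list whose entries carry a status field with values such as "in progress", "succeeded" and "failed"; call is any api_call-shaped function with the server address already bound, and the sleep parameter exists only so the example can be tested offline.

```python
import time


def wait_for_task(call, sid, task_id, timeout=300, interval=2, sleep=time.sleep):
    """Poll show-task until the task finishes. 'call(command, payload, sid)' is any
    function shaped like the article's api_call with the server address already bound.
    Returns the final task record; raises on failure or timeout so a caller cannot
    mistake a still-running or failed installation for a successful one."""
    deadline = time.monotonic() + timeout
    while True:
        resp = call("show-task", {"task-id": task_id}, sid)
        # Assumption: show-task answers {"tasks": [{"status": "...", ...}]}
        task = resp["tasks"][0]
        status = task.get("status")
        if status == "succeeded":
            return task
        if status in ("failed", "partially succeeded"):
            raise RuntimeError("task %s ended with status %r" % (task_id, status))
        if time.monotonic() > deadline:
            raise TimeoutError("task %s still %r after %ss" % (task_id, status, timeout))
        sleep(interval)  # injected so an offline test does not really wait


def install_policy_and_wait(call, sid, package, targets, **poll_args):
    """install-policy only queues the work and returns a task-id (step 5 above);
    this waits for that task and returns its final record."""
    payload = {"policy-package": package, "access": True, "targets": targets}
    task_id = call("install-policy", payload, sid)["task-id"]
    return wait_for_task(call, sid, task_id, **poll_args)
```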

6) Adding a host:

Script


new_host_data = {'name':'JohnDoePc', 'ip-address': '192.168.0.10'}
new_host_result = api_call('xxx.xxx.xxx.xxx', 443,'add-host', new_host_data ,sid)
print(json.dumps(new_host_result))

7) Adding Threat Prevention to the policy package:

Script


set_package_layer={'name':'Standard','threat-prevention' :True,'installation-targets':'CPGleb'}
set_package_layer_result = api_call('xxx.xxx.xxx.xxx', 443,'set-package',set_package_layer,sid)
print(json.dumps(set_package_layer_result))

8) Viewing the list of sessions:

Script


new_session_data = {'limit':'50', 'offset':'0','details-level' : 'standard'}
new_session_result = api_call('xxx.xxx.xxx.xxx', 443,'show-sessions', new_session_data ,sid)
print(json.dumps(new_session_result))

9) Creating a new threat profile:

Script


add_threat_profile={'name':'Apeiron', "active-protections-performance-impact" : "low","active-protections-severity" : "low or above","confidence-level-medium" : "prevent",
  "confidence-level-high" : "prevent", "threat-emulation" : True,"anti-virus" : True,"anti-bot" : True,"ips" : True,
  "ips-settings" : { "newly-updated-protections" : "staging","exclude-protection-with-performance-impact" : True,"exclude-protection-with-performance-impact-mode" : "High or lower"},
  "overrides" : [ {"protection" : "3Com Network Supervisor Directory Traversal","capture-packets" : True,"action" : "Prevent","track" : "Log"},
                  {"protection" : "7-Zip ARJ Archive Handling Buffer Overflow", "capture-packets" : True,"action" : "Prevent","track" : "Log"} ]}
add_threat_profile_result=api_call('xxx.xxx.xxx.xxx',443,'add-threat-profile',add_threat_profile,sid)
print(json.dumps(add_threat_profile_result))  

10) Changing the action for an IPS signature:

Script


set_threat_protection={
  "name" : "3Com Network Supervisor Directory Traversal",
  "overrides" : [{ "profile" : "Apeiron","action" : "Detect","track" : "Log","capture-packets" : True},
    { "profile" : "Apeiron", "action" : "Detect", "track" : "Log", "capture-packets" : False} ]}
set_threat_protection_result=api_call('xxx.xxx.xxx.xxx',443,'set-threat-protection',set_threat_protection,sid)
print(json.dumps(set_threat_protection_result))

11) Adding your own service:

Script


add_service_udp={    "name" : "Dota2_udp", "port" : '27000-27030',
"keep-connections-open-after-policy-installation" : False,
"session-timeout" : 0, "match-for-any" : True,
"sync-connections-on-cluster" : True,
"aggressive-aging" : {"enable" : True, "timeout" : 360,"use-default-timeout" : False  },
"accept-replies" : False}
add_service_udp_results=api_call('xxx.xxx.xxx.xxx',443,"add-service-udp",add_service_udp,sid)
print(json.dumps(add_service_udp_results))

12) Adding an application category, site or group:

Script


add_application_site_category={  "name" : "Valve","description" : "Valve Games"}
add_application_site_category_results=api_call('xxx.xxx.xxx.xxx',443,"add-application-site-category",add_application_site_category,sid)
print(json.dumps(add_application_site_category_results))

add_application_site={    "name" : "Dota2", "primary-category" : "Valve",  "description" : "Dotka",
  "url-list" : [ "www.dota2.ru" ], "urls-defined-as-regular-expression" : False}
add_application_site_results=api_call('xxx.xxx.xxx.xxx',443,"add-application-site",add_application_site,sid)
print(json.dumps(add_application_site_results))

add_application_site_group={"name" : "Games","members" : [ "Dota2"]}
add_application_site_group_results=api_call('xxx.xxx.xxx.xxx',443,"add-application-site-group",add_application_site_group,sid)
print(json.dumps(add_application_site_group_results))

In addition, using the Web API you can add and remove networks, hosts, access roles and so on. The Antivirus, Antibot, IPS and VPN blades can be configured. It is even possible to install licenses using the run-script command. All Check Point API commands can be found here.

Check Point API + Postman

It is also convenient to use the Check Point Web API together with Postman. Postman has desktop versions for Windows, Linux and MacOS. In addition, there is a plugin for Google Chrome. That is what we will use. First you need to find Postman in the Google Chrome Store and install it:

[image]

Using this tool, we can generate web requests to the Check Point API. So that you do not have to remember all the API commands, it is possible to import a so-called collection (template), which already contains all the necessary commands:

[image]

Here you can find the collection for R80.10. After importing it, the API command templates will be available to us:

[image]

In my opinion, this is very convenient. You can quickly start developing applications using the Check Point API.

Check Point + Ansible

I would also like to note that there is an Ansible module for the Check Point API. The module allows you to automate configuration, but it is not very convenient for solving non-standard tasks. Writing scripts in any programming language provides more flexible and convenient solutions.

Conclusion

This is probably where we will finish our brief review of the Check Point API. In my opinion, this feature was long awaited and necessary. The appearance of the API opens up very wide opportunities both for system administrators and for system integrators working with Check Point products. Orchestration, automation, SIEM response... all of this is now possible.

P.S. More articles about Check Point can, as always, be found on our Habr blog or on the blog on our site.

P.P.S. For technical questions related to configuring Check Point, you can ask here


Source: www.habr.com
