Check Point R80.10 API. Management via CLI, scripts and more

I am sure that everyone who has worked with Check Point has heard the complaint that the configuration cannot be edited from the command line. This is especially strange for people who previously worked with Cisco ASA, where absolutely everything can be configured in the CLI. With Check Point it is the other way round: all security settings were made exclusively from the graphical interface. However, some things are very inconvenient to do through a GUI (even one as convenient as Check Point's). For example, adding 100 new hosts or networks turns into a long and tedious procedure: for each object you have to click the mouse several times and type in an IP address. The same applies to creating a group of sites or bulk-enabling IPS signatures. In such cases the probability of making a mistake is high.

A "miracle" has finally happened. With the release of the new version Gaia R80, the ability to use an API was announced, opening up wide possibilities for automating configuration, administration, monitoring, etc. Now you can:

  • create objects;
  • add and edit access lists;
  • enable and disable blades;
  • configure network interfaces;
  • install policies;
  • and much more.

Honestly, I do not understand how this news passed Habr by. In this article we will briefly describe how to use the API and give some practical examples of configuring Check Point with scripts.

I want to note right away that the API is used for the Management server. That is, gateways cannot be managed without a Management server.

Who, in principle, can use this API?

  1. Network administrators who want to simplify and automate routine Check Point configuration tasks;
  2. Companies that want to integrate Check Point with other solutions (virtualization systems, ticketing systems, configuration management systems, etc.);
  3. System integrators who want to standardize configurations or create products related to Check Point.

Typical scheme

So, let us consider a typical scheme with Check Point:

[image]

As usual, we have a gateway (SG), a management server (SMS) and an administrator console (SmartConsole). In this case the usual gateway configuration process looks like this:

[image]

That is, first you need to run SmartConsole on the administrator's computer and use it to connect to the Management server (SMS). Security settings are made on the SMS and only then applied (install policy) to the gateway (SG).

When using the Management API, we can essentially skip the first step (launching SmartConsole) and use API commands directly on the Management server (SMS).

Ways to use the API

There are four main ways to edit the configuration with the API:

1) Using the mgmt_cli utility

Example: # mgmt_cli add host name host1 ip-address 192.168.2.100
This command is run from the Management Server (SMS) command line. I think the command syntax is clear: a host object host1 with the address 192.168.2.100 is created.

2) Entering API commands via clish (in expert mode)

Basically, all you need to do is log in at the command line (mgmt login) under the account used to connect via SmartConsole (or the root account). After that you can enter API commands (in this case there is no need to prefix each command with the mgmt_cli utility). You can write full-fledged BASH scripts. An example script for adding a host:

Bash script

#!/bin/bash

main() {
    clear

    #LOGIN (don't ask for username and password, user is already logged in to Management server as 'root' user)
    # The session ID returned by login is stored in id_add_host.txt and passed with -s to every later call
    mgmt_cli login --root true > id_add_host.txt
    on_error_print_and_exit "Error: Failed to login, check that the server is up and running (run 'api status')"

    #READ HOST NAME
    printf "Enter host name:\n"
    read -e host_name
    on_empty_input_print_and_exit "$host_name" "Error: The host's name cannot be empty."

    #READ IP ADDRESS
    printf "\nEnter host IP address:\n"
    read -e ip
    on_empty_input_print_and_exit "$ip" "Error: The host's IP address cannot be empty."

    #CREATE HOST
    printf "Creating new host: %s with IP address: %s\n" "$host_name" "$ip"
    new_host_response=$(mgmt_cli add host name "$host_name" ip-address "$ip" -s id_add_host.txt 2> /dev/null)
    on_error_print_and_exit "Error: Failed to create host object. \n$new_host_response"

    #PUBLISH THE CHANGES
    printf "\nPublishing the changes\n"
    mgmt_cli publish --root true -s id_add_host.txt &> /dev/null
    on_error_print_and_exit "Error: Failed to publish the changes."

    #LOGOUT
    logout

    printf "Done.\n"
}

logout(){
    mgmt_cli logout --root true -s id_add_host.txt &> /dev/null
}

on_error_print_and_exit(){
    # $? still holds the exit status of the command that ran just before this call
    if [ $? -ne 0 ]; then
        handle_error "$1"
    fi
}

handle_error(){
    printf "\n$1\n" #print error message
    # Discard the unpublished session changes so nothing half-done is left behind
    mgmt_cli discard --root true -s id_add_host.txt &> /dev/null
    logout
    exit 1
}

on_empty_input_print_and_exit(){
    if [ -z "$1" ]; then
        printf "$2\n" #print error message
        logout
        exit 0
    fi
}

# Script starts here. Call function "main".
main

If you wish, you can also watch the accompanying video.

3) Via SmartConsole by opening a CLI window

All you need to do is open the CLI window directly from SmartConsole, as shown in the picture below.

[image]

In this window you can immediately start entering API commands.

4) Web services. Using HTTPS POST requests (REST API)

In our opinion, this is one of the most promising methods, because it lets you "build" entire applications on top of management server management (sorry for the tautology). Below we will look at this method in a little more detail.

To summarize:

  1. API + CLI suits people who are used to Cisco;
  2. API + shell for running scripts and performing routine tasks;
  3. REST API for automation.

Enabling the API

By default, the API is enabled on management servers with more than 4GB of RAM and on standalone configurations with more than 8GB of RAM. You can check its state with the command: api status

If it turns out that the API is disabled, it is easy to enable it via SmartConsole: Manage & Settings > Blades > Management API > Advanced Settings

[image]

Then publish the changes and run the command api restart.

Web requests + Python

To execute API commands you can send web requests using Python and the requests and json libraries. In general, a web request consists of three parts:

1) Address

(https://<management server>:<port>/web_api/<command>)


2) HTTP headers

content-Type: application/json
x-chkp-sid: <session ID token as returned by the login command>


3) Request payload

Text in JSON format containing the various parameters

An example function for calling arbitrary commands:


import json
import requests

def api_call(ip_addr, port, command, json_payload, sid):
    # Every command is an HTTPS POST to https://<management server>:<port>/web_api/<command>
    url = 'https://' + ip_addr + ':' + str(port) + '/web_api/' + command
    if sid == "":
        # login is the only call made without a session ID
        request_headers = {'Content-Type': 'application/json'}
    else:
        request_headers = {'Content-Type': 'application/json', 'X-chkp-sid': sid}
    # verify=False skips TLS certificate validation (self-signed management certificate);
    # where possible point verify= at the management server's CA certificate instead
    r = requests.post(url, data=json.dumps(json_payload), headers=request_headers, verify=False)
    return r.json()

Here 'xxx.xxx.xxx.xxx' stands for the IP address of the Gaia management server.

Here are some typical tasks you will often run into when administering Check Point.

1) Example login and logout functions:

Script


def login():
    # Replace the placeholders with real credentials; login returns the session ID (sid)
    payload = {'user': 'your_user', 'password': 'your_password'}
    response = api_call('xxx.xxx.xxx.xxx', 443, 'login', payload, '')
    return response["sid"]

def logout(sid):
    response = api_call('xxx.xxx.xxx.xxx', 443, 'logout', {}, sid)
    return response["message"]

2) Enabling blades and configuring the gateway's network interfaces:

Script


new_gateway_data = {'name': 'CPGleb', 'anti-bot': True, 'anti-virus': True, 'application-control': True, 'ips': True, 'url-filtering': True,
                    'interfaces': [{'name': "eth0", 'topology': 'external', 'ipv4-address': 'xxx.xxx.xxx.xxx', "ipv4-network-mask": "255.255.255.0"},
                                   {'name': "eth1", 'topology': 'internal', 'ipv4-address': 'xxx.xxx.xxx.xxx', "ipv4-network-mask": "255.255.255.0"}]}
new_gateway_result = api_call('xxx.xxx.xxx.xxx', 443, 'set-simple-gateway', new_gateway_data, sid)
print(json.dumps(new_gateway_result))

3) Changing firewall rules:

Script


new_access_data = {'name': 'Cleanup rule', 'layer': 'Network', 'action': 'Accept'}
new_access_result = api_call('xxx.xxx.xxx.xxx', 443, 'set-access-rule', new_access_data, sid)
print(json.dumps(new_access_result))

4) Adding an application layer:

Script


add_access_layer_application = {'name': 'application123', "applications-and-url-filtering": True, "firewall": False}
add_access_layer_application_result = api_call('xxx.xxx.xxx.xxx', 443, 'add-access-layer', add_access_layer_application, sid)
print(json.dumps(add_access_layer_application_result))

# Attach the new layer to the "Standard" package at position 2
set_package_layer = {"name": "Standard", "access": True, "access-layers": {"add": [{"name": "application123", "position": 2}]}, "installation-targets": "CPGleb"}
set_package_layer_result = api_call('xxx.xxx.xxx.xxx', 443, 'set-package', set_package_layer, sid)
print(json.dumps(set_package_layer_result))

5) Publishing and installing the policy, and checking the command's execution (task-id):

Script


publish_result = api_call('xxx.xxx.xxx.xxx', 443, "publish", {}, sid)
print("publish result: " + json.dumps(publish_result))
new_policy = {'policy-package': 'Standard', 'access': True, 'targets': ['CPGleb']}
new_policy_result = api_call('xxx.xxx.xxx.xxx', 443, 'install-policy', new_policy, sid)
print(json.dumps(new_policy_result))

# install-policy runs asynchronously and returns a task-id; query its progress with show-task
task_id = new_policy_result["task-id"]
show_task_id = {'task-id': task_id}
show_task = api_call('xxx.xxx.xxx.xxx', 443, 'show-task', show_task_id, sid)
print(json.dumps(show_task))

6) Adding a host:

Script


new_host_data = {'name': 'JohnDoePc', 'ip-address': '192.168.0.10'}
new_host_result = api_call('xxx.xxx.xxx.xxx', 443, 'add-host', new_host_data, sid)
print(json.dumps(new_host_result))
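As an added example (not code from the original article), here is how the login, publish / install-policy / show-task and add-host calls from items 1, 5 and 6 fit together into one bulk operation with rollback: the session is discarded on the first failed add-host, and the task-id returned by publish and install-policy is polled with show-task until the task leaves "in progress". FakeMgmtServer and its replies are a constructed stand-in so the code runs offline; with the article's api_call you would pass post=lambda cmd, payload, sid: api_call('xxx.xxx.xxx.xxx', 443, cmd, payload, sid) (with verify pointed at the management server's CA certificate rather than verify=False).

```python
class FakeMgmtServer:
    # Constructed stand-in for the management server; the replies are hypothetical
    # but follow the shapes used on this page (sid, task-id, tasks[].status, code).
    def __init__(self):
        self.hosts, self.published, self.polls = {}, False, 0

    def post(self, command, payload, sid):
        if command == "login":
            return {"sid": "SID-constructed"}
        if sid != "SID-constructed":            # every other call needs X-chkp-sid
            return {"code": "err_login_failed", "message": "bad session"}
        if command == "add-host":
            if payload["name"] in self.hosts:
                return {"code": "err_validation_failed", "message": "host exists"}
            self.hosts[payload["name"]] = payload["ip-address"]
            return {"uid": "uid-" + payload["name"]}
        if command in ("publish", "install-policy"):
            self.published = self.published or command == "publish"
            return {"task-id": "task-" + command}   # long operations hand back a task-id
        if command == "show-task":
            self.polls += 1                         # first poll: still running
            status = "succeeded" if self.polls >= 2 else "in progress"
            return {"tasks": [{"task-id": payload["task-id"], "status": status}]}
        return {"message": "OK"}                    # discard, logout

def wait_for_task(post, task_id, sid, max_polls=10):
    # Poll show-task until the status leaves "in progress".
    for _ in range(max_polls):
        status = post("show-task", {"task-id": task_id}, sid)["tasks"][0]["status"]
        if status != "in progress":
            return status
    return "timeout"

def bulk_add_hosts(post, hosts, target):
    # login -> add-host per entry -> publish -> install-policy -> logout,
    # discarding the session on the first error so nothing half-done is published.
    sid = post("login", {"user": "your_user", "password": "your_password"}, "")["sid"]
    try:
        for name, ip in hosts:
            reply = post("add-host", {"name": name, "ip-address": ip}, sid)
            if "code" in reply:                     # API errors carry a "code" field
                post("discard", {}, sid)
                return {"ok": False, "failed": name, "message": reply["message"]}
        publish = wait_for_task(post, post("publish", {}, sid)["task-id"], sid)
        policy = {"policy-package": "Standard", "access": True, "targets": [target]}
        install = wait_for_task(post, post("install-policy", policy, sid)["task-id"], sid)
        return {"ok": True, "publish": publish, "install": install}
    finally:
        post("logout", {}, sid)
```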

7) Adding the Threat Prevention blade to a package:

Script


set_package_layer = {'name': 'Standard', 'threat-prevention': True, 'installation-targets': 'CPGleb'}
set_package_layer_result = api_call('xxx.xxx.xxx.xxx', 443, 'set-package', set_package_layer, sid)
print(json.dumps(set_package_layer_result))

8) Viewing the list of sessions:

Script


new_session_data = {'limit': '50', 'offset': '0', 'details-level': 'standard'}
new_session_result = api_call('xxx.xxx.xxx.xxx', 443, 'show-sessions', new_session_data, sid)
print(json.dumps(new_session_result))

9) Creating a new threat profile:

Script


add_threat_profile = {'name': 'Apeiron', "active-protections-performance-impact": "low", "active-protections-severity": "low or above", "confidence-level-medium": "prevent",
  "confidence-level-high": "prevent", "threat-emulation": True, "anti-virus": True, "anti-bot": True, "ips": True,
  "ips-settings": {"newly-updated-protections": "staging", "exclude-protection-with-performance-impact": True, "exclude-protection-with-performance-impact-mode": "High or lower"},
  "overrides": [{"protection": "3Com Network Supervisor Directory Traversal", "capture-packets": True, "action": "Prevent", "track": "Log"},
                {"protection": "7-Zip ARJ Archive Handling Buffer Overflow", "capture-packets": True, "action": "Prevent", "track": "Log"}]}
add_threat_profile_result = api_call('xxx.xxx.xxx.xxx', 443, 'add-threat-profile', add_threat_profile, sid)
print(json.dumps(add_threat_profile_result))

10) Changing the action for an IPS signature:

Script


set_threat_protection = {
  "name": "3Com Network Supervisor Directory Traversal",
  "overrides": [{"profile": "Apeiron", "action": "Detect", "track": "Log", "capture-packets": True},
                {"profile": "Apeiron", "action": "Detect", "track": "Log", "capture-packets": False}]}
set_threat_protection_result = api_call('xxx.xxx.xxx.xxx', 443, 'set-threat-protection', set_threat_protection, sid)
print(json.dumps(set_threat_protection_result))

11) Adding your own service:

Script


add_service_udp = {"name": "Dota2_udp", "port": '27000-27030',
                   "keep-connections-open-after-policy-installation": False,
                   "session-timeout": 0, "match-for-any": True,
                   "sync-connections-on-cluster": True,
                   "aggressive-aging": {"enable": True, "timeout": 360, "use-default-timeout": False},
                   "accept-replies": False}
add_service_udp_results = api_call('xxx.xxx.xxx.xxx', 443, "add-service-udp", add_service_udp, sid)
print(json.dumps(add_service_udp_results))

12) Adding a category, site or group:

Script


add_application_site_category = {"name": "Valve", "description": "Valve Games"}
add_application_site_category_results = api_call('xxx.xxx.xxx.xxx', 443, "add-application-site-category", add_application_site_category, sid)
print(json.dumps(add_application_site_category_results))

add_application_site = {"name": "Dota2", "primary-category": "Valve", "description": "Dotka",
                        "url-list": ["www.dota2.ru"], "urls-defined-as-regular-expression": False}
add_application_site_results = api_call('xxx.xxx.xxx.xxx', 443, "add-application-site", add_application_site, sid)
print(json.dumps(add_application_site_results))

add_application_site_group = {"name": "Games", "members": ["Dota2"]}
add_application_site_group_results = api_call('xxx.xxx.xxx.xxx', 443, "add-application-site-group", add_application_site_group, sid)
print(json.dumps(add_application_site_group_results))

In addition, with the Web API you can add and remove networks, hosts, access roles, etc. The Antivirus, Antibot, IPS and VPN blades can be configured. Licenses can even be installed with the run-script command. All Check Point API commands can be found here.

Check Point API + Postman

It is also convenient to use the Check Point Web API together with Postman. Postman has desktop versions for Windows, Linux and MacOS. There is also a plugin for Google Chrome, which is what we will use. First you need to find Postman in the Google Chrome Store and install it:

[image]

With this utility we can send web requests to the Check Point API. So that you do not have to memorize all the API commands, you can import so-called collections (templates) that contain all the necessary commands:

[image]

Here you can get the collection for R80.10. After importing it, we get templates for the API commands:

[image]

In my opinion, this is very convenient. You can start developing applications with the Check Point API right away.

Check Point + Ansible

I would like to note that there is also an Ansible module for the Check Point API. The module lets you manage the configuration, but it is not very convenient for solving exotic tasks. Writing scripts in any programming language gives more flexible and convenient solutions.

Conclusion

This is where we wrap up our brief overview of the Check Point API. In my opinion, this feature has been long awaited and necessary. The appearance of the API opens up very wide possibilities for both system administrators and system integrators working with Check Point products. Orchestration, automation, SIEM feedback... all of this is now possible.

P.S. More articles about Check Point, as always, can be found on our Habr blog or on the blog on our website.

P.P.S. For technical questions about configuring Check Point, you can contact us here.


Are you planning to use the API?

  • 70.6% Yes (12)
  • 23.5% No (4)
  • 5.9% Already using it (1)

17 users voted. 3 users abstained.

Source: www.habr.com
