I'm sure that anyone who has ever worked with it
The "miracle" happened with the latest release. With the arrival of the new version R80 it became possible to use an API, which opens up wide opportunities for automating configuration, administration, monitoring and so on. You can now:
- create objects;
- add or edit access lists;
- enable/disable blades;
- configure network interfaces;
- install policies;
- and much more.
Honestly, I don't understand how this news passed Habr by. In this article we will briefly describe how to use the API and give several practical examples: configuring Check Point with scripts.
I want to be clear that the API works only for the management server. That is, gateways still cannot be managed without a management server.
Who might need this API at all?
- system administrators who want to simplify or automate routine Check Point configuration tasks;
- companies that want to integrate Check Point with other solutions (virtualization systems, ticketing systems, configuration management systems and so on);
- system integrators who want to standardize settings or build additional products around Check Point.
Typical scheme
So, let's imagine a typical Check Point deployment:
As usual, we have a gateway (SG), a management server (SMS) and a management console (SmartConsole). In this case the usual gateway configuration process looks like this:
That is, first you launch SmartConsole on the administrator's computer and use it to connect to the management server (SMS). The security configuration is done on the SMS and only afterwards applied (Install Policy) to the gateway (SG).
When using the Management API, we can in principle skip the first step (launching SmartConsole) and send API commands directly to the management server (SMS).
Ways to use the API
There are four main ways to edit the configuration through the API:
1) Using the mgmt_cli utility
Example: # mgmt_cli add host name host1 ip-address 192.168.2.100
This command is run from the command line of the management server (SMS). I think the syntax of the command is clear: host1 is created with the address 192.168.2.100.
2) Entering API commands via clish (in expert mode)
Essentially, all you need to do is log in at the command line (mgmt login) under the account you use when connecting via SmartConsole (or the root account). After that you can enter API commands (in this case there is no need to put the mgmt_cli utility in front of every command). You can even write complete BASH scripts. An example script that creates a host:
bash script
```bash
#!/bin/bash
main() {
    clear
    #LOGIN (don't ask for username and password, user is already logged in to Management server as 'root' user)
    mgmt_cli login --root true > id_add_host.txt
    on_error_print_and_exit "Error: Failed to login, check that the server is up and running (run 'api status')"
    #READ HOST NAME
    printf "Enter host name:\n"
    read -e host_name
    on_empty_input_print_and_exit "$host_name" "Error: The host's name cannot be empty."
    #READ IP ADDRESS
    printf "\nEnter host IP address:\n"
    read -e ip
    on_empty_input_print_and_exit "$ip" "Error: The host's IP address cannot be empty."
    #CREATE HOST
    printf "Creating new host: %s with IP address: %s\n" "$host_name" "$ip"
    new_host_response=$(mgmt_cli add host name "$host_name" ip-address "$ip" -s id_add_host.txt 2> /dev/null)
    on_error_print_and_exit "Error: Failed to create host object. \n$new_host_response"
    #PUBLISH THE CHANGES
    printf "\nPublishing the changes\n"
    mgmt_cli publish --root true -s id_add_host.txt &> /dev/null
    on_error_print_and_exit "Error: Failed to publish the changes."
    #LOGOUT
    logout
    printf "Done.\n"
}
logout(){
    mgmt_cli logout --root true -s id_add_host.txt &> /dev/null
}
on_error_print_and_exit(){
    # $? still holds the exit status of the command that ran just before this call
    if [ $? -ne 0 ]; then
        handle_error "$1"
    fi
}
handle_error(){
    printf "\n%b\n" "$1" #print error message (%b expands the \n inside the message)
    mgmt_cli discard --root true -s id_add_host.txt &> /dev/null
    logout
    exit 1
}
on_empty_input_print_and_exit(){
    if [ -z "$1" ]; then
        printf "%s\n" "$2" #print error message
        logout
        exit 0
    fi
}
# Script starts here. Call function "main".
main
```
If you are interested, you can watch the corresponding video:
3) Via SmartConsole, by opening a CLI window
All you need to do is open the CLI window straight from SmartConsole, as shown in the picture below.
In this window you can start entering API commands right away.
4) Web services. Using an HTTPS POST request (REST API)
In our opinion this is one of the most promising methods, because it lets you "build" whole applications on top of managing the management server (forgive the tautology). Below we look at this method in a little more detail.
To sum up:
- API + cli suits people who are used to Cisco;
- API + shell is for applying scripts and performing routine tasks;
- REST API is for automation.
Enabling the API
By default, the API is enabled on management servers with more than 4GB of RAM and on standalone configurations with more than 8GB of RAM. You can check its status with the command: api status
If it turns out that the API is disabled, the easiest way to enable it is through SmartConsole: Manage & Settings > Blades > Management API > Advanced Settings
Then publish the changes and run the api restart command.
Web requests + Python
To execute API commands you can use web requests made with Python and the requests and json libraries. In general, the structure of a web request consists of three parts:
1) Address
(https://<management server>:<port>/web_api/<command>)
2) HTTP headers
Content-Type: application/json
x-chkp-sid: <session ID token as returned by the login command>
3) Request payload
Text in JSON format containing the various parameters
An example of calling the various commands:
```python
import json
import requests

def api_call(ip_addr, port, command, json_payload, sid):
    url = 'https://' + ip_addr + ':' + str(port) + '/web_api/' + command
    if sid == '':
        # the login call has no session yet, so no X-chkp-sid header is sent
        request_headers = {'Content-Type': 'application/json'}
    else:
        request_headers = {'Content-Type': 'application/json', 'X-chkp-sid': sid}
    # verify=False disables certificate validation of the management server
    r = requests.post(url, data=json.dumps(json_payload), headers=request_headers, verify=False)
    return r.json()
```
'xxx.xxx.xxx.xxx' -> IP address of the Gaia management server
Here are typical tasks that you run into most often when administering Check Point.
1) Example login and logout functions:
```python
def login():
    payload = {'user': 'your_user', 'password': 'your_password'}
    response = api_call('xxx.xxx.xxx.xxx', 443, 'login', payload, '')
    return response["sid"]

def logout(sid):
    response = api_call('xxx.xxx.xxx.xxx', 443, 'logout', {}, sid)
    return response["message"]
```
2) Enabling blades and configuring the network:
```python
# sid is the session token returned by login() in step 1
new_gateway_data = {'name': 'CPGleb', 'anti-bot': True, 'anti-virus': True,
                    'application-control': True, 'ips': True, 'url-filtering': True,
                    'interfaces': [
                        {'name': "eth0", 'topology': 'external', 'ipv4-address': 'xxx.xxx.xxx.xxx',
                         "ipv4-network-mask": "255.255.255.0"},
                        {'name': "eth1", 'topology': 'internal', 'ipv4-address': 'xxx.xxx.xxx.xxx',
                         "ipv4-network-mask": "255.255.255.0"}]}
new_gateway_result = api_call('xxx.xxx.xxx.xxx', 443, 'set-simple-gateway', new_gateway_data, sid)
print(json.dumps(new_gateway_result))
```
3) Changing a firewall rule:
```python
new_access_data = {'name': 'Cleanup rule', 'layer': 'Network', 'action': 'Accept'}
new_access_result = api_call('xxx.xxx.xxx.xxx', 443, 'set-access-rule', new_access_data, sid)
print(json.dumps(new_access_result))
```
4) Adding an application layer:
```python
add_access_layer_application = {'name': 'application123', "applications-and-url-filtering": True, "firewall": False}
add_access_layer_application_result = api_call('xxx.xxx.xxx.xxx', 443, 'add-access-layer', add_access_layer_application, sid)
print(json.dumps(add_access_layer_application_result))
# attach the new layer to the Standard package at position 2
set_package_layer = {"name": "Standard", "access": True,
                     "access-layers": {"add": [{"name": "application123", "position": 2}]},
                     "installation-targets": "CPGleb"}
set_package_layer_result = api_call('xxx.xxx.xxx.xxx', 443, 'set-package', set_package_layer, sid)
print(json.dumps(set_package_layer_result))
```
5) Publish and install the policy, and check the execution of the command (task-id):
```python
publish_result = api_call('xxx.xxx.xxx.xxx', 443, "publish", {}, sid)
print("publish result: " + json.dumps(publish_result))
new_policy = {'policy-package': 'Standard', 'access': True, 'targets': ['CPGleb']}
new_policy_result = api_call('xxx.xxx.xxx.xxx', 443, 'install-policy', new_policy, sid)
print(json.dumps(new_policy_result))
# install-policy is asynchronous: it only returns a task-id, which show-task reports on
task_id = new_policy_result["task-id"]
show_task_id = {'task-id': task_id}
show_task = api_call('xxx.xxx.xxx.xxx', 443, 'show-task', show_task_id, sid)
print(json.dumps(show_task))
```
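The login/logout functions of step 1 and the publish, install-policy and show-task sequence of step 5 combined into one small session class, as an added example that is not the article's code: it follows the request layout described above (address, Content-Type and X-chkp-sid headers, JSON payload), verifies the server certificate against a CA bundle path (an assumed path) instead of passing verify=False, polls show-task until the task leaves the "in progress" state, and discards the session's unpublished changes before logging out if any call fails. Error replies carrying "code" and "message", and show-task replies with a "tasks" list whose "status" becomes "succeeded", are taken from the documented API; FakeMgmtServer and its reply bodies are a constructed stand-in so the control flow can be run offline.

```python
import time

class ApiError(Exception):
    """The management server answered with an error body ("code" and "message")."""

def make_requests_transport(ca_bundle, timeout=30):
    """Real transport: POST JSON and verify the SMS certificate against ca_bundle (assumed path)."""
    import requests  # imported lazily so the offline demo below does not need it
    def post(url, headers, payload):
        r = requests.post(url, headers=headers, json=payload, verify=ca_bundle, timeout=timeout)
        return r.json()
    return post

class MgmtSession:
    """One API session: login, authenticated calls, task polling, discard/logout."""
    def __init__(self, host, port, post):
        self.base = "https://%s:%s/web_api/" % (host, port)  # address part of every request
        self.post = post  # post(url, headers, payload) -> dict; injected so it can be faked
        self.sid = None

    def call(self, command, payload=None):
        headers = {"Content-Type": "application/json"}
        if self.sid:
            headers["X-chkp-sid"] = self.sid  # session token returned by "login"
        reply = self.post(self.base + command, headers, payload or {})
        if "code" in reply:  # error replies carry "code" and "message" instead of data
            raise ApiError("%s: %s" % (command, reply.get("message", reply["code"])))
        return reply

    def login(self, user, password):
        self.sid = self.call("login", {"user": user, "password": password})["sid"]

    def wait_for_task(self, task_id, poll_seconds=1.0, max_polls=120):
        # publish/install-policy only return a task-id; show-task says "in progress" until done
        for _ in range(max_polls):
            task = self.call("show-task", {"task-id": task_id})["tasks"][0]
            if task["status"] != "in progress":
                return task
            time.sleep(poll_seconds)
        raise ApiError("task %s did not finish after %d polls" % (task_id, max_polls))

    def close(self, success):
        try:
            if not success:
                self.call("discard")  # drop this session's unpublished changes
        finally:
            self.call("logout")

def provision_hosts(post, user, password, hosts, gateway, poll_seconds=1.0):
    """Add host objects, publish, install the 'Standard' package; discard on any error."""
    s = MgmtSession("xxx.xxx.xxx.xxx", 443, post)  # placeholder address as in the article
    s.login(user, password)
    ok = False
    try:
        for host in hosts:
            s.call("add-host", host)
        publish = s.wait_for_task(s.call("publish")["task-id"], poll_seconds)
        policy = {"policy-package": "Standard", "access": True, "targets": [gateway]}
        install = s.wait_for_task(s.call("install-policy", policy)["task-id"], poll_seconds)
        ok = True
        return {"publish": publish["status"], "install": install["status"]}
    finally:
        s.close(ok)

class FakeMgmtServer:
    """Constructed stand-in for the SMS so the flow runs offline; reply bodies are simplified."""
    def __init__(self):
        self.sid, self.hosts, self.pending = "constructed-sid-1", set(), 0
        self.published, self.discarded, self.polls = [], 0, {}

    def post(self, url, headers, payload):
        command = url.rsplit("/", 1)[1]
        if command == "login":
            if payload.get("password") != "good":
                return {"code": "err_login_failed", "message": "Authentication to server failed."}
            return {"sid": self.sid, "session-timeout": 600}
        if headers.get("X-chkp-sid") != self.sid:
            return {"code": "err_unauthorized", "message": "Unauthorized"}
        if command == "add-host":
            if payload["name"] in self.hosts:
                return {"code": "err_validation_failed", "message": "duplicate name " + payload["name"]}
            self.hosts.add(payload["name"])
            self.pending += 1
            return {"uid": "uid-%d" % len(self.hosts), "name": payload["name"]}
        if command in ("publish", "install-policy"):
            if command == "publish":
                self.published.append(self.pending)
                self.pending = 0
            return {"task-id": "task-" + command}
        if command == "show-task":
            tid = payload["task-id"]
            self.polls[tid] = self.polls.get(tid, 0) + 1  # finishes on the second poll
            status = "succeeded" if self.polls[tid] >= 2 else "in progress"
            return {"tasks": [{"task-id": tid, "status": status}]}
        if command in ("discard", "logout"):
            if command == "discard":  # forget the session's unpublished changes
                self.discarded, self.pending = self.discarded + self.pending, 0
            return {"message": "OK"}
        return {"code": "generic_err_command_not_found", "message": command}
```

Against a real server, build the transport with make_requests_transport('/path/to/sms-ca.pem') and pass it as post; the fake is only there to exercise the control flow (provision_hosts(FakeMgmtServer().post, 'admin', 'good', [{'name': 'JohnDoePc', 'ip-address': '192.168.0.10'}], 'CPGleb')). Note that discard only removes changes that have not been published yet: a failure during install-policy leaves the already published objects in place, so the rollback in close() protects the add-host step, not the policy installation.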
6) Add a host:
```python
new_host_data = {'name': 'JohnDoePc', 'ip-address': '192.168.0.10'}
new_host_result = api_call('xxx.xxx.xxx.xxx', 443, 'add-host', new_host_data, sid)
print(json.dumps(new_host_result))
```
7) Add a threat prevention layer:
```python
set_package_layer = {'name': 'Standard', 'threat-prevention': True, 'installation-targets': 'CPGleb'}
set_package_layer_result = api_call('xxx.xxx.xxx.xxx', 443, 'set-package', set_package_layer, sid)
print(json.dumps(set_package_layer_result))
```
8) Show the list of sessions:
```python
new_session_data = {'limit': '50', 'offset': '0', 'details-level': 'standard'}
new_session_result = api_call('xxx.xxx.xxx.xxx', 443, 'show-sessions', new_session_data, sid)
print(json.dumps(new_session_result))
```
9) Create a new profile:
```python
add_threat_profile = {'name': 'Apeiron', "active-protections-performance-impact": "low",
                      "active-protections-severity": "low or above", "confidence-level-medium": "prevent",
                      "confidence-level-high": "prevent", "threat-emulation": True, "anti-virus": True,
                      "anti-bot": True, "ips": True,
                      "ips-settings": {"newly-updated-protections": "staging",
                                       "exclude-protection-with-performance-impact": True,
                                       "exclude-protection-with-performance-impact-mode": "High or lower"},
                      "overrides": [{"protection": "3Com Network Supervisor Directory Traversal",
                                     "capture-packets": True, "action": "Prevent", "track": "Log"},
                                    {"protection": "7-Zip ARJ Archive Handling Buffer Overflow",
                                     "capture-packets": True, "action": "Prevent", "track": "Log"}]}
add_threat_profile_result = api_call('xxx.xxx.xxx.xxx', 443, 'add-threat-profile', add_threat_profile, sid)
print(json.dumps(add_threat_profile_result))
```
10) Change the action for an IPS signature:
```python
set_threat_protection = {
    "name": "3Com Network Supervisor Directory Traversal",
    "overrides": [{"profile": "Apeiron", "action": "Detect", "track": "Log", "capture-packets": True},
                  {"profile": "Apeiron", "action": "Detect", "track": "Log", "capture-packets": False}]}
set_threat_protection_result = api_call('xxx.xxx.xxx.xxx', 443, 'set-threat-protection', set_threat_protection, sid)
print(json.dumps(set_threat_protection_result))
```
11) Add your own service:
```python
add_service_udp = {"name": "Dota2_udp", "port": '27000-27030',
                   "keep-connections-open-after-policy-installation": False,
                   "session-timeout": 0, "match-for-any": True,
                   "sync-connections-on-cluster": True,
                   "aggressive-aging": {"enable": True, "timeout": 360, "use-default-timeout": False},
                   "accept-replies": False}
add_service_udp_results = api_call('xxx.xxx.xxx.xxx', 443, "add-service-udp", add_service_udp, sid)
print(json.dumps(add_service_udp_results))
```
12) Add a category, a site or a group:
```python
add_application_site_category = {"name": "Valve", "description": "Valve Games"}
add_application_site_category_results = api_call('xxx.xxx.xxx.xxx', 443, "add-application-site-category", add_application_site_category, sid)
print(json.dumps(add_application_site_category_results))
add_application_site = {"name": "Dota2", "primary-category": "Valve", "description": "Dotka",
                        "url-list": ["www.dota2.ru"], "urls-defined-as-regular-expression": False}
add_application_site_results = api_call('xxx.xxx.xxx.xxx', 443, "add-application-site", add_application_site, sid)
print(json.dumps(add_application_site_results))
add_application_site_group = {"name": "Games", "members": ["Dota2"]}
add_application_site_group_results = api_call('xxx.xxx.xxx.xxx', 443, "add-application-site-group", add_application_site_group, sid)
print(json.dumps(add_application_site_group_results))
```
In addition, with the web API you can add and remove networks, hosts, access roles and so on. Gateways can be configured by editing the Anti-Virus, Anti-Bot, IPS and VPN blades. You can even perform the initial setup using the run script command. All Check Point API commands can be found here
Check Point API + Postman
It is also convenient to use the Check Point Web API together with
With this tool you can create web requests to the Check Point API. So that you don't have to remember all the API commands, you can download so-called collections (templates) that already contain all the required commands:
In our view this is very convenient. You can quickly start developing applications with the Check Point API.
Check Point + Ansible
I also want to point out that it is possible
Conclusion
This is probably where we will end our short overview of the Check Point API. In my opinion, this feature was long-awaited and necessary. The appearance of the API opens up very wide possibilities both for system administrators and for the system integrators who work with Check Point products. Orchestration, automation, feedback to a SIEM... all of this is now possible.
P.S. Additional materials on
P.S.S. For other tasks related to configuring Check Point, you can always
How do you plan to use the API?
- 70.6% Not at all (12)
- 23.5% Scripts (4)
- 5.9% Already using it (1)
17 users voted. 3 users abstained.
Source: www.habr.com