Everyone who has ever worked with it has surely wanted more ...
Relatively recently, a "miracle" happened: with the release of the new Gaia R80 version, new capabilities were announced. Using the API opens up broad opportunities for automating configuration, management, monitoring and more. It is now possible to:
- Create objects.
- Add or edit access rules.
- Enable or disable blades.
- Configure network interfaces.
- Install policies.
- And much more.
Honestly, I don't understand how this news passed Habr by. In this article I will briefly explain how to use the API and show a few practical examples of configuring Check Point with scripts.
I want to point out right away that the API is used only on the management server. That is, managing gateways without a management server is still impossible.
Who, in principle, can make use of this API?
- System administrators who want to simplify or automate routine Check Point configuration tasks.
- Companies that want to integrate Check Point with other solutions (virtualization systems, ticketing systems, configuration management systems and so on).
- System integrators who want to standardize configurations or build additional products around Check Point.
Typical setup
Let's picture a typical Check Point deployment.
As usual, there is a gateway (SG), a management server (SMS) and a management console (SmartConsole). In this case the usual gateway configuration process looks like this:
First, SmartConsole has to be started on the administrator's computer; it is used to connect to the management server (SMS). Security settings are made on the SMS and only afterwards applied (install policy) to the gateway (SG).
When using the Management API, you essentially skip the first step (launching SmartConsole) and can send API commands directly to the management server (SMS).
How to use the API
There are four main ways to edit the configuration through the API:
1) Using the mgmt_cli utility
Example: # mgmt_cli add host name host1 ip-address 192.168.2.100
This command is run from the management server (SMS) command line. I think the syntax is self-explanatory: host1 is created with the address 192.168.2.100.
2) Entering API commands via clish (expert mode)
Essentially all you need is to log in to the management command line under the account used when connecting via SmartConsole (or the root account). After that you can enter API commands directly (in this case there is no need to prefix each command with the mgmt_cli utility). This makes it possible to write full-fledged bash scripts. An example script that creates a host:
Bash script:
#!/bin/bash
main() {
    clear
    #LOGIN (don't ask for username and password, user is already logged in to Management server as 'root' user)
    mgmt_cli login --root true > id_add_host.txt
    on_error_print_and_exit "Error: Failed to login, check that the server is up and running (run 'api status')"
    #READ HOST NAME
    printf "Enter host name:\n"
    read -e host_name
    on_empty_input_print_and_exit "$host_name" "Error: The host's name cannot be empty."
    #READ IP ADDRESS
    printf "\nEnter host IP address:\n"
    read -e ip
    on_empty_input_print_and_exit "$ip" "Error: The host's IP address cannot be empty."
    #CREATE HOST (quote the user input so names with spaces reach mgmt_cli as one argument)
    printf "Creating new host: %s with IP address: %s\n" "$host_name" "$ip"
    new_host_response=$(mgmt_cli add host name "$host_name" ip-address "$ip" -s id_add_host.txt 2> /dev/null)
    on_error_print_and_exit "Error: Failed to create host object."$'\n'"$new_host_response"
    #PUBLISH THE CHANGES
    printf "\nPublishing the changes\n"
    mgmt_cli publish --root true -s id_add_host.txt &> /dev/null
    on_error_print_and_exit "Error: Failed to publish the changes."
    #LOGOUT
    logout
    printf "Done.\n"
}
logout(){
    mgmt_cli logout --root true -s id_add_host.txt &> /dev/null
}
on_error_print_and_exit(){
    # $? at function entry is the exit status of the command that ran just before the call
    if [ $? -ne 0 ]; then
        handle_error "$1"
    fi
}
handle_error(){
    printf '\n%s\n' "$1" #print error message (passed as an argument, never as the format string)
    mgmt_cli discard --root true -s id_add_host.txt &> /dev/null
    logout
    exit 1
}
on_empty_input_print_and_exit(){
    if [ -z "$1" ]; then
        printf '%s\n' "$2" #print error message
        logout
        exit 0
    fi
}
# Script starts here. Call function "main".
main
If you are interested, watch the corresponding video.
3) Through the CLI window in SmartConsole
All you have to do is open the CLI window in SmartConsole itself, as shown in the figure below. In this window you can start entering API commands right away.
4) Web services: HTTPS POST requests (REST API)
In our opinion this is one of the most promising methods. You can build entire applications around management of the management server (sorry for the tautology). Below we look at this method in a bit more detail.
To summarize:
- API + CLI: suitable for people who are used to Cisco.
- API + shell scripts: for performing routine tasks.
- REST API: for automation.
Enabling the API
By default the API is enabled on management servers with more than 4 GB of RAM and on standalone configurations with more than 8 GB of RAM. You can check its status with the command: api status
If the API turns out to be disabled, it can be enabled very easily in SmartConsole: Manage & Settings > Blades > Management API > Advanced Settings
After that, publish the changes and run the command: api restart
Web requests + Python
To execute API commands you can use web requests from Python with the requests and json libraries. In general, a web request consists of three parts:
1) URL
(https://<management server>:<port>/web_api/<command>)
2) HTTP headers
Content-Type: application/json
x-chkp-sid: <session ID token as returned by the login command>
3) Request payload
Text in JSON format containing the various parameters
An example function that calls the various commands:
import json
import requests

def api_call(ip_addr, port, command, json_payload, sid):
    # Part 1: the URL is built from the management server address, port and command
    url = 'https://' + ip_addr + ':' + str(port) + '/web_api/' + command
    # Part 2: the headers; the session token is sent only once login has returned it
    if sid == '':
        request_headers = {'Content-Type': 'application/json'}
    else:
        request_headers = {'Content-Type': 'application/json', 'X-chkp-sid': sid}
    # Part 3: the payload is the JSON-serialised parameter dictionary.
    # verify=False skips TLS certificate validation; outside a lab, pass the path
    # to the management server's CA certificate as verify instead.
    r = requests.post(url, data=json.dumps(json_payload), headers=request_headers, verify=False)
    return r.json()
'xxx.xxx.xxx.xxx' -> IP address of the Gaia management server
Here are some typical tasks that come up most often when managing Check Point.
1) Example login and logout functions:
def login():
    # The first call carries no session token; the returned sid is used for every later call
    payload = {'user': 'your_user', 'password': 'your_password'}
    response = api_call('xxx.xxx.xxx.xxx', 443, 'login', payload, '')
    return response["sid"]

def logout(sid):
    response = api_call('xxx.xxx.xxx.xxx', 443, 'logout', {}, sid)
    return response["message"]
2) Enabling blades and configuring the network:
new_gateway_data = {'name':'CPGleb','anti-bot':True,'anti-virus' : True,'application-control':True,'ips':True,'url-filtering':True,'interfaces':
[{'name':"eth0",'topology':'external','ipv4-address': 'xxx.xxx.xxx.xxx',"ipv4-network-mask": "255.255.255.0"},
{'name':"eth1",'topology':'internal','ipv4-address': 'xxx.xxx.xxx.xxx',"ipv4-network-mask": "255.255.255.0"}]}
new_gateway_result = api_call('xxx.xxx.xxx.xxx', 443,'set-simple-gateway', new_gateway_data ,sid)
print(json.dumps(new_gateway_result))
3) Changing a firewall rule:
new_access_data={'name':'Cleanup rule','layer':'Network','action':'Accept'}
new_access_result = api_call('xxx.xxx.xxx.xxx', 443,'set-access-rule', new_access_data ,sid)
print(json.dumps(new_access_result))
4) Adding an application layer:
add_access_layer_application={ 'name' : 'application123',"applications-and-url-filtering" : True,"firewall" : False}
add_access_layer_application_result = api_call('xxx.xxx.xxx.xxx', 443,'add-access-layer', add_access_layer_application ,sid)
print(json.dumps(add_access_layer_application_result))
set_package_layer={"name" : "Standard","access":True,"access-layers" : {"add" : [ { "name" : "application123","position" :2}]} ,"installation-targets" : "CPGleb"}
set_package_layer_result = api_call('xxx.xxx.xxx.xxx', 443,'set-package', set_package_layer ,sid)
print(json.dumps(set_package_layer_result))
5) Publishing and installing the policy, then checking the execution of the command (task ID):
publish_result = api_call('xxx.xxx.xxx.xxx', 443, "publish", {}, sid)
print("publish result: " + json.dumps(publish_result))
new_policy = {'policy-package': 'Standard', 'access': True, 'targets': ['CPGleb']}
new_policy_result = api_call('xxx.xxx.xxx.xxx', 443, 'install-policy', new_policy, sid)
print(json.dumps(new_policy_result))
# install-policy is asynchronous: it returns a task-id that show-task reports on
task_id = new_policy_result["task-id"]
show_task_id = {'task-id': task_id}
show_task = api_call('xxx.xxx.xxx.xxx', 443, 'show-task', show_task_id, sid)
print(json.dumps(show_task))
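The three-part request structure and the api_call function above, together with the publish / install-policy / show-task sequence of step 5, as one worked example. This is added code, not the article's or Check Point's own: the host name mgmt.example.invalid, the FakeManagement stand-in, its session token and task id, and the exact shape of the show-task response ({"tasks": [{"status": ...}]}) are assumptions made so the flow runs offline. Unlike the requests version with verify=False, the default transport keeps certificate validation on and takes a (hypothetical) path to the management server's CA certificate.

```python
import json
import ssl
import urllib.request


class MgmtApiError(Exception):
    """Raised when the management server answers with a non-200 status."""


class MgmtApiClient:
    """Three-part web request (URL, headers, JSON body) plus session handling.
    transport(url, headers, body) -> (status, text) is injectable for offline use; the
    default posts over HTTPS with certificate validation kept on (ca_bundle: hypothetical path).
    """

    def __init__(self, host, port=443, transport=None, ca_bundle=None):
        self.base = "https://%s:%d/web_api/" % (host, port)
        self.sid = None
        self._transport = transport or self._https_post
        self._ca_bundle = ca_bundle

    def _https_post(self, url, headers, body):
        ctx = ssl.create_default_context(cafile=self._ca_bundle)
        req = urllib.request.Request(url, data=body, headers=headers, method="POST")
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return resp.status, resp.read().decode("utf-8")

    def build_request(self, command, payload):
        # Part 1: URL; part 2: headers, with X-chkp-sid once logged in; part 3: JSON payload
        headers = {"Content-Type": "application/json"}
        if self.sid:
            headers["X-chkp-sid"] = self.sid
        return self.base + command, headers, json.dumps(payload).encode("utf-8")

    def call(self, command, payload=None):
        url, headers, body = self.build_request(command, payload or {})
        status, text = self._transport(url, headers, body)
        data = json.loads(text) if text else {}
        if status != 200:
            raise MgmtApiError("%s failed (%s): %s" % (command, data.get("code"), data.get("message")))
        return data

    def login(self, user, password):
        self.sid = self.call("login", {"user": user, "password": password})["sid"]
        return self.sid

    def logout(self):
        result = self.call("logout")
        self.sid = None
        return result

    def wait_for_task(self, task_id, max_polls=60, sleep=lambda: None):
        # Assumed response shape: {"tasks": [{"task-id": ..., "status": ...}]}
        for _ in range(max_polls):
            task = self.call("show-task", {"task-id": task_id})["tasks"][0]
            if task["status"] != "in progress":
                return task
            sleep()
        raise TimeoutError("task %s still in progress after %d polls" % (task_id, max_polls))


def install_and_wait(client, package, targets):
    """Step 5 from the article: publish, install-policy, then poll show-task by task-id."""
    client.call("publish")
    install = client.call("install-policy", {"policy-package": package, "access": True, "targets": targets})
    return client.wait_for_task(install["task-id"])


class FakeManagement:
    """Constructed stand-in for a management server so the flow runs offline."""

    def __init__(self):
        self.sid = "constructed-session-token"
        self.polls = 0

    def __call__(self, url, headers, body):
        command = url.rsplit("/", 1)[1]
        payload = json.loads(body)
        if command == "login":
            return 200, json.dumps({"sid": self.sid})
        if headers.get("X-chkp-sid") != self.sid:  # every other command needs the token
            return 401, json.dumps({"code": "constructed_no_session", "message": "login first"})
        if command == "install-policy":
            return 200, json.dumps({"task-id": "constructed-task-1"})
        if command == "show-task":
            self.polls += 1  # report "in progress" twice, then "succeeded"
            status = "in progress" if self.polls < 3 else "succeeded"
            return 200, json.dumps({"tasks": [{"task-id": payload["task-id"], "status": status}]})
        return 200, json.dumps({"message": "OK"})


def demo():
    client = MgmtApiClient("mgmt.example.invalid", transport=FakeManagement())
    client.login("api_user", "api_password")
    task = install_and_wait(client, "Standard", ["CPGleb"])
    client.logout()
    return task["status"]
```

Against a real management server, construct MgmtApiClient without the transport argument and pass ca_bundle; demo() then runs the same login, publish, install-policy, show-task and logout sequence, and any non-200 answer (a missing or expired session token, a rejected parameter) surfaces as MgmtApiError with the server's code and message instead of a silent KeyError further down.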
6) Adding a host:
new_host_data = {'name':'JohnDoePc', 'ip-address': '192.168.0.10'}
new_host_result = api_call('xxx.xxx.xxx.xxx', 443,'add-host', new_host_data ,sid)
print(json.dumps(new_host_result))
7) Adding the "threat-prevention" field to the package:
set_package_layer={'name':'Standard','threat-prevention' :True,'installation-targets':'CPGleb'}
set_package_layer_result = api_call('xxx.xxx.xxx.xxx', 443,'set-package',set_package_layer,sid)
print(json.dumps(set_package_layer_result))
8) Showing the list of sessions:
new_session_data = {'limit':'50', 'offset':'0','details-level' : 'standard'}
new_session_result = api_call('xxx.xxx.xxx.xxx', 443,'show-sessions', new_session_data ,sid)
print(json.dumps(new_session_result))
9) Creating a new threat profile:
add_threat_profile={'name':'Apeiron', "active-protections-performance-impact" : "low","active-protections-severity" : "low or above","confidence-level-medium" : "prevent",
"confidence-level-high" : "prevent", "threat-emulation" : True,"anti-virus" : True,"anti-bot" : True,"ips" : True,
"ips-settings" : { "newly-updated-protections" : "staging","exclude-protection-with-performance-impact" : True,"exclude-protection-with-performance-impact-mode" : "High or lower"},
"overrides" : [ {"protection" : "3Com Network Supervisor Directory Traversal","capture-packets" : True,"action" : "Prevent","track" : "Log"},
{"protection" : "7-Zip ARJ Archive Handling Buffer Overflow", "capture-packets" : True,"action" : "Prevent","track" : "Log"} ]}
add_threat_profile_result=api_call('xxx.xxx.xxx.xxx',443,'add-threat-profile',add_threat_profile,sid)
print(json.dumps(add_threat_profile_result))
10) Changing the action of an IPS signature:
set_threat_protection={
"name" : "3Com Network Supervisor Directory Traversal",
"overrides" : [{ "profile" : "Apeiron","action" : "Detect","track" : "Log","capture-packets" : True},
{ "profile" : "Apeiron", "action" : "Detect", "track" : "Log", "capture-packets" : False} ]}
set_threat_protection_result=api_call('xxx.xxx.xxx.xxx',443,'set-threat-protection',set_threat_protection,sid)
print(json.dumps(set_threat_protection_result))
11) Adding a service:
add_service_udp={ "name" : "Dota2_udp", "port" : '27000-27030',
"keep-connections-open-after-policy-installation" : False,
"session-timeout" : 0, "match-for-any" : True,
"sync-connections-on-cluster" : True,
"aggressive-aging" : {"enable" : True, "timeout" : 360,"use-default-timeout" : False },
"accept-replies" : False}
add_service_udp_results=api_call('xxx.xxx.xxx.xxx',443,"add-service-udp",add_service_udp,sid)
print(json.dumps(add_service_udp_results))
12) Adding a category, a site or a group:
add_application_site_category={ "name" : "Valve","description" : "Valve Games"}
add_application_site_category_results=api_call('xxx.xxx.xxx.xxx',443,"add-application-site-category",add_application_site_category,sid)
print(json.dumps(add_application_site_category_results))
add_application_site={ "name" : "Dota2", "primary-category" : "Valve", "description" : "Dotka",
"url-list" : [ "www.dota2.ru" ], "urls-defined-as-regular-expression" : False}
add_application_site_results=api_call('xxx.xxx.xxx.xxx',443,"add-application-site",add_application_site,sid)
print(json.dumps(add_application_site_results))
add_application_site_group={"name" : "Games","members" : [ "Dota2"]}
add_application_site_group_results=api_call('xxx.xxx.xxx.xxx',443,"add-application-site-group",add_application_site_group,sid)
print(json.dumps(add_application_site_group_results))
Similarly, with the Web API you can add and remove networks, hosts, access roles and so on. Blades such as Anti-Virus, Anti-Bot, IPS and VPN can be configured. You can even install licenses using the run-script command. All Check Point API commands can be found here.
Check Point API + Postman
Postman is convenient to use in combination with the Check Point Web API.
This utility lets you generate web requests to the Check Point API. So that you don't have to remember all the API commands, you can import a collection (template) that already contains all the commands you need.
In my opinion this is very convenient, and you can immediately start developing applications with the Check Point API.
Check Point + Ansible
Fortunately, Ansible support has already been created as well.
Conclusion
This concludes a brief overview of the Check Point API. In my opinion this functionality was long awaited and necessary. The appearance of the API opens up very broad opportunities for both system administrators and system integrators working with Check Point products. Orchestration, automation, SIEM feedback... all of this is now possible.
P.S. Other articles on the topic
P.P.S. For technical questions about setting up Check Point, please refer to the contact below.
Poll: Do you plan to use the API? Yes: 12, No: 4, Already using it: 1 (17 users voted, 3 users abstained).
Source: habr.com