The full power of working with an API shows when it is used together with program code, where API requests and the tools that analyze API responses can be generated dynamically. Yet the Python Software Development Kit (hereinafter, Python SDK) for the Check Point Management API still goes largely unnoticed, and undeservedly so. It considerably simplifies the work of developers and automation enthusiasts. Python has become very popular lately, so I decided to fill this gap and go over the main features.
Check Point is actively developing its APIs, and at the moment the following have been released:
Check Point Management API (current version 1.6): interaction with the management server via API (and the ability to run scripts on gateways controlled by the management server)
Check Point GAIA API (current version 1.4): interaction with security gateways
Threat Prevention API 1.0: working with the Check Point cloud sandbox
Identity Awareness API: using the Identity Awareness blade on a gateway
Security Management Portal API: interaction with the SMB gateway management portal (details on SMB gateways)
IoT API: interaction with the IoT controller
CloudGuard Connect API: interaction with CloudGuard Connect (SD-WAN security solution)
Dome9 API: interaction with Dome9
The Python SDK currently supports interaction only with the Management API and the Gaia API. In this module we will look at the most important classes, methods and variables.
Installing the module
The cpapi module can be installed quickly and easily.
Getting started
To be able to work with the components of the cpapi module, you need to import at least the following required classes from the cpapi module:
APIClient and APIClientArgs
from cpapi import APIClient, APIClientArgs
The APIClientArgs class is responsible for the parameters of the connection to the API server, and the APIClient class is responsible for interaction with the API.
Defining connection parameters
To define the various parameters for connecting to the API, you need to create an instance of the APIClientArgs class. In principle, its parameters are predefined, and when the script runs on the management server they do not need to be specified.
client_args = APIClientArgs()
However, when running on a third-party host, you need to specify at least the IP address or host name of the API server (also known as the management server). In the example below, we define the server connection parameter and assign it the management server's IP address as a string.
client_args = APIClientArgs(server='192.168.47.241')
Let's look at all the parameters that can be used when connecting to the API server, and their default values.
Arguments of the __init__ method of the APIClientArgs class
class APIClientArgs:
    """
    This class provides arguments for APIClient configuration.
    All the arguments are configured with their default values.
    """
    # port is set to None by default, but it gets replaced with 443 if not specified
    # context possible values - web_api (default) or gaia_api
    def __init__(self, port=None, fingerprint=None, sid=None, server="127.0.0.1", http_debug_level=0,
                 api_calls=None, debug_file="", proxy_host=None, proxy_port=8080,
                 api_version=None, unsafe=False, unsafe_auto_accept=False, context="web_api"):
        self.port = port
        # management server fingerprint
        self.fingerprint = fingerprint
        # session-id.
        self.sid = sid
        # management server name or IP-address
        self.server = server
        # debug level
        self.http_debug_level = http_debug_level
        # an array with all the api calls (for debug purposes)
        self.api_calls = api_calls if api_calls else []
        # name of debug file. If left empty, debug data will not be saved to disk.
        self.debug_file = debug_file
        # HTTP proxy server address (without "http://")
        self.proxy_host = proxy_host
        # HTTP proxy port
        self.proxy_port = proxy_port
        # Management server's API version
        self.api_version = api_version
        # Indicates that the client should not check the server's certificate
        self.unsafe = unsafe
        # Indicates that the client should automatically accept and save the server's certificate
        self.unsafe_auto_accept = unsafe_auto_accept
        # The context of using the client - defaults to web_api
        self.context = context
I believe the arguments that can be used in instances of the APIClientArgs class are intuitive to Check Point administrators and need no additional comments.
Connecting via APIClient and a context manager
The most convenient way to use the APIClient class is through a context manager. All that needs to be passed to an instance of the APIClient class is the connection parameters defined in the previous step.
with APIClient(client_args) as client:
The context manager does not make the login call to the API server automatically, but it does make the logout call when it exits. If for some reason logout is not required after you finish working with API calls, you need to start working without the context manager:
client = APIClient(client_args)
Connection test
The simplest way to check that the connection meets the specified parameters is to use the check_fingerprint method. If verification of the sha1 hash of the fingerprint of the API server's certificate fails (the method returns False), this is usually caused by connection problems, and we can stop the program (or give the user the opportunity to correct the connection data).
if client.check_fingerprint() is False:
    print("Could not get the server's fingerprint - Check connectivity with the server.")
    exit(1)
Note that from now on the APIClient class checks the sha1 fingerprint of the API server's certificate on every API call (the methods api_call and api_query, which are discussed in a little more detail later). However, if an error is detected when checking the sha1 fingerprint of the API server's certificate (the certificate is unknown or has been changed), the check_fingerprint method offers the opportunity to add/change the information about it on the local machine automatically. This check can be disabled completely (although this is recommended only when the script runs on the API server itself and connects to 127.0.0.1) with the APIClientArgs argument unsafe_auto_accept (for details on APIClientArgs see "Defining connection parameters" above).
client_args = APIClientArgs(unsafe_auto_accept=True)
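The decision a fingerprint check has to make, and what automatic acceptance does to it, as an added illustration (not the SDK's code): the function names, the in-memory store and the byte strings standing in for certificates are assumptions made for this example.

```python
import hashlib


def sha1_fingerprint(cert_der):
    """Upper-case hex SHA-1 digest of a DER-encoded certificate."""
    return hashlib.sha1(cert_der).hexdigest().upper()


def check_server(server, cert_der, known, auto_accept=False):
    """Compare the presented certificate with the fingerprint stored for `server`.

    Returns (verdict, trusted); verdict is "match", "unknown" or "changed".
    With auto_accept=True an unknown or changed fingerprint is stored and
    trusted without anyone having looked at it.
    """
    presented = sha1_fingerprint(cert_der)
    stored = known.get(server)
    if stored == presented:
        return "match", True
    verdict = "unknown" if stored is None else "changed"
    if auto_accept:
        known[server] = presented
        return verdict, True
    return verdict, False


# Constructed byte strings standing in for two different DER certificates.
GENUINE_CERT = b"constructed-der-bytes-of-the-management-server-cert"
OTHER_CERT = b"constructed-der-bytes-of-some-other-cert"


def demo():
    results = []
    # Fingerprint recorded out of band, before the first connection.
    pinned = {"192.168.47.241": sha1_fingerprint(GENUINE_CERT)}
    results.append(check_server("192.168.47.241", GENUINE_CERT, pinned))
    results.append(check_server("192.168.47.241", OTHER_CERT, pinned))
    # Empty store plus auto-accept: whichever certificate answers first is kept.
    empty = {}
    results.append(check_server("192.168.47.241", OTHER_CERT, empty, auto_accept=True))
    # The genuine server is now the one reported as "changed".
    results.append(check_server("192.168.47.241", GENUINE_CERT, empty))
    return results


if __name__ == "__main__":
    for result in demo():
        print(result)
```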
Logging in to the API server
APIClient has 3 ways of logging in to the API server, and each of them understands the sid (session-id) value, which is used automatically in the header of every subsequent API call (the name of this parameter in the header is X-chkp-sid), so there is no need to handle this parameter any further.
The login method
Option using a login and password (in the example, the user name admin and the password 1q2w3e are passed as positional arguments):
login = client.login('admin', '1q2w3e')
Additional optional parameters are also available in the login method; their names and default values are as follows:
continue_last_session=False, domain=None, read_only=False, payload=None
The login_with_api_key method
Option using an API key (supported from management version R80.40 / Management API v1.6 onward; "3TsbPJ8ZKjaJGvFyoFqHFA==" is the API key value of one of the users on the management server who uses the API key authentication method):
login = client.login_with_api_key('3TsbPJ8ZKjaJGvFyoFqHFA==')
The login_with_api_key method accepts the same optional parameters as the login method.
The login_as_root method
Option for logging in on the local machine that runs the API server:
login = client.login_as_root()
Only the following optional parameters are available for this method:
domain=None, payload=None
And finally, the API calls themselves
API calls can be made through the methods api_call and api_query. Let's see what the difference between them is.
api_call
This method is applicable to any call. We need to pass the last part of the API call and, if necessary, the payload for the request body. If the payload is empty, it does not have to be passed at all.
api_versions = client.api_call('show-api-versions')
Output of this request:
In [23]: api_versions
Out[23]:
APIResponse({
"data": {
"current-version": "1.6",
"supported-versions": [
"1",
"1.1",
"1.2",
"1.3",
"1.4",
"1.5",
"1.6"
]
},
"res_obj": {
"data": {
"current-version": "1.6",
"supported-versions": [
"1",
"1.1",
"1.2",
"1.3",
"1.4",
"1.5",
"1.6"
]
},
"status_code": 200
},
"status_code": 200,
"success": true
})
show_host = client.api_call('show-host', {'name' : 'h_8.8.8.8'})
Output of this request:
In [25]: show_host
Out[25]:
APIResponse({
"data": {
"color": "black",
"comments": "",
"domain": {
"domain-type": "domain",
"name": "SMC User",
"uid": "41e821a0-3720-11e3-aa6e-0800200c9fde"
},
"groups": [],
"icon": "Objects/host",
"interfaces": [],
"ipv4-address": "8.8.8.8",
"meta-info": {
"creation-time": {
"iso-8601": "2020-05-01T21:49+0300",
"posix": 1588358973517
},
"creator": "admin",
"last-modifier": "admin",
"last-modify-time": {
"iso-8601": "2020-05-01T21:49+0300",
"posix": 1588358973517
},
"lock": "unlocked",
"validation-state": "ok"
},
"name": "h_8.8.8.8",
"nat-settings": {
"auto-rule": false
},
"read-only": false,
"tags": [],
"type": "host",
"uid": "c210af07-1939-49d3-a351-953a9c471d9e"
},
"res_obj": {
"data": {
"color": "black",
"comments": "",
"domain": {
"domain-type": "domain",
"name": "SMC User",
"uid": "41e821a0-3720-11e3-aa6e-0800200c9fde"
},
"groups": [],
"icon": "Objects/host",
"interfaces": [],
"ipv4-address": "8.8.8.8",
"meta-info": {
"creation-time": {
"iso-8601": "2020-05-01T21:49+0300",
"posix": 1588358973517
},
"creator": "admin",
"last-modifier": "admin",
"last-modify-time": {
"iso-8601": "2020-05-01T21:49+0300",
"posix": 1588358973517
},
"lock": "unlocked",
"validation-state": "ok"
},
"name": "h_8.8.8.8",
"nat-settings": {
"auto-rule": false
},
"read-only": false,
"tags": [],
"type": "host",
"uid": "c210af07-1939-49d3-a351-953a9c471d9e"
},
"status_code": 200
},
"status_code": 200,
"success": true
})
api_query
Let me say right away that this method is applicable only to calls whose output involves an offset. Such output occurs when it contains, or may contain, a large amount of information. For example, this could be a request for the list of all host objects created on the management server. For such requests the API returns a list of 50 objects by default (the limit can be raised to 500 objects per response). So that you do not have to pull the information several times while changing the offset parameter in the API request, there is the api_query method, which does this work automatically. Examples of calls where this method is needed: show-sessions, show-hosts, show-networks, show-wildcards, show-groups, show-address-ranges, show-simple-gateways, show-simple-clusters, show-access-roles, show-trusted-clients, show-packages. In fact, the names of these API calls contain plural words, so these are the calls for api_query
show_hosts = client.api_query('show-hosts')
Output of this request:
In [21]: show_hosts
Out[21]:
APIResponse({
"data": [
{
"domain": {
"domain-type": "domain",
"name": "SMC User",
"uid": "41e821a0-3720-11e3-aa6e-0800200c9fde"
},
"ipv4-address": "192.168.47.1",
"name": "h_192.168.47.1",
"type": "host",
"uid": "5d7d7086-d70b-4995-971a-0583b15a2bfc"
},
{
"domain": {
"domain-type": "domain",
"name": "SMC User",
"uid": "41e821a0-3720-11e3-aa6e-0800200c9fde"
},
"ipv4-address": "8.8.8.8",
"name": "h_8.8.8.8",
"type": "host",
"uid": "c210af07-1939-49d3-a351-953a9c471d9e"
}
],
"res_obj": {
"data": {
"from": 1,
"objects": [
{
"domain": {
"domain-type": "domain",
"name": "SMC User",
"uid": "41e821a0-3720-11e3-aa6e-0800200c9fde"
},
"ipv4-address": "192.168.47.1",
"name": "h_192.168.47.1",
"type": "host",
"uid": "5d7d7086-d70b-4995-971a-0583b15a2bfc"
},
{
"domain": {
"domain-type": "domain",
"name": "SMC User",
"uid": "41e821a0-3720-11e3-aa6e-0800200c9fde"
},
"ipv4-address": "8.8.8.8",
"name": "h_8.8.8.8",
"type": "host",
"uid": "c210af07-1939-49d3-a351-953a9c471d9e"
}
],
"to": 2,
"total": 2
},
"status_code": 200
},
"status_code": 200,
"success": true
})
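What paging by offset involves, as an added sketch rather than the SDK's own api_query code: `paged_query` and the constructed `make_fake_server` stand-in are names invented here, and the response keys are the ones visible in the res_obj above.

```python
def paged_query(call, command, payload=None, limit=50):
    """Collect every object of a paged command by advancing `offset`.

    `call(command, payload)` must return the response body as a dict with
    the keys seen in res_obj: "objects", "from", "to" and "total".
    """
    if not 1 <= limit <= 500:
        raise ValueError("limit must be between 1 and 500")
    objects, offset = [], 0
    while True:
        body = call(command, dict(payload or {}, limit=limit, offset=offset))
        page = body.get("objects", [])
        objects.extend(page)
        # Stop when everything is collected, or when the server returns an
        # empty page because the object set shrank while we were paging.
        if not page or len(objects) >= body.get("total", 0):
            return objects
        # "to" is the 1-based index of the last object returned, which is
        # also the 0-based offset of the next page.
        offset = body["to"]


def make_fake_server(count):
    """Constructed stand-in for a management server holding `count` hosts."""
    hosts = [{"name": "h_10.0.0.{}".format(i), "type": "host"}
             for i in range(1, count + 1)]
    calls = []

    def call(command, payload):
        calls.append(payload)
        start, size = payload["offset"], payload["limit"]
        page = hosts[start:start + size]
        body = {"objects": page, "total": len(hosts)}
        if page:
            body["from"], body["to"] = start + 1, start + len(page)
        return body

    return call, calls


if __name__ == "__main__":
    fake_call, seen = make_fake_server(120)
    print(len(paged_query(fake_call, "show-hosts")), [p["offset"] for p in seen])
```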
Processing the results of API calls
After that, you can use the variables and methods of the APIResponse class (both inside the context manager and outside it). The APIResponse class has 4 methods and 5 variables predefined; we will go into more detail on the most important ones.
success
To begin with, it is a good idea to make sure that the API call succeeded and returned a result. There is the success method for this:
In [49]: api_versions.success
Out[49]: True
Returns True if the API call succeeded (response code 200) and False if it did not (any other response code). It is convenient to use right after an API call, to show different information depending on the response code.
if api_versions.success:
    print(api_versions.data)
else:
    print(api_versions.error_message)
status_code
Returns the response code after an API call.
In [62]: api_versions.status_code
Out[62]: 400
Possible response codes: 200, 400, 401, 403, 404, 409, 500, 501.
set_success_status
In some cases you may need to change the value of the success status. Technically, you can put anything there, even an ordinary string. A realistic example, though, is resetting this parameter to False under certain accompanying conditions. In the example below, tasks are running on the management server, but we will treat the request as unsuccessful (we set the success variable to False, even though the API call succeeded and returned code 200).
for task in task_result.data["tasks"]:
    if task["status"] == "failed" or task["status"] == "partially succeeded":
        task_result.set_success_status(False)
        break
response()
The response method lets you view a dictionary with the response code (status_code) and the response body (body).
In [94]: api_versions.response()
Out[94]:
{'status_code': 200,
'data': {'current-version': '1.6',
'supported-versions': ['1', '1.1', '1.2', '1.3', '1.4', '1.5', '1.6']}}
data
Lets you view only the body of the response, without the extra information.
In [93]: api_versions.data
Out[93]:
{'current-version': '1.6',
'supported-versions': ['1', '1.1', '1.2', '1.3', '1.4', '1.5', '1.6']}
error_message
This information is available only if an error occurred while the API request was being processed (response code other than 200). Example output:
In [107]: api_versions.error_message
Out[107]: 'code: generic_err_invalid_parameter_name\nmessage: Unrecognized parameter [1]\n'
Useful examples
Below are examples that use API calls added in Management API 1.6.
First, let's look at how the calls add-host and add-address-range work. Suppose we need to create all IP addresses of the subnet 192.168.0.0/24 whose last octet is a multiple of 5 as objects of type host, and record all the other IP addresses as objects of type address range. The subnet address and the broadcast address are to be excluded.
So, below is a script that solves this problem and creates 50 objects of type host and 51 objects of type address range. Solving the problem takes 101 API calls (not counting the final publish call). We also use the timeit module to measure how long the script runs up to the point where the changes are published.
Script using add-host and add-address-range
import timeit
from cpapi import APIClient, APIClientArgs

start = timeit.default_timer()

first_ip = 1
last_ip = 4

client_args = APIClientArgs(server="192.168.47.240")

with APIClient(client_args) as client:
    login = client.login_with_api_key('3TsbPJ8ZKjaJGvFyoFqHFA==')
    # one add-host call per address ending in .5, .10, ... .250
    for ip in range(5,255,5):
        add_host = client.api_call("add-host", {"name" : f"h_192.168.0.{ip}", "ip-address": f'192.168.0.{ip}'})
    # one add-address-range call per gap between those hosts (.1-.4, .6-.9, ...)
    while last_ip < 255:
        add_range = client.api_call("add-address-range", {"name": f"r_192.168.0.{first_ip}-{last_ip}", "ip-address-first": f"192.168.0.{first_ip}", "ip-address-last": f"192.168.0.{last_ip}"})
        first_ip+=5
        last_ip+=5
    # stop the timer before publishing
    stop = timeit.default_timer()
    publish = client.api_call("publish")

print(f'Time to execute batch request: {stop - start} seconds')
In my lab environment this script takes 30 to 50 seconds to run, depending on the load on the management server.
Now let's see how to solve the same problem with the API call add-objects-batch, support for which was added in API version 1.6. This call lets you create many objects at once in a single API request. Moreover, these can be objects of different types (for example hosts, subnets and address ranges). So our task can be solved within a single API call.
Script using add-objects-batch
import timeit
from cpapi import APIClient, APIClientArgs

start = timeit.default_timer()

client_args = APIClientArgs(server="192.168.47.240")

objects_list_ip = []
objects_list_range = []

# build the host objects locally instead of sending one call per host
for ip in range(5,255,5):
    data = {"name": f'h_192.168.0.{ip}', "ip-address": f'192.168.0.{ip}'}
    objects_list_ip.append(data)

first_ip = 1
last_ip = 4

# build the address-range objects locally
while last_ip < 255:
    data = {"name": f"r_192.168.0.{first_ip}-{last_ip}", "ip-address-first": f"192.168.0.{first_ip}", "ip-address-last": f"192.168.0.{last_ip}"}
    objects_list_range.append(data)
    first_ip+=5
    last_ip+=5

data_for_batch = {
    "objects" : [ {
        "type" : "host",
        "list" : objects_list_ip
    }, {
        "type" : "address-range",
        "list" : objects_list_range
    }]
}

with APIClient(client_args) as client:
    login = client.login_with_api_key('3TsbPJ8ZKjaJGvFyoFqHFA==')
    # a single call carries both object types
    add_objects_batch = client.api_call("add-objects-batch", data_for_batch)
    stop = timeit.default_timer()
    publish = client.api_call("publish")

print(f'Time to execute batch request: {stop - start} seconds')
Running this script in my lab environment takes 3 to 7 seconds, depending on the load on the management server. That is, on 101 API objects a batch-type call runs on average 10 times faster. With a larger number of objects the difference becomes even more noticeable.
Now let's see how to work with set-objects-batch. With this API call we can change any parameter in bulk. Let's set the first half of the addresses from the previous example (hosts and ranges up to .124) to the color sienna, and assign the color khaki to the second half of the addresses.
Changing the color of the objects created in the previous example
from cpapi import APIClient, APIClientArgs

client_args = APIClientArgs(server="192.168.47.240")

objects_list_ip_first = []
objects_list_range_first = []
objects_list_ip_second = []
objects_list_range_second = []

# hosts up to .120 get sienna, hosts from .125 get khaki
for ip in range(5,125,5):
    data = {"name": f'h_192.168.0.{ip}', "color": "sienna"}
    objects_list_ip_first.append(data)

for ip in range(125,255,5):
    data = {"name": f'h_192.168.0.{ip}', "color": "khaki"}
    objects_list_ip_second.append(data)

first_ip = 1
last_ip = 4

# ranges up to .124 get sienna; the counters carry over into the second loop
while last_ip < 125:
    data = {"name": f"r_192.168.0.{first_ip}-{last_ip}", "color": "sienna"}
    objects_list_range_first.append(data)
    first_ip+=5
    last_ip+=5

while last_ip < 255:
    data = {"name": f"r_192.168.0.{first_ip}-{last_ip}", "color": "khaki"}
    objects_list_range_second.append(data)
    first_ip+=5
    last_ip+=5

data_for_batch_first = {
    "objects" : [ {
        "type" : "host",
        "list" : objects_list_ip_first
    }, {
        "type" : "address-range",
        "list" : objects_list_range_first
    }]
}

data_for_batch_second = {
    "objects" : [ {
        "type" : "host",
        "list" : objects_list_ip_second
    }, {
        "type" : "address-range",
        "list" : objects_list_range_second
    }]
}

with APIClient(client_args) as client:
    login = client.login_with_api_key('3TsbPJ8ZKjaJGvFyoFqHFA==')
    set_objects_batch_first = client.api_call("set-objects-batch", data_for_batch_first)
    set_objects_batch_second = client.api_call("set-objects-batch", data_for_batch_second)
    publish = client.api_call("publish")
Multiple objects can be deleted in a single API call using delete-objects-batch. Now let's look at a code example that deletes all the hosts created earlier through add-objects-batch.
Deleting objects using delete-objects-batch
from cpapi import APIClient, APIClientArgs

client_args = APIClientArgs(server="192.168.47.240")

objects_list_ip = []
objects_list_range = []

# objects are referenced by name only
for ip in range(5,255,5):
    data = {"name": f'h_192.168.0.{ip}'}
    objects_list_ip.append(data)

first_ip = 1
last_ip = 4

while last_ip < 255:
    data = {"name": f"r_192.168.0.{first_ip}-{last_ip}"}
    objects_list_range.append(data)
    first_ip+=5
    last_ip+=5

data_for_batch = {
    "objects" : [ {
        "type" : "host",
        "list" : objects_list_ip
    }, {
        "type" : "address-range",
        "list" : objects_list_range
    }]
}

with APIClient(client_args) as client:
    login = client.login_with_api_key('3TsbPJ8ZKjaJGvFyoFqHFA==')
    delete_objects_batch = client.api_call("delete-objects-batch", data_for_batch)
    publish = client.api_call("publish")

print(delete_objects_batch.data)
All functions that appear in new releases of Check Point software get API calls right away. Thus, in R80.40 such "features" as Revert to revision and Smart Task appeared, and the corresponding API calls were prepared for them at once. Moreover, all functionality that moves from the Legacy consoles to Unified Policy mode also gets API support. For example, the long-awaited update in software version R80.40 was the move of the HTTPS Inspection policy from Legacy mode to Unified Policy mode, and this functionality received API calls right away. Below is an example of code that adds, at the top position of the HTTPS Inspection policy, a rule that excludes from inspection 3 categories (health, finance, government services) whose inspection is prohibited by law in many countries.
Adding a rule to the HTTPS Inspection policy
from cpapi import APIClient, APIClientArgs

client_args = APIClientArgs(server="192.168.47.240")

# bypass rule placed at the top of the HTTPS Inspection layer
data = {
    "layer" : "Default Layer",
    "position" : "top",
    "name" : "Legal Requirements",
    "action": "bypass",
    "site-category": ["Health", "Government / Military", "Financial Services"]
}

with APIClient(client_args) as client:
    login = client.login_with_api_key('3TsbPJ8ZKjaJGvFyoFqHFA==')
    add_https_rule = client.api_call("add-https-rule", data)
    publish = client.api_call("publish")
Running Python scripts on the Check Point management server
Everything is the same
Script for quickly setting up a Security CheckUp
from __future__ import print_function
import getpass
import sys, os

sys.path.append(os.path.abspath(os.path.join(os.path.dirname(__file__), '..')))
from cpapi import APIClient, APIClientArgs


def main():
    # raw_input below means this script targets Python 2
    with APIClient() as client:
        # if client.check_fingerprint() is False:
        #     print("Could not get the server's fingerprint - Check connectivity with the server.")
        #     exit(1)
        login_res = client.login_as_root()
        if login_res.success is False:
            print("Login failed:\n{}".format(login_res.error_message))
            exit(1)

        gw_name = raw_input("Enter the gateway name:")
        gw_ip = raw_input("Enter the gateway IP address:")
        if sys.stdin.isatty():
            sic = getpass.getpass("Enter one-time password for the gateway(SIC): ")
        else:
            print("Attention! Your password will be shown on the screen!")
            sic = raw_input("Enter one-time password for the gateway(SIC): ")
        version = raw_input("Enter the gateway version(like RXX.YY):")

        add_gw = client.api_call("add-simple-gateway", {'name' : gw_name, 'ipv4-address' : gw_ip, 'one-time-password' : sic, 'version': version.capitalize(), 'application-control' : 'true', 'url-filtering' : 'true', 'ips' : 'true', 'anti-bot' : 'true', 'anti-virus' : 'true', 'threat-emulation' : 'true'})
        if add_gw.success and add_gw.data['sic-state'] != "communicating":
            print("Secure connection with the gateway hasn't established!")
            exit(1)
        elif add_gw.success:
            print("The gateway was added successfully.")
            gw_uid = add_gw.data['uid']
            gw_name = add_gw.data['name']
        else:
            print("Failed to add the gateway - {}".format(add_gw.error_message))
            exit(1)

        change_policy = client.api_call("set-access-layer", {"name" : "Network", "applications-and-url-filtering": "true", "content-awareness": "true"})
        if change_policy.success:
            print("The policy has been changed successfully")
        else:
            print("Failed to change the policy- {}".format(change_policy.error_message))

        change_rule = client.api_call("set-access-rule", {"name" : "Cleanup rule", "layer" : "Network", "action": "Accept", "track": {"type": "Detailed Log", "accounting": "true"}})
        if change_rule.success:
            print("The cleanup rule has been changed successfully")
        else:
            print("Failed to change the cleanup rule- {}".format(change_rule.error_message))

        # publish the result
        publish_res = client.api_call("publish", {})
        if publish_res.success:
            print("The changes were published successfully.")
        else:
            print("Failed to publish the changes - {}".format(publish_res.error_message))

        install_access_policy = client.api_call("install-policy", {"policy-package" : "Standard", "access" : 'true', "threat-prevention" : 'false', "targets" : gw_uid})
        if install_access_policy.success:
            print("The access policy has been installed")
        else:
            print("Failed to install access policy - {}".format(install_access_policy.error_message))

        install_tp_policy = client.api_call("install-policy", {"policy-package" : "Standard", "access" : 'false', "threat-prevention" : 'true', "targets" : gw_uid})
        if install_tp_policy.success:
            print("The threat prevention policy has been installed")
        else:
            print("Failed to install threat prevention policy - {}".format(install_tp_policy.error_message))

        # add passwords and passphrases to dictionary
        with open('additional_pass.conf') as f:
            line_num = 0
            for line in f:
                line_num += 1
                add_password_dictionary = client.api_call("run-script", {"script-name" : "Add passwords and passphrases", "script" : "printf \"{}\" >> $FWDIR/conf/additional_pass.conf".format(line), "targets" : gw_name})
                if add_password_dictionary.success:
                    print("The password dictionary line {} was added successfully".format(line_num))
                else:
                    print("Failed to add the dictionary - {}".format(add_password_dictionary.error_message))


main()
Example of a file with a password dictionary, additional_pass.conf
{
    "passwords" : ["malware","malicious","infected","Infected"],
    "phrases" : ["password","Password","Pass","pass","codigo","key","pwd","пароль","Пароль","Ключ","ключ","шифр","Шифр"]
}
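The run-script step above pastes each file line between double quotes and uses it as the printf format, so lines that themselves contain quotes, `%` or `$` do not arrive on the gateway unchanged. An added Python 3 example, not part of the original script, of quoting the data before it reaches the shell; the helper names and the sample lines are constructed here.

```python
import shlex
import subprocess

TARGET = "$FWDIR/conf/additional_pass.conf"  # destination used by the script above


def naive_printf(line):
    """The data is pasted between double quotes and used as the printf format."""
    return 'printf "{}"'.format(line)


def safe_printf(line):
    """The data is one single-quoted argument to a fixed '%s\\n' format."""
    return "printf '%s\\n' {}".format(shlex.quote(line.rstrip("\r\n")))


def run_script_payload(line, gateway):
    """Payload for the run-script call; the redirect target is a fixed string."""
    return {"script-name": "Add passwords and passphrases",
            "script": "{} >> {}".format(safe_printf(line), TARGET),
            "targets": gateway}


def written_by(printf_command):
    """Run only the printf part in a local sh and return what it emits."""
    done = subprocess.run(["sh", "-c", printf_command],
                          capture_output=True, text=True)
    return done.stdout


# Constructed dictionary lines: quotes, a printf directive, a shell variable.
SAMPLE_LINES = [
    '"passwords" : ["malware","infected"],\n',
    '"phrases" : ["100%d","$FWDIR","it\'s"]\n',
]


def demo():
    """For each line: (naive output is faithful, safe output is faithful)."""
    return [(written_by(naive_printf(line)) == line,
             written_by(safe_printf(line)) == line)
            for line in SAMPLE_LINES]


if __name__ == "__main__":
    print(demo())
    print(run_script_payload(SAMPLE_LINES[0], "gw-example")["script"])
```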
Conclusion
This article covers only the basic capabilities of working with the Python SDK and the cpapi module (as you may have guessed, these are in fact synonyms), and by studying the code of this module you will find even more opportunities for working with it. You may want to supplement it with your own classes, functions, methods and variables. You can always share your work and view other scripts for Check Point in this section.
Happy coding, and thank you for reading to the end.
Source: habr.com