The full power of working with an API is revealed when it is used together with program code, when you can build API requests dynamically and have tools for analyzing the API responses. However, the Python Software Development Kit (hereinafter the Python SDK) for the Check Point Management API still goes unnoticed, and undeservedly so. It makes life much easier for developers and automation enthusiasts. Python has gained enormous popularity, so I decided to fill the gap and review the main features of the SDK. This article is an excellent complement to another article on Habr. We will look at how to write scripts using the Python SDK and dwell in more detail on the new Management API functionality in version 1.6 (supported since R80.40). To follow the article, you need basic knowledge of working with APIs and Python.
Check Point is actively developing its APIs and has so far released:
- working with the management server through the API (and the ability to run scripts on gateways under the management server's control)
- working with security gateways
- working with the sandbox in the Check Point cloud
- working with the Identity Awareness blade on gateways
- working with the SMB gateway management portal
- interacting with the IoT controller
- working with (an SD-WAN security solution)
- working with
The Python SDK currently supports interaction only with the Management API and the Gaia API. We will cover the most important classes, methods and variables in this module.

Installing the module
The cpapi module installs quickly and easily using pip. Detailed installation instructions are available in . The module is adapted to work with Python 2.7 and 3.7. In this article, the examples are given for Python 3.7. However, the Python SDK can also be run directly from the Check Point management server (Smart Management), where only Python 2.7 is supported, so code for version 2.7 is given in the last section. Right after installing the module, I recommend looking at the examples in the examples_python2 and examples_python3 directories.
Getting started
To work with the components of the cpapi module, we need to import at least two required classes from it: APIClient and APIClientArgs.
```python
from cpapi import APIClient, APIClientArgs
```
The APIClientArgs class is responsible for the parameters of the connection to the API server, and the APIClient class is responsible for interacting with the API.
Defining the connection parameters
To define the various parameters for connecting to the API, you need to create an instance of the APIClientArgs class. In principle, its parameters are predefined, and when the script runs on the management server they do not need to be specified.
```python
client_args = APIClientArgs()
```
But when running on a third-party host, you need to specify at least the IP address or host name of the API server (that is, the management server). In the example below, we set the server connection parameter and give it the management server's IP address as a string.
```python
client_args = APIClientArgs(server='192.168.47.241')
```
Let's look at all the parameters, with their default values, that can be used when connecting to the API server:
Arguments of the __init__ method of the APIClientArgs class
```python
class APIClientArgs:
    """
    This class provides arguments for APIClient configuration.
    All the arguments are configured with their default values.
    """

    # port is set to None by default, but it gets replaced with 443 if not specified
    # context possible values - web_api (default) or gaia_api
    def __init__(self, port=None, fingerprint=None, sid=None, server="127.0.0.1", http_debug_level=0,
                 api_calls=None, debug_file="", proxy_host=None, proxy_port=8080,
                 api_version=None, unsafe=False, unsafe_auto_accept=False, context="web_api"):
        self.port = port
        # management server fingerprint
        self.fingerprint = fingerprint
        # session-id.
        self.sid = sid
        # management server name or IP-address
        self.server = server
        # debug level
        self.http_debug_level = http_debug_level
        # an array with all the api calls (for debug purposes)
        self.api_calls = api_calls if api_calls else []
        # name of debug file. If left empty, debug data will not be saved to disk.
        self.debug_file = debug_file
        # HTTP proxy server address (without "http://")
        self.proxy_host = proxy_host
        # HTTP proxy port
        self.proxy_port = proxy_port
        # Management server's API version
        self.api_version = api_version
        # Indicates that the client should not check the server's certificate
        self.unsafe = unsafe
        # Indicates that the client should automatically accept and save the server's certificate
        self.unsafe_auto_accept = unsafe_auto_accept
        # The context of using the client - defaults to web_api
        self.context = context
```
I believe the arguments available in the APIClientArgs class are intuitive for Check Point administrators and need no additional comments.
Connecting through APIClient and a context manager
The APIClient class is most conveniently used through a context manager. All that has to be passed to the APIClient instance is the connection parameters defined in the previous step.
```python
with APIClient(client_args) as client:
    ...  # API calls go here
```
The context manager does not automatically perform the login call to the API server, but it does perform the logout call on exit. If for some reason logout is not needed after you finish working with the API calls, start working without the context manager:
```python
client = APIClient(client_args)
```
Checking the connection
The easiest way to check whether the connection works with the specified parameters is the check_fingerprint method. If verification of the sha1 hash of the API server certificate's fingerprint fails (the method returned False), this is usually caused by connection problems, and we can stop the program (or give the user a chance to correct the connection data):
```python
if client.check_fingerprint() is False:
    print("Could not get the server's fingerprint - Check connectivity with the server.")
    exit(1)
```
Note that from then on the APIClient class checks the sha1 fingerprint of the API server's certificate on every API call (the api_call and api_query methods, which we will discuss a little later). But if an error is detected while checking the sha1 fingerprint of the API server's certificate (the certificate is unknown or has changed), the check_fingerprint method offers the option to add or change the information about it on the local machine automatically. This check can be disabled completely (but this can only be recommended when scripts run on the API server itself, connecting to 127.0.0.1), using the APIClientArgs argument unsafe_auto_accept (see more about APIClientArgs earlier, in "Defining the connection parameters").
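As an added illustration (not code from cpapi or from the original article), the sketch below shows the trust-on-first-use logic behind such a fingerprint check and what changes once new fingerprints are accepted automatically. FingerprintStore, its JSON file and the byte strings standing in for certificates are assumptions made for the example.

```python
import hashlib
import json
import os
import tempfile


def sha1_fingerprint(cert_der):
    """SHA-1 over the DER-encoded certificate, as upper-case hex."""
    return hashlib.sha1(cert_der).hexdigest().upper()


class FingerprintStore:
    """Hypothetical local pin store: one JSON file mapping server -> fingerprint."""

    def __init__(self, path):
        self.path = path

    def _load(self):
        if not os.path.exists(self.path):
            return {}
        with open(self.path) as f:
            return json.load(f)

    def pin(self, server, fingerprint):
        pins = self._load()
        pins[server] = fingerprint
        with open(self.path, "w") as f:
            json.dump(pins, f, indent=2)

    def check(self, server, cert_der, auto_accept=False):
        """Return 'match', 'unknown', 'changed' or 'auto-accepted'."""
        seen = sha1_fingerprint(cert_der)
        pinned = self._load().get(server)
        if pinned == seen:
            return "match"
        if auto_accept:
            # Whatever the server presents becomes the new pin, so a replaced
            # certificate is trusted without anyone being asked.
            self.pin(server, seen)
            return "auto-accepted"
        # Without auto-accept the caller must decide: a first contact and a
        # changed certificate are reported separately.
        return "unknown" if pinned is None else "changed"


def demo():
    # Constructed byte strings standing in for DER certificates.
    real_cert = b"constructed-der-bytes-of-the-management-server-cert"
    other_cert = b"constructed-der-bytes-of-some-other-cert"
    server = "192.168.47.241"
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        store = FingerprintStore(os.path.join(tmp, "fingerprints.json"))
        results.append(store.check(server, real_cert))    # first contact
        store.pin(server, sha1_fingerprint(real_cert))    # operator verified it out of band
        results.append(store.check(server, real_cert))
        results.append(store.check(server, other_cert))   # different certificate
        results.append(store.check(server, other_cert, auto_accept=True))
        results.append(store.check(server, other_cert))   # the pin was overwritten
        results.append(store.check(server, real_cert))    # the real server is now the odd one
    return results


if __name__ == "__main__":
    print(demo())
```

The last two results are the reason automatic acceptance only makes sense on a path where no one can sit between client and server, such as 127.0.0.1.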
```python
client_args = APIClientArgs(unsafe_auto_accept=True)
```
Logging in to the API server
APIClient has as many as 3 ways to log in to the API server, and each of them remembers the sid (session-id) value, which is then used automatically in the header of every subsequent API call (the header name for this parameter is X-chkp-sid), so there is no need to handle this parameter yourself.
The login method
The option using a login and password (in the example, the user name admin and the password 1q2w3e are passed as positional arguments):
```python
login = client.login('admin', '1q2w3e')
```
The login method also has additional optional parameters; here are their names and default values:
```
continue_last_session=False, domain=None, read_only=False, payload=None
```
The login_with_api_key method
The option using an API key (supported starting from management version R80.40 / Management API v1.6; "3TsbPJ8ZKjaJGvFyoFqHFA==" is the API key value for one of the users on the management server that has the API key authentication method):
```python
login = client.login_with_api_key('3TsbPJ8ZKjaJGvFyoFqHFA==')
```
The login_with_api_key method has the same optional parameters as the login method.
The login_as_root method
The option for logging in on the local machine that hosts the API server:
```python
login = client.login_as_root()
```
Only two optional parameters are available for this method:
```
domain=None, payload=None
```
And finally, the API calls themselves
We have two options for making API calls: the api_call and api_query methods. Let's figure out the difference between them.
api_call
This method applies to any call. We need to pass the last part of the API call and, if necessary, the payload for the request body. If the payload is empty, it can be omitted altogether:
```python
api_versions = client.api_call('show-api-versions')
```
The output for this request:
```
In [23]: api_versions
Out[23]:
APIResponse({
    "data": {
        "current-version": "1.6",
        "supported-versions": [
            "1",
            "1.1",
            "1.2",
            "1.3",
            "1.4",
            "1.5",
            "1.6"
        ]
    },
    "res_obj": {
        "data": {
            "current-version": "1.6",
            "supported-versions": [
                "1",
                "1.1",
                "1.2",
                "1.3",
                "1.4",
                "1.5",
                "1.6"
            ]
        },
        "status_code": 200
    },
    "status_code": 200,
    "success": true
})
```
```python
show_host = client.api_call('show-host', {'name' : 'h_8.8.8.8'})
```
The output for this request:
```
In [25]: show_host
Out[25]:
APIResponse({
    "data": {
        "color": "black",
        "comments": "",
        "domain": {
            "domain-type": "domain",
            "name": "SMC User",
            "uid": "41e821a0-3720-11e3-aa6e-0800200c9fde"
        },
        "groups": [],
        "icon": "Objects/host",
        "interfaces": [],
        "ipv4-address": "8.8.8.8",
        "meta-info": {
            "creation-time": {
                "iso-8601": "2020-05-01T21:49+0300",
                "posix": 1588358973517
            },
            "creator": "admin",
            "last-modifier": "admin",
            "last-modify-time": {
                "iso-8601": "2020-05-01T21:49+0300",
                "posix": 1588358973517
            },
            "lock": "unlocked",
            "validation-state": "ok"
        },
        "name": "h_8.8.8.8",
        "nat-settings": {
            "auto-rule": false
        },
        "read-only": false,
        "tags": [],
        "type": "host",
        "uid": "c210af07-1939-49d3-a351-953a9c471d9e"
    },
    "res_obj": {
        "data": {
            "color": "black",
            "comments": "",
            "domain": {
                "domain-type": "domain",
                "name": "SMC User",
                "uid": "41e821a0-3720-11e3-aa6e-0800200c9fde"
            },
            "groups": [],
            "icon": "Objects/host",
            "interfaces": [],
            "ipv4-address": "8.8.8.8",
            "meta-info": {
                "creation-time": {
                    "iso-8601": "2020-05-01T21:49+0300",
                    "posix": 1588358973517
                },
                "creator": "admin",
                "last-modifier": "admin",
                "last-modify-time": {
                    "iso-8601": "2020-05-01T21:49+0300",
                    "posix": 1588358973517
                },
                "lock": "unlocked",
                "validation-state": "ok"
            },
            "name": "h_8.8.8.8",
            "nat-settings": {
                "auto-rule": false
            },
            "read-only": false,
            "tags": [],
            "type": "host",
            "uid": "c210af07-1939-49d3-a351-953a9c471d9e"
        },
        "status_code": 200
    },
    "status_code": 200,
    "success": true
})
```
api_query
Let me say right away that this method applies only to calls whose output involves an offset. Such output occurs when the response contains, or may contain, a large amount of information. For example, this could be a request for the list of all host objects created on the management server. For such requests, the API returns a list of 50 objects by default (you can raise the limit to 500 objects per response). So that you do not have to pull the information in several passes, changing the offset parameter in the API request each time, there is the api_query method, which does this automatically. Examples of calls where this method is needed: show-sessions, show-hosts, show-networks, show-wildcards, show-groups, show-address-ranges, show-simple-gateways, show-simple-cluster, show-access-roles, show-trusted-clients, show-packages. In fact, the names of these API calls contain plural words, so these calls are easier to handle through api_query.
```python
show_hosts = client.api_query('show-hosts')
```
The output for this request:
```
In [21]: show_hosts
Out[21]:
APIResponse({
    "data": [
        {
            "domain": {
                "domain-type": "domain",
                "name": "SMC User",
                "uid": "41e821a0-3720-11e3-aa6e-0800200c9fde"
            },
            "ipv4-address": "192.168.47.1",
            "name": "h_192.168.47.1",
            "type": "host",
            "uid": "5d7d7086-d70b-4995-971a-0583b15a2bfc"
        },
        {
            "domain": {
                "domain-type": "domain",
                "name": "SMC User",
                "uid": "41e821a0-3720-11e3-aa6e-0800200c9fde"
            },
            "ipv4-address": "8.8.8.8",
            "name": "h_8.8.8.8",
            "type": "host",
            "uid": "c210af07-1939-49d3-a351-953a9c471d9e"
        }
    ],
    "res_obj": {
        "data": {
            "from": 1,
            "objects": [
                {
                    "domain": {
                        "domain-type": "domain",
                        "name": "SMC User",
                        "uid": "41e821a0-3720-11e3-aa6e-0800200c9fde"
                    },
                    "ipv4-address": "192.168.47.1",
                    "name": "h_192.168.47.1",
                    "type": "host",
                    "uid": "5d7d7086-d70b-4995-971a-0583b15a2bfc"
                },
                {
                    "domain": {
                        "domain-type": "domain",
                        "name": "SMC User",
                        "uid": "41e821a0-3720-11e3-aa6e-0800200c9fde"
                    },
                    "ipv4-address": "8.8.8.8",
                    "name": "h_8.8.8.8",
                    "type": "host",
                    "uid": "c210af07-1939-49d3-a351-953a9c471d9e"
                }
            ],
            "to": 2,
            "total": 2
        },
        "status_code": 200
    },
    "status_code": 200,
    "success": true
})
```
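What api_query automates can be sketched as a loop over limit and offset. This is an added example, not cpapi's own code: fake_api_call is a constructed stand-in for the server that answers with the from/to/total/objects fields visible in res_obj above, and query_all is a hypothetical helper.

```python
# Constructed stand-in for a management server holding 120 host objects.
HOSTS = [{"name": "h_10.0.0.%d" % i, "type": "host"} for i in range(1, 121)]


def fake_api_call(command, payload=None):
    """Answer one page, using the from/to/total/objects fields seen in res_obj."""
    payload = payload or {}
    limit = payload.get("limit", 50)      # 50 objects per reply by default
    offset = payload.get("offset", 0)
    if not 1 <= limit <= 500:             # 500 is the ceiling the article mentions
        return {"success": False, "status_code": 400,
                "data": {"message": "limit must be between 1 and 500"}}
    page = HOSTS[offset:offset + limit]
    data = {"objects": page, "total": len(HOSTS)}
    if page:
        # Assumption of this stand-in: an empty page carries no from/to.
        data["from"] = offset + 1
        data["to"] = offset + len(page)
    return {"success": True, "status_code": 200, "data": data}


def query_all(api_call, command, limit=50):
    """Repeat `command` with a growing offset until every object is collected.

    Returns (objects, number_of_calls).
    """
    objects, offset, calls = [], 0, 0
    while True:
        reply = api_call(command, {"limit": limit, "offset": offset})
        calls += 1
        if not reply["success"]:
            raise RuntimeError("%s failed with HTTP %s: %s" % (
                command, reply["status_code"], reply["data"].get("message")))
        data = reply["data"]
        objects.extend(data["objects"])
        # Stop on an empty page as well, instead of looping forever.
        if not data["objects"] or data["to"] >= data["total"]:
            return objects, calls
        offset = data["to"]


if __name__ == "__main__":
    hosts, calls = query_all(fake_api_call, "show-hosts")
    print(len(hosts), "objects in", calls, "calls")
```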
Processing the results of API calls
After this, you can use the variables and methods of the APIResponse class (both inside and outside the context manager). The APIResponse class has 4 predefined methods and 5 variables; we will look at the most important ones in more detail.

success
First of all, it is a good idea to make sure that the API call succeeded and returned a result. The success variable exists for this:
```
In [49]: api_versions.success
Out[49]: True
```
It returns True if the API call succeeded (response code 200) and False if it did not (any other response code). It is convenient to use right after an API call to display different information depending on the response code.
```python
if api_versions.success:
    print(api_versions.data)
else:
    print(api_versions.error_message)
```
status_code
Returns the response code after the API call has been executed.
```
In [62]: api_versions.status_code
Out[62]: 400
```
Possible response codes: 200, 400, 401, 403, 404, 409, 500, 501.
set_success_status
In some cases it may be necessary to change the value of the success status. Technically, you can put anything there, even an ordinary string. But a realistic example is resetting this parameter to False under certain conditions. In the example below there are tasks running on the management server, and we treat the request as unsuccessful (we set the success variable to False, even though the API call succeeded and returned code 200).
```python
# task_result is an APIResponse whose data holds a list of tasks
for task in task_result.data["tasks"]:
    if task["status"] == "failed" or task["status"] == "partially succeeded":
        task_result.set_success_status(False)
        break
```
response()
The response method lets you see a dictionary with the response code (status_code) and the response body (body).
```
In [94]: api_versions.response()
Out[94]:
{'status_code': 200,
 'data': {'current-version': '1.6',
  'supported-versions': ['1', '1.1', '1.2', '1.3', '1.4', '1.5', '1.6']}}
```
data
Lets you see only the response body, without unnecessary information.
```
In [93]: api_versions.data
Out[93]:
{'current-version': '1.6',
 'supported-versions': ['1', '1.1', '1.2', '1.3', '1.4', '1.5', '1.6']}
```
error_message
This information is available only when an error occurred while processing the API request (the response code is not 200). Example output:
```
In [107]: api_versions.error_message
Out[107]: 'code: generic_err_invalid_parameter_name\nmessage: Unrecognized parameter [1]\n'
```
Useful examples
The examples below use API calls that were added in Management API version 1.6.
Let's start by looking at how the add-host and add-address-range calls work. We need to create all IP addresses of the 192.168.0.0/24 subnet whose last octet is a multiple of 5 as objects of type host, and record all the other IP addresses as objects of type address range. The subnet address and the broadcast address are excluded.
So, below is a script that solves this problem and creates 50 objects of type host and 51 objects of type address range. Solving the problem takes 101 API calls (not counting the final publish call). Using the timeit module, we also measure the time it takes to run the script up to the point where the changes are published.
Script using add-host and add-address-range
```python
import timeit
from cpapi import APIClient, APIClientArgs

start = timeit.default_timer()
first_ip = 1
last_ip = 4
client_args = APIClientArgs(server="192.168.47.240")
with APIClient(client_args) as client:
    login = client.login_with_api_key('3TsbPJ8ZKjaJGvFyoFqHFA==')
    # one add-host call per address ending in 5, 10, ..., 250
    for ip in range(5, 255, 5):
        add_host = client.api_call("add-host", {"name": f"h_192.168.0.{ip}", "ip-address": f'192.168.0.{ip}'})
    # one add-address-range call per gap between hosts: .1-.4, .6-.9, ..., .251-.254
    while last_ip < 255:
        add_range = client.api_call("add-address-range", {"name": f"r_192.168.0.{first_ip}-{last_ip}", "ip-address-first": f"192.168.0.{first_ip}", "ip-address-last": f"192.168.0.{last_ip}"})
        first_ip += 5
        last_ip += 5
    stop = timeit.default_timer()
    publish = client.api_call("publish")
print(f'Time to execute batch request: {stop - start} seconds')
```
In my lab environment, this script takes between 30 and 50 seconds to run, depending on the load on the management server.
Now let's see how to solve the same problem using the add-objects-batch API call, support for which was added in API version 1.6. This call lets you create many objects at once in a single API request. Moreover, they can be objects of different types (for example, hosts, subnets and address ranges). Thus, our task can be solved within a single API call.
Script using add-objects-batch
```python
import timeit
from cpapi import APIClient, APIClientArgs

start = timeit.default_timer()
client_args = APIClientArgs(server="192.168.47.240")
objects_list_ip = []
objects_list_range = []
# hosts: addresses ending in 5, 10, ..., 250
for ip in range(5, 255, 5):
    data = {"name": f'h_192.168.0.{ip}', "ip-address": f'192.168.0.{ip}'}
    objects_list_ip.append(data)
# ranges: .1-.4, .6-.9, ..., .251-.254
first_ip = 1
last_ip = 4
while last_ip < 255:
    data = {"name": f"r_192.168.0.{first_ip}-{last_ip}", "ip-address-first": f"192.168.0.{first_ip}", "ip-address-last": f"192.168.0.{last_ip}"}
    objects_list_range.append(data)
    first_ip += 5
    last_ip += 5
data_for_batch = {
    "objects": [{
        "type": "host",
        "list": objects_list_ip
    }, {
        "type": "address-range",
        "list": objects_list_range
    }]
}
with APIClient(client_args) as client:
    login = client.login_with_api_key('3TsbPJ8ZKjaJGvFyoFqHFA==')
    add_objects_batch = client.api_call("add-objects-batch", data_for_batch)
    stop = timeit.default_timer()
    publish = client.api_call("publish")
print(f'Time to execute batch request: {stop - start} seconds')
```
Running this script in my lab environment takes from 3 to 7 seconds, depending on the load on the management server. That is, on average, for 101 objects, the batch-type API call works 10 times faster. With a larger number of objects the difference will be even more impressive.
Now let's see how to work with set-objects-batch. With this API call we can change any parameter in bulk. Let's set the first half of the addresses from the previous example (up to .124 inclusive, ranges as well) to the color sienna, and assign the color khaki to the second half of the addresses.
Changing the color of the objects created in the previous example
```python
from cpapi import APIClient, APIClientArgs

client_args = APIClientArgs(server="192.168.47.240")
objects_list_ip_first = []
objects_list_range_first = []
objects_list_ip_second = []
objects_list_range_second = []
# hosts up to .120 become sienna, hosts from .125 become khaki
for ip in range(5, 125, 5):
    data = {"name": f'h_192.168.0.{ip}', "color": "sienna"}
    objects_list_ip_first.append(data)
for ip in range(125, 255, 5):
    data = {"name": f'h_192.168.0.{ip}', "color": "khaki"}
    objects_list_ip_second.append(data)
# ranges up to .121-.124 become sienna, the rest khaki
first_ip = 1
last_ip = 4
while last_ip < 125:
    data = {"name": f"r_192.168.0.{first_ip}-{last_ip}", "color": "sienna"}
    objects_list_range_first.append(data)
    first_ip += 5
    last_ip += 5
while last_ip < 255:
    data = {"name": f"r_192.168.0.{first_ip}-{last_ip}", "color": "khaki"}
    objects_list_range_second.append(data)
    first_ip += 5
    last_ip += 5
data_for_batch_first = {
    "objects": [{
        "type": "host",
        "list": objects_list_ip_first
    }, {
        "type": "address-range",
        "list": objects_list_range_first
    }]
}
data_for_batch_second = {
    "objects": [{
        "type": "host",
        "list": objects_list_ip_second
    }, {
        "type": "address-range",
        "list": objects_list_range_second
    }]
}
with APIClient(client_args) as client:
    login = client.login_with_api_key('3TsbPJ8ZKjaJGvFyoFqHFA==')
    set_objects_batch_first = client.api_call("set-objects-batch", data_for_batch_first)
    set_objects_batch_second = client.api_call("set-objects-batch", data_for_batch_second)
    publish = client.api_call("publish")
```
You can delete multiple objects in one API call using delete-objects-batch. Now let's look at a code example that deletes all the hosts created earlier with add-objects-batch.
Deleting objects with delete-objects-batch
```python
from cpapi import APIClient, APIClientArgs

client_args = APIClientArgs(server="192.168.47.240")
objects_list_ip = []
objects_list_range = []
for ip in range(5, 255, 5):
    data = {"name": f'h_192.168.0.{ip}'}
    objects_list_ip.append(data)
first_ip = 1
last_ip = 4
while last_ip < 255:
    data = {"name": f"r_192.168.0.{first_ip}-{last_ip}"}
    objects_list_range.append(data)
    first_ip += 5
    last_ip += 5
data_for_batch = {
    "objects": [{
        "type": "host",
        "list": objects_list_ip
    }, {
        "type": "address-range",
        "list": objects_list_range
    }]
}
with APIClient(client_args) as client:
    login = client.login_with_api_key('3TsbPJ8ZKjaJGvFyoFqHFA==')
    delete_objects_batch = client.api_call("delete-objects-batch", data_for_batch)
    publish = client.api_call("publish")
print(delete_objects_batch.data)
```
Every feature that appears in new Check Point software releases immediately gets API calls. Thus, in R80.40 "features" such as Revert to revision and Smart Task appeared, and the corresponding API calls were prepared for them right away. Moreover, all functionality that moves from the Legacy consoles to Unified Policy mode also gains API support. For example, a long-awaited update in software version R80.40 was the move of the HTTPS Inspection policy from Legacy mode to Unified Policy mode, and this functionality immediately received API calls. Here is a code example that adds a rule at the top position of the HTTPS Inspection policy which excludes 3 categories from inspection (Health, Finance, Government Services), which the law forbids inspecting in a number of countries.
Adding a rule to the HTTPS Inspection policy
```python
from cpapi import APIClient, APIClientArgs

client_args = APIClientArgs(server="192.168.47.240")
data = {
    "layer": "Default Layer",
    "position": "top",
    "name": "Legal Requirements",
    "action": "bypass",
    "site-category": ["Health", "Government / Military", "Financial Services"]
}
with APIClient(client_args) as client:
    login = client.login_with_api_key('3TsbPJ8ZKjaJGvFyoFqHFA==')
    add_https_rule = client.api_call("add-https-rule", data)
    publish = client.api_call("publish")
```
Running Python scripts on the Check Point management server
Information on how to run Python scripts directly from the management server is available as well. This can be useful when you cannot connect to the API server from another machine. I recorded a six-minute video in which I look at installing the cpapi module and the specifics of running Python scripts on the management server. As an example, a script is run that automates the configuration of a new gateway for a task such as a Security CheckUp network audit. One of the peculiarities I had to deal with: in Python 2.7 the input function had not yet appeared, so the raw_input function is used to process the information the user enters. Otherwise, the code is the same as when it is launched from other machines, except that it is more convenient to use the login_as_root function, so as not to specify the user name, password and management server IP address again.

Script for quick Security CheckUp setup
```python
from __future__ import print_function
import getpass
import sys, os

sys.path.append(os.path.abspath(os.path.join(os.path.dirname(__file__), '..')))
from cpapi import APIClient, APIClientArgs


def main():
    with APIClient() as client:
        # if client.check_fingerprint() is False:
        #     print("Could not get the server's fingerprint - Check connectivity with the server.")
        #     exit(1)
        login_res = client.login_as_root()
        if login_res.success is False:
            print("Login failed:\n{}".format(login_res.error_message))
            exit(1)
        gw_name = raw_input("Enter the gateway name:")
        gw_ip = raw_input("Enter the gateway IP address:")
        if sys.stdin.isatty():
            sic = getpass.getpass("Enter one-time password for the gateway(SIC): ")
        else:
            print("Attention! Your password will be shown on the screen!")
            sic = raw_input("Enter one-time password for the gateway(SIC): ")
        version = raw_input("Enter the gateway version(like RXX.YY):")
        add_gw = client.api_call("add-simple-gateway", {'name' : gw_name, 'ipv4-address' : gw_ip, 'one-time-password' : sic, 'version': version.capitalize(), 'application-control' : 'true', 'url-filtering' : 'true', 'ips' : 'true', 'anti-bot' : 'true', 'anti-virus' : 'true', 'threat-emulation' : 'true'})
        if add_gw.success and add_gw.data['sic-state'] != "communicating":
            print("Secure connection with the gateway hasn't established!")
            exit(1)
        elif add_gw.success:
            print("The gateway was added successfully.")
            gw_uid = add_gw.data['uid']
            gw_name = add_gw.data['name']
        else:
            print("Failed to add the gateway - {}".format(add_gw.error_message))
            exit(1)
        change_policy = client.api_call("set-access-layer", {"name" : "Network", "applications-and-url-filtering": "true", "content-awareness": "true"})
        if change_policy.success:
            print("The policy has been changed successfully")
        else:
            print("Failed to change the policy- {}".format(change_policy.error_message))
        change_rule = client.api_call("set-access-rule", {"name" : "Cleanup rule", "layer" : "Network", "action": "Accept", "track": {"type": "Detailed Log", "accounting": "true"}})
        if change_rule.success:
            print("The cleanup rule has been changed successfully")
        else:
            print("Failed to change the cleanup rule- {}".format(change_rule.error_message))
        # publish the result
        publish_res = client.api_call("publish", {})
        if publish_res.success:
            print("The changes were published successfully.")
        else:
            print("Failed to publish the changes - {}".format(publish_res.error_message))
        install_access_policy = client.api_call("install-policy", {"policy-package" : "Standard", "access" : 'true', "threat-prevention" : 'false', "targets" : gw_uid})
        if install_access_policy.success:
            print("The access policy has been installed")
        else:
            print("Failed to install access policy - {}".format(install_access_policy.error_message))
        install_tp_policy = client.api_call("install-policy", {"policy-package" : "Standard", "access" : 'false', "threat-prevention" : 'true', "targets" : gw_uid})
        if install_tp_policy.success:
            print("The threat prevention policy has been installed")
        else:
            print("Failed to install threat prevention policy - {}".format(install_tp_policy.error_message))
        # add passwords and passphrases to dictionary
        with open('additional_pass.conf') as f:
            line_num = 0
            for line in f:
                line_num += 1
                add_password_dictionary = client.api_call("run-script", {"script-name" : "Add passwords and passphrases", "script" : "printf \"{}\" >> $FWDIR/conf/additional_pass.conf".format(line), "targets" : gw_name})
                if add_password_dictionary.success:
                    print("The password dictionary line {} was added successfully".format(line_num))
                else:
                    print("Failed to add the dictionary - {}".format(add_password_dictionary.error_message))


main()
```
Example of a file with the password dictionary, additional_pass.conf
```
{
"passwords" : ["malware","malicious","infected","Infected"],
"phrases" : ["password","Password","Pass","pass","codigo","key","pwd","пароль","Пароль","Ключ","ключ","шифр","Шифр"] }
```
Conclusion
This article covers only the basic capabilities of the Python SDK and the cpapi module (as you may have guessed, these are in fact synonyms), and by studying the code of this module you will discover even more possibilities for working with it. You may well want to extend it with your own classes, functions, methods and variables. You can always share your work and look at other scripts for Check Point in the section of the community that brings together developers and users of the product.
Happy coding, and thank you for reading to the end!
Source: www.habr.com
