Check Point R80.10 API. Management via CLI, scripts and more


I am sure that everyone who has ever worked with Check Point has complained about the impossibility of editing the configuration from the command line. This is especially strange for those who previously worked with Cisco ASA, where absolutely everything can be configured in the CLI. With Check Point it is the other way around: all security settings were made exclusively from the graphical interface. But some things are downright inconvenient to do through a GUI (even one as convenient as Check Point's). For example, the task of adding a hundred new hosts or networks turns into a long and tedious procedure. For each object you have to click the mouse several times and type in an IP address. The same goes for creating a group of sites, or enabling/disabling IPS signatures in bulk. In such cases there is a high probability of making a mistake.

A "miracle" happened relatively recently. With the release of the new Gaia version R80, the availability of an API was announced, which opens up wide opportunities for automating configuration, administration, monitoring, and so on. Now you can:

  • create objects;
  • add or edit access lists;
  • enable/disable blades;
  • configure network interfaces;
  • install policies;
  • and much more.

To be honest, I do not understand how this news passed Habr by. In this article we will briefly describe how to use the API and give several practical examples of configuring Check Point with scripts.

I would like to make a reservation right away that the API is used only for the management server. That is, it is still impossible to manage gateways without a management server.

Who can use this API in principle?

  1. System administrators who want to simplify or automate routine Check Point configuration tasks;
  2. Companies that want to integrate Check Point with other solutions (virtualization systems, ticketing systems, configuration management systems, etc.);
  3. System integrators who want to standardize settings or create additional products related to Check Point.

Typical scheme

So, let us consider a typical scheme with Check Point:


As usual, we have a gateway (SG), a management server (SMS) and an admin console (SmartConsole). In this case the usual gateway configuration process looks like this:


That is, first you have to run SmartConsole on the administrator's computer and connect with it to the Management Server (SMS). The security settings are made on the SMS and only then applied (install policy) to the gateway (SG).

When using the Management API, we can essentially skip the first step (launching SmartConsole) and use API commands directly on the Management Server (SMS).

Ways of using the API

There are four main ways of editing the configuration using the API:

1) Using the mgmt_cli utility

Example: # mgmt_cli add host name host1 ip-address 192.168.2.100
This command is run from the Management Server (SMS) command line. I think the command syntax is clear: host1 is created with the address 192.168.2.100.

2) Entering API commands via bash (in expert mode)

Essentially, all you need to do is log in on the command line (mgmt login) under the account that is used when connecting via SmartConsole (or the root account). After that you can enter API commands (in this case there is no need to prefix every command with the mgmt_cli utility). You can write full-fledged BASH scripts. An example of a script that creates a host:

Script

#!/bin/bash

main() {
    clear

    # LOGIN (don't ask for username and password, user is already logged in to the Management server as 'root')
    # The returned session id is saved to a file and passed to every later command with -s
    mgmt_cli login --root true > id_add_host.txt
    on_error_print_and_exit "Error: Failed to login, check that the server is up and running (run 'api status')"

    # READ HOST NAME
    printf "Enter host name:\n"
    read -e host_name
    on_empty_input_print_and_exit "$host_name" "Error: The host's name cannot be empty."

    # READ IP ADDRESS
    printf "\nEnter host IP address:\n"
    read -e ip
    on_empty_input_print_and_exit "$ip" "Error: The host's IP address cannot be empty."

    # CREATE HOST
    printf "Creating new host: %s with IP address: %s\n" "$host_name" "$ip"
    new_host_response=$(mgmt_cli add host name "$host_name" ip-address "$ip" -s id_add_host.txt 2> /dev/null)
    on_error_print_and_exit "Error: Failed to create host object. \n$new_host_response"

    # PUBLISH THE CHANGES
    printf "\nPublishing the changes\n"
    mgmt_cli publish --root true -s id_add_host.txt &> /dev/null
    on_error_print_and_exit "Error: Failed to publish the changes."

    # LOGOUT
    logout

    printf "Done.\n"
}

logout(){
    mgmt_cli logout --root true -s id_add_host.txt &> /dev/null
}

# Must be called directly after the command being checked: $? is its exit status
on_error_print_and_exit(){
    if [ $? -ne 0 ]; then
        handle_error "$1"
    fi
}

handle_error(){
    printf "\n%b\n" "$1" # print error message (%b expands the \n inside the message)
    mgmt_cli discard --root true -s id_add_host.txt &> /dev/null # drop the unpublished changes of this session
    logout
    exit 1
}

on_empty_input_print_and_exit(){
    if [ -z "$1" ]; then
        printf "%b\n" "$2" # print error message
        logout
        exit 0
    fi
}

# Script starts here. Call function "main".
main

If you are interested, you can watch the corresponding video:

3) Via SmartConsole, by opening a CLI window

All you have to do is open a CLI window directly from SmartConsole, as in the picture below.


In this window you can immediately enter API commands.

4) Web Services. Using HTTPS POST requests (REST API)

In our opinion this is one of the most promising methods, because it lets you "build" whole applications on top of management-server management (sorry for the tautology). We will look at this method in a little more detail below.

To summarize:

  1. API + CLI is more suitable for people who are used to Cisco;
  2. API + shell for applying scripts and performing routine tasks;
  3. REST API for automation.

Enabling the API

By default, the API is enabled on management servers with more than 4GB of RAM and on standalone configurations with more than 8GB of RAM. You can check this with the command: api status

If it turns out that the API is disabled, it is very easy to enable it via SmartConsole: Manage & Settings > Blades > Management API > Advanced Settings


Then publish the changes and run the command api restart.

Web requests + Python

To execute API commands you can use web requests, with Python and the requests and json libraries. In general, the structure of a web request consists of three parts:

1) Address

https://<management server>:<port>/web_api/<command>


2) HTTP headers

content-Type: application/json
x-chkp-sid: <session ID token as returned by the login command>


3) Request payload

Text in JSON format containing the various parameters

Example of a function for calling various commands:


import json
import requests

def api_call(ip_addr, port, command, json_payload, sid):
    # https://<management server>:<port>/web_api/<command>
    url = 'https://' + ip_addr + ':' + str(port) + '/web_api/' + command
    if sid == "":
        # no session yet (this is the login call itself)
        request_headers = {'Content-Type': 'application/json'}
    else:
        # every call after login carries the session id in X-chkp-sid
        request_headers = {'Content-Type': 'application/json', 'X-chkp-sid': sid}
    # verify=False skips validation of the management server's certificate
    r = requests.post(url, data=json.dumps(json_payload), headers=request_headers, verify=False)
    return r.json()

'xxx.xxx.xxx.xxx' -> IP address of the GAIA management server
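As an added example (not code from the original article), a variant of api_call that checks the management server's certificate against a CA bundle instead of passing verify=False, and raises on API errors; build_request is split out so the URL and headers can be checked without a live server. The CA bundle path is a placeholder.

```python
import json
import requests


def build_request(ip_addr, port, command, json_payload, sid=""):
    """Return (url, headers, body) for a Management API call.
    The X-chkp-sid header is sent only once a session id exists."""
    url = "https://%s:%d/web_api/%s" % (ip_addr, port, command)
    headers = {"Content-Type": "application/json"}
    if sid:
        headers["X-chkp-sid"] = sid
    return url, headers, json.dumps(json_payload)


def api_call(ip_addr, port, command, json_payload, sid="",
             ca_bundle="/path/to/mgmt-ca.pem"):  # placeholder path (assumption)
    """POST to the Management API, verifying the server certificate against
    ca_bundle (assumed to hold the management server's CA certificate)."""
    url, headers, body = build_request(ip_addr, port, command, json_payload, sid)
    r = requests.post(url, data=body, headers=headers, verify=ca_bundle, timeout=30)
    result = r.json()
    if r.status_code != 200:
        # API failures come back as a JSON object with "code" and "message"
        raise RuntimeError("%s failed: %s (%s)" % (command, result.get("message"),
                                                   result.get("code")))
    return result
```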

Here are a few typical tasks that come up most often when administering Check Point.

1) Example of login and logout functions:

Script


def login():
    payload = {'user': 'your_user', 'password': 'your_password'}
    response = api_call('xxx.xxx.xxx.xxx', 443, 'login', payload, '')
    # the session id returned here is passed as sid to all later calls
    return response["sid"]

def logout(sid):
    response = api_call('xxx.xxx.xxx.xxx', 443, 'logout', {}, sid)
    return response["message"]

2) Enabling blades and configuring networks:

Script


new_gateway_data = {'name': 'CPGleb', 'anti-bot': True, 'anti-virus': True, 'application-control': True, 'ips': True, 'url-filtering': True,
                    'interfaces': [{'name': "eth0", 'topology': 'external', 'ipv4-address': 'xxx.xxx.xxx.xxx', "ipv4-network-mask": "255.255.255.0"},
                                   {'name': "eth1", 'topology': 'internal', 'ipv4-address': 'xxx.xxx.xxx.xxx', "ipv4-network-mask": "255.255.255.0"}]}
new_gateway_result = api_call('xxx.xxx.xxx.xxx', 443, 'set-simple-gateway', new_gateway_data, sid)
print(json.dumps(new_gateway_result))

3) Changing firewall rules:

Script


new_access_data = {'name': 'Cleanup rule', 'layer': 'Network', 'action': 'Accept'}
new_access_result = api_call('xxx.xxx.xxx.xxx', 443, 'set-access-rule', new_access_data, sid)
print(json.dumps(new_access_result))

4) Adding an application layer:

Script


add_access_layer_application = {'name': 'application123', "applications-and-url-filtering": True, "firewall": False}
add_access_layer_application_result = api_call('xxx.xxx.xxx.xxx', 443, 'add-access-layer', add_access_layer_application, sid)
print(json.dumps(add_access_layer_application_result))

set_package_layer = {"name": "Standard", "access": True, "access-layers": {"add": [{"name": "application123", "position": 2}]}, "installation-targets": "CPGleb"}
set_package_layer_result = api_call('xxx.xxx.xxx.xxx', 443, 'set-package', set_package_layer, sid)
print(json.dumps(set_package_layer_result))

5) Publishing and installing the policy, and checking the execution of the command:

Script


publish_result = api_call('xxx.xxx.xxx.xxx', 443, "publish", {}, sid)
print("publish result: " + json.dumps(publish_result))
new_policy = {'policy-package': 'Standard', 'access': True, 'targets': ['CPGleb']}
new_policy_result = api_call('xxx.xxx.xxx.xxx', 443, 'install-policy', new_policy, sid)
print(json.dumps(new_policy_result))

# install-policy runs asynchronously and returns a task id; show-task reports its progress
task_id = new_policy_result["task-id"]
show_task_id = {'task-id': task_id}
show_task = api_call('xxx.xxx.xxx.xxx', 443, 'show-task', show_task_id, sid)
print(json.dumps(show_task))
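A single show-task call right after install-policy usually reports the task as still running. As an added example (not from the original article), the helper below polls show-task until the task reaches a final state and fails loudly if the install did not succeed. It takes any `call(command, payload, sid)` function, for instance a wrapper around api_call; the response fields ("tasks", "status") and the status values are assumed to match the R80.10 API.

```python
import time

# Final states of a task as reported by show-task (assumed per R80.10 API docs)
FINAL_STATES = ("succeeded", "failed", "partially succeeded")


def wait_for_task(call, sid, task_id, poll_seconds=2, max_polls=150):
    """Poll show-task until the task is no longer 'in progress'.
    Returns the finished task dict; raises if it failed or timed out."""
    for _ in range(max_polls):
        response = call("show-task", {"task-id": task_id}, sid)
        tasks = response.get("tasks", [])
        if not tasks:
            raise RuntimeError("show-task returned no task for %s" % task_id)
        task = tasks[0]
        status = task.get("status", "")
        if status in FINAL_STATES:
            if status != "succeeded":
                raise RuntimeError("task %s ended with status '%s'" % (task_id, status))
            return task
        time.sleep(poll_seconds)
    raise RuntimeError("task %s still in progress after %d polls" % (task_id, max_polls))


def install_and_wait(call, sid, package="Standard", targets=("CPGleb",), poll_seconds=2):
    """Publish the session, install the policy package on the targets and
    block until the install task finishes (same flow as step 5 above)."""
    call("publish", {}, sid)
    result = call("install-policy",
                  {"policy-package": package, "access": True, "targets": list(targets)}, sid)
    return wait_for_task(call, sid, result["task-id"], poll_seconds=poll_seconds)
```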

6) Adding a host:

Script


new_host_data = {'name': 'JohnDoePc', 'ip-address': '192.168.0.10'}
new_host_result = api_call('xxx.xxx.xxx.xxx', 443, 'add-host', new_host_data, sid)
print(json.dumps(new_host_result))
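The article's opening complaint was adding a hundred hosts by hand. As an added example (not from the original article), the function below creates hosts from a CSV file with name,ip columns, validating each address and skipping duplicate names before anything is sent, and publishes only if at least one host was created. It takes any `call(command, payload, sid)` function, such as a wrapper around api_call; the CSV content is constructed here.

```python
import csv
import io
import ipaddress

# Constructed sample input: one bad address and one duplicate name
SAMPLE_CSV = """name,ip
JohnDoePc,192.168.0.10
Printer01,192.168.0.300
JohnDoePc,192.168.0.11
Srv01,10.0.0.5
"""


def add_hosts_from_csv(call, sid, csv_text):
    """Create one host object per CSV row (columns: name, ip).
    Returns (created_names, skipped) where skipped holds (name, ip, reason)."""
    created, skipped, seen = [], [], set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = (row.get("name") or "").strip()
        ip = (row.get("ip") or "").strip()
        try:
            addr = ipaddress.ip_address(ip)   # rejects 192.168.0.300 and the like
        except ValueError:
            skipped.append((name, ip, "invalid ip address"))
            continue
        if not name or name in seen:
            skipped.append((name, ip, "empty or duplicate name"))
            continue
        seen.add(name)
        result = call("add-host", {"name": name, "ip-address": str(addr)}, sid)
        if "code" in result:   # API error objects carry "code" and "message"
            skipped.append((name, ip, result.get("message", result["code"])))
        else:
            created.append(name)
    if created:
        call("publish", {}, sid)   # nothing to publish if every row was skipped
    return created, skipped
```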

7) Setting the threat-prevention field of the policy package:

Script


set_package_layer = {'name': 'Standard', 'threat-prevention': True, 'installation-targets': 'CPGleb'}
set_package_layer_result = api_call('xxx.xxx.xxx.xxx', 443, 'set-package', set_package_layer, sid)
print(json.dumps(set_package_layer_result))

8) Viewing the list of sessions:

Script


new_session_data = {'limit': '50', 'offset': '0', 'details-level': 'standard'}
new_session_result = api_call('xxx.xxx.xxx.xxx', 443, 'show-sessions', new_session_data, sid)
print(json.dumps(new_session_result))

9) Creating a new threat profile:

Script


add_threat_profile = {'name': 'Apeiron', "active-protections-performance-impact": "low", "active-protections-severity": "low or above", "confidence-level-medium": "prevent",
                      "confidence-level-high": "prevent", "threat-emulation": True, "anti-virus": True, "anti-bot": True, "ips": True,
                      "ips-settings": {"newly-updated-protections": "staging", "exclude-protection-with-performance-impact": True, "exclude-protection-with-performance-impact-mode": "High or lower"},
                      "overrides": [{"protection": "3Com Network Supervisor Directory Traversal", "capture-packets": True, "action": "Prevent", "track": "Log"},
                                    {"protection": "7-Zip ARJ Archive Handling Buffer Overflow", "capture-packets": True, "action": "Prevent", "track": "Log"}]}
add_threat_profile_result = api_call('xxx.xxx.xxx.xxx', 443, 'add-threat-profile', add_threat_profile, sid)
print(json.dumps(add_threat_profile_result))

10) Changing the action for an IPS signature:

Script


set_threat_protection = {
    "name": "3Com Network Supervisor Directory Traversal",
    "overrides": [{"profile": "Apeiron", "action": "Detect", "track": "Log", "capture-packets": True},
                  {"profile": "Apeiron", "action": "Detect", "track": "Log", "capture-packets": False}]}
set_threat_protection_result = api_call('xxx.xxx.xxx.xxx', 443, 'set-threat-protection', set_threat_protection, sid)
print(json.dumps(set_threat_protection_result))

11) Adding your own service:

Script


add_service_udp = {"name": "Dota2_udp", "port": '27000-27030',
                   "keep-connections-open-after-policy-installation": False,
                   "session-timeout": 0, "match-for-any": True,
                   "sync-connections-on-cluster": True,
                   "aggressive-aging": {"enable": True, "timeout": 360, "use-default-timeout": False},
                   "accept-replies": False}
add_service_udp_results = api_call('xxx.xxx.xxx.xxx', 443, "add-service-udp", add_service_udp, sid)
print(json.dumps(add_service_udp_results))

12) Adding a category, a site, or a group:

Script


add_application_site_category = {"name": "Valve", "description": "Valve Games"}
add_application_site_category_results = api_call('xxx.xxx.xxx.xxx', 443, "add-application-site-category", add_application_site_category, sid)
print(json.dumps(add_application_site_category_results))

add_application_site = {"name": "Dota2", "primary-category": "Valve", "description": "Dotka",
                        "url-list": ["www.dota2.ru"], "urls-defined-as-regular-expression": False}
add_application_site_results = api_call('xxx.xxx.xxx.xxx', 443, "add-application-site", add_application_site, sid)
print(json.dumps(add_application_site_results))

add_application_site_group = {"name": "Games", "members": ["Dota2"]}
add_application_site_group_results = api_call('xxx.xxx.xxx.xxx', 443, "add-application-site-group", add_application_site_group, sid)
print(json.dumps(add_application_site_group_results))

In addition, with the Web API you can add and remove networks, hosts, access roles, and so on. Gateways can be configured: Antivirus, Antibot, IPS, VPN settings. You can even install licenses using the run-script command. All Check Point API commands can be found here.

Check Point API + Postman

It is also convenient to use the Check Point Web API together with Postman. Postman has desktop versions for Windows, Linux and macOS. There is also a plugin for Google Chrome, which is what we will use. First you need to find Postman in the Google Chrome Store and install it:


With this utility we will be able to generate web requests to the Check Point API. So that you do not have to remember all the API commands, you can import so-called collections, which already contain all the necessary commands:


Here you will find the collection for R80.10. After importing, the API command templates become available to us:


In my opinion, this is very convenient. You can quickly start developing applications using the Check Point API.

Check Point + Ansible

I would also like to note that there is an Ansible module for the Check Point API. The module lets you manage configurations, but it is not that convenient for solving exotic tasks. Writing scripts in any programming language gives more flexible and convenient solutions.

Conclusion

This is probably where we will end our brief review of the Check Point API. In my opinion, this feature was long-awaited and very necessary. The appearance of the API opens up very wide opportunities both for system administrators and for system integrators who work with Check Point products. Orchestration, automation, SIEM feedback... all of this is now possible.

P.S. More articles about Check Point can, as always, be found on our Habr blog or in the blog on our website.

P.P.S. For technical questions related to configuring Check Point, you can contact us here.


Do you plan to use the API?

  • 70.6% Yes (12)

  • 23.5% No (4)

  • 5.9% Already using it (1)

17 users voted. 3 users abstained.

Source: www.habr.com