Check Point R80.10 API. Management via CLI, scripts and more

I'm sure that everyone who has ever worked with Check Point has complained about the impossibility of changing the configuration from the command line. This is especially odd for those who have previously worked with Cisco ASA, where literally everything can be configured in the CLI. With Check Point it is the other way around: all security settings were made exclusively from the graphical interface. However, some things are simply inconvenient to do through a GUI (even one as good as Check Point's). For example, adding 100 new hosts or networks turns into a long and tedious procedure. For each object you have to click the mouse several times and type in an IP address. The same goes for creating a site group or bulk enabling/disabling IPS signatures. The chance of making a mistake along the way is high.

A "miracle" happened recently. With the release of the new Gaia R80 version, API support was announced, which opens up wide possibilities for automating configuration, administration, monitoring and so on. Now you can:

  • create objects;
  • add or edit access lists;
  • enable/disable blades;
  • configure network interfaces;
  • install policy;
  • and much more.

Frankly, I don't understand how this news slipped past Habr. In this article we will briefly describe how to use the API and give a few practical examples of configuring Check Point with scripts.

I want to point out right away that the API runs on the Management server. That is, it is still impossible to manage gateways without a Management server.

Who can use this API?

  1. System administrators who want to simplify or automate routine Check Point configuration tasks;
  2. Companies that want to integrate Check Point with other solutions (virtualization systems, ticketing systems, configuration management systems, etc.);
  3. System integrators who want to standardize settings or build additional products around Check Point.

Typical scheme

So, let's imagine a typical scheme with Check Point:

As usual, we have a gateway (SG), a management server (SMS) and an administrator console (SmartConsole). In this case, the usual gateway configuration process looks like this:

That is, first you need to launch SmartConsole on the administrator's computer, which connects to the Management server (SMS). Security settings are made on the SMS and then applied (install policy) to the gateway (SG).

When using the Management API, we can skip the first step (launching SmartConsole) and send API commands directly to the Management server (SMS).

Ways of using the API

There are four main ways to change the configuration using the API:

1) Using mgmt_cli

Example: # mgmt_cli add host name host1 ip-address 192.168.2.100
This command is run from the command line of the Management Server (SMS). I think the command syntax is clear: host1 is created with the address 192.168.2.100.

2) Entering API commands via clish (in expert mode)

Essentially, all you need to do is log in to the command line (mgmt login) under the account that is used to connect via SmartConsole (or the root account). Then you can enter API commands (in this case there is no need to prefix each command with the mgmt_cli utility). You can write full-fledged BASH scripts. An example of a script that creates a host:

Bash script

#!/bin/bash

main() {
    clear

    #LOGIN (don't ask for username and password, user is already logged in to Management server as 'root' user)
    mgmt_cli login --root true > id_add_host.txt
    on_error_print_and_exit "Error: Failed to login, check that the server is up and running (run 'api status')"

    #READ HOST NAME
    printf "Enter host name:\n"
    read -e host_name
    on_empty_input_print_and_exit "$host_name" "Error: The host's name cannot be empty."

    #READ IP ADDRESS
    printf "\nEnter host IP address:\n"
    read -e ip
    on_empty_input_print_and_exit "$ip" "Error: The host's IP address cannot be empty."

    #CREATE HOST
    printf "Creating new host: %s with IP address: %s\n" "$host_name" "$ip"
    new_host_response=$(mgmt_cli add host name "$host_name" ip-address "$ip" -s id_add_host.txt 2> /dev/null)
    on_error_print_and_exit "Error: Failed to create host object. \n$new_host_response"

    #PUBLISH THE CHANGES
    printf "\nPublishing the changes\n"
    mgmt_cli publish --root true -s id_add_host.txt &> /dev/null
    on_error_print_and_exit "Error: Failed to publish the changes."

    #LOGOUT
    logout

    printf "Done.\n"
}

logout(){
    mgmt_cli logout --root true -s id_add_host.txt &> /dev/null
}

on_error_print_and_exit(){
    # $? still holds the exit status of the mgmt_cli call made right before this function
    if [ $? -ne 0 ]; then
        handle_error "$1"
    fi
}

handle_error(){
    printf "\n$1\n" #print error message, then roll back the unpublished session
    mgmt_cli discard --root true -s id_add_host.txt &> /dev/null
    logout
    exit 1
}

on_empty_input_print_and_exit(){
    if [ -z "$1" ]; then
        printf "$2\n" #print error message
        logout
        exit 0
    fi
}

# Script starts here. Call function "main".
main

If you wish, you can watch the corresponding video:

3) Via SmartConsole, by opening a CLI window

All you need to do is open a CLI window directly from SmartConsole, as shown in the picture below.

In this window you can immediately start entering API commands.

4) Web services. Using HTTPS POST requests (REST API)

In our opinion, this is one of the most promising methods, because it allows you to "build" entire applications based on management server management (sorry for the tautology). We will look at this method in more detail below.

In short:

  1. API + CLI is great for people used to Cisco;
  2. API + shell for writing scripts and performing routine tasks;
  3. REST API for automation.

Enabling the API

By default, the API is enabled on management servers with more than 4GB of RAM and on standalone configurations with 8GB of RAM. You can check its status with the command: api status

If it turns out that the API is disabled, the easiest way to enable it is via SmartConsole: Manage & Settings > Blades > Management API > Advanced Settings

Then publish the changes and run the api restart command.

Web requests + Python

To send API commands you can use web requests from Python with the requests and json libraries. In general, a web request consists of three parts:

1) Address

(https://<management server>:<port>/web_api/<command>)


2) HTTP headers

Content-Type: application/json
x-chkp-sid: <session ID token as returned by the login command>


3) Request payload

Text in JSON format with various parameters

Example of a function for calling various commands:


import json
import requests

def api_call(ip_addr, port, command, json_payload, sid):
    url = 'https://' + ip_addr + ':' + str(port) + '/web_api/' + command
    if sid == "":
        # only the login call is made without a session token
        request_headers = {'Content-Type': 'application/json'}
    else:
        request_headers = {'Content-Type': 'application/json', 'X-chkp-sid': sid}
    # verify=False accepts the server's self-signed certificate without checking it;
    # in production point verify at the management server's CA bundle instead
    r = requests.post(url, data=json.dumps(json_payload), headers=request_headers, verify=False)
    return r.json()

'xxx.xxx.xxx.xxx' -> IP address of the Gaia management server

Here are a few functions that you will encounter most often when managing Check Point.

1) Example of login and logout functions:

Scripts


def login():
    payload = {'user': 'your_user', 'password': 'your_password'}
    response = api_call('xxx.xxx.xxx.xxx', 443, 'login', payload, '')
    return response["sid"]

def logout(sid):
    response = api_call('xxx.xxx.xxx.xxx', 443, 'logout', {}, sid)
    return response["message"]

sid = login()   # session token used by all the calls below

2) Enabling blades and configuring networks:

Scripts


new_gateway_data = {'name': 'CPGleb', 'anti-bot': True, 'anti-virus': True, 'application-control': True,
                    'ips': True, 'url-filtering': True,
                    'interfaces': [{'name': "eth0", 'topology': 'external', 'ipv4-address': 'xxx.xxx.xxx.xxx', "ipv4-network-mask": "255.255.255.0"},
                                   {'name': "eth1", 'topology': 'internal', 'ipv4-address': 'xxx.xxx.xxx.xxx', "ipv4-network-mask": "255.255.255.0"}]}
new_gateway_result = api_call('xxx.xxx.xxx.xxx', 443, 'set-simple-gateway', new_gateway_data, sid)
print(json.dumps(new_gateway_result))

3) Changing firewall rules:

Scripts


new_access_data = {'name': 'Cleanup rule', 'layer': 'Network', 'action': 'Accept'}
new_access_result = api_call('xxx.xxx.xxx.xxx', 443, 'set-access-rule', new_access_data, sid)
print(json.dumps(new_access_result))

4) Adding an application layer:

Scripts


add_access_layer_application = {'name': 'application123', "applications-and-url-filtering": True, "firewall": False}
add_access_layer_application_result = api_call('xxx.xxx.xxx.xxx', 443, 'add-access-layer', add_access_layer_application, sid)
print(json.dumps(add_access_layer_application_result))

set_package_layer = {"name": "Standard", "access": True,
                     "access-layers": {"add": [{"name": "application123", "position": 2}]},
                     "installation-targets": "CPGleb"}
set_package_layer_result = api_call('xxx.xxx.xxx.xxx', 443, 'set-package', set_package_layer, sid)
print(json.dumps(set_package_layer_result))

5) Publishing and installing the policy, checking the execution of the command (task-id):

Scripts


publish_result = api_call('xxx.xxx.xxx.xxx', 443, "publish", {}, sid)
print("publish result: " + json.dumps(publish_result))
new_policy = {'policy-package': 'Standard', 'access': True, 'targets': ['CPGleb']}
new_policy_result = api_call('xxx.xxx.xxx.xxx', 443, 'install-policy', new_policy, sid)
print(json.dumps(new_policy_result))

# install-policy is asynchronous: it returns a task-id that show-task reports on
task_id = new_policy_result["task-id"]
show_task_id = {'task-id': task_id}
show_task = api_call('xxx.xxx.xxx.xxx', 443, 'show-task', show_task_id, sid)
print(json.dumps(show_task))

6) Adding a host:

Scripts


new_host_data = {'name': 'JohnDoePc', 'ip-address': '192.168.0.10'}
new_host_result = api_call('xxx.xxx.xxx.xxx', 443, 'add-host', new_host_data, sid)
print(json.dumps(new_host_result))

7) Adding a Threat Prevention layer:

Scripts


set_package_layer = {'name': 'Standard', 'threat-prevention': True, 'installation-targets': 'CPGleb'}
set_package_layer_result = api_call('xxx.xxx.xxx.xxx', 443, 'set-package', set_package_layer, sid)
print(json.dumps(set_package_layer_result))

8) Viewing the list of sessions:

Scripts


new_session_data = {'limit': '50', 'offset': '0', 'details-level': 'standard'}
new_session_result = api_call('xxx.xxx.xxx.xxx', 443, 'show-sessions', new_session_data, sid)
print(json.dumps(new_session_result))

9) Creating a new Threat Prevention profile:

Scripts


add_threat_profile = {'name': 'Apeiron', "active-protections-performance-impact": "low", "active-protections-severity": "low or above",
                      "confidence-level-medium": "prevent", "confidence-level-high": "prevent",
                      "threat-emulation": True, "anti-virus": True, "anti-bot": True, "ips": True,
                      "ips-settings": {"newly-updated-protections": "staging", "exclude-protection-with-performance-impact": True,
                                       "exclude-protection-with-performance-impact-mode": "High or lower"},
                      "overrides": [{"protection": "3Com Network Supervisor Directory Traversal", "capture-packets": True, "action": "Prevent", "track": "Log"},
                                    {"protection": "7-Zip ARJ Archive Handling Buffer Overflow", "capture-packets": True, "action": "Prevent", "track": "Log"}]}
add_threat_profile_result = api_call('xxx.xxx.xxx.xxx', 443, 'add-threat-profile', add_threat_profile, sid)
print(json.dumps(add_threat_profile_result))

10) Changing the action of an IPS signature:

Scripts


set_threat_protection = {
    "name": "3Com Network Supervisor Directory Traversal",
    "overrides": [{"profile": "Apeiron", "action": "Detect", "track": "Log", "capture-packets": True},
                  {"profile": "Apeiron", "action": "Detect", "track": "Log", "capture-packets": False}]}
set_threat_protection_result = api_call('xxx.xxx.xxx.xxx', 443, 'set-threat-protection', set_threat_protection, sid)
print(json.dumps(set_threat_protection_result))

11) Adding your own service:

Scripts


add_service_udp = {"name": "Dota2_udp", "port": '27000-27030',
                   "keep-connections-open-after-policy-installation": False,
                   "session-timeout": 0, "match-for-any": True,
                   "sync-connections-on-cluster": True,
                   "aggressive-aging": {"enable": True, "timeout": 360, "use-default-timeout": False},
                   "accept-replies": False}
add_service_udp_results = api_call('xxx.xxx.xxx.xxx', 443, "add-service-udp", add_service_udp, sid)
print(json.dumps(add_service_udp_results))

12) Adding an application category, site or group:

Scripts


add_application_site_category = {"name": "Valve", "description": "Valve Games"}
add_application_site_category_results = api_call('xxx.xxx.xxx.xxx', 443, "add-application-site-category", add_application_site_category, sid)
print(json.dumps(add_application_site_category_results))

add_application_site = {"name": "Dota2", "primary-category": "Valve", "description": "Dotka",
                        "url-list": ["www.dota2.ru"], "urls-defined-as-regular-expression": False}
add_application_site_results = api_call('xxx.xxx.xxx.xxx', 443, "add-application-site", add_application_site, sid)
print(json.dumps(add_application_site_results))

add_application_site_group = {"name": "Games", "members": ["Dota2"]}
add_application_site_group_results = api_call('xxx.xxx.xxx.xxx', 443, "add-application-site-group", add_application_site_group, sid)
print(json.dumps(add_application_site_group_results))

Also, with the help of the Web API you can add and remove networks, hosts, access roles, and so on. Blades can be configured: Antivirus, Antibot, IPS, VPN. It is even possible to install licenses using the run-script command. All Check Point API commands can be found here.

Check Point API + Postman

It is also convenient to use the Check Point Web API together with Postman. Postman has desktop versions for Windows, Linux and MacOS. In addition, there is a plugin for Google Chrome, which is what we will use. First you need to find Postman in the Google Chrome Store and install it:

Using this utility, we can make web requests to the Check Point API. So that you don't have to memorize all the API commands, it is possible to import so-called collections (templates), which already contain all the necessary commands:

The collection for R80.10 can be found here. After importing, the API command templates become available to us:

In my opinion, this is very convenient. You can quickly start developing applications using the Check Point API.

Check Point + Ansible

I would also like to note that there is an Ansible module for the Check Point API. The module lets you manage the configuration, but it is not very convenient for solving non-standard tasks. Writing scripts in any programming language gives more flexible and convenient solutions.

Conclusion

This concludes our brief review of the Check Point API. In my opinion, this feature was long-awaited and very necessary. The appearance of the API opens up very wide possibilities for both system administrators and system integrators working with Check Point products. Orchestration, automation, SIEM feedback... all of this is now possible.

P.S. As always, more articles about Check Point can be found on our Habr blog or on the blog on our website.

P.P.S. For technical questions related to configuring Check Point, you can contact us here.
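Pulling the snippets above together, here is an added example (my code, not from the original article or from Check Point) of the REST flow as a small session wrapper: login, bulk add-host for the "100 new hosts" case from the introduction, publish, install-policy, and polling show-task until the task leaves the "in progress" state, with discard and logout on any failure. The hostname, credentials and the FakeSms responses are constructed; the transport contract is transport(url, data, headers, verify) -> (HTTP status, decoded JSON body), so against a real server you pass a short function around requests.post that returns (r.status_code, r.json()) and a verify path to the management server's CA bundle.

```python
import json
import time

class MgmtApi:
    def __init__(self, host, transport, port=443, verify=True):
        self.base = "https://%s:%d/web_api/" % (host, port)
        self.transport, self.verify, self.sid = transport, verify, None
    def call(self, command, payload):
        headers = {"Content-Type": "application/json"}
        if self.sid:                                  # every call after login carries the session token
            headers["X-chkp-sid"] = self.sid
        status, body = self.transport(self.base + command, json.dumps(payload), headers, self.verify)
        if status != 200:                             # the API returns errors as JSON with a "message"
            raise RuntimeError("%s failed: %s" % (command, body.get("message", body)))
        return body
    def add_hosts(self, hosts):                       # hosts: {name: ip}; returns the uid of each object
        return [self.call("add-host", {"name": n, "ip-address": ip})["uid"] for n, ip in hosts.items()]
    def publish_and_install(self, package, targets, poll=2.0, max_polls=150):
        self.call("publish", {})
        task = self.call("install-policy", {"policy-package": package, "access": True, "targets": targets})
        for _ in range(max_polls):                    # show-task says "in progress" until the install ends
            state = self.call("show-task", {"task-id": task["task-id"]})["tasks"][0]["status"]
            if state != "in progress":
                return state
            time.sleep(poll)
        raise TimeoutError("install-policy task %s did not finish" % task["task-id"])
    def close(self, discard=False):                   # discard=True first drops unpublished changes
        for cmd in (["discard"] if discard else []) + ["logout"]:
            self.call(cmd, {})

class FakeSms:                                        # constructed offline stand-in for the management server
    polls = 0
    def __call__(self, url, data, headers, verify):
        cmd, name = url.rsplit("/", 1)[1], json.loads(data).get("name", "")
        self.polls += cmd == "show-task"              # first poll still running, second one finished
        return 200, {"login": {"sid": "SID1"}, "add-host": {"uid": "uid-" + name},
                     "install-policy": {"task-id": "task-42"},
                     "show-task": {"tasks": [{"status": "succeeded" if self.polls > 1 else "in progress"}]}}.get(cmd, {})

def demo(transport=None):
    api = MgmtApi("mgmt.example.internal", transport or FakeSms())
    try:
        api.sid = api.call("login", {"user": "api_user", "password": "secret"})["sid"]   # constructed credentials
        uids = api.add_hosts({"web%02d" % i: "10.0.0.%d" % i for i in range(1, 4)})
        state = api.publish_and_install("Standard", ["CPGleb"], poll=0)
    except Exception:
        api.close(discard=True)                       # never leave half-applied changes in the session
        raise
    api.close()
    return uids, state
```

demo() against FakeSms returns the three new uids and "succeeded"; with a requests-based transport the same code runs against an R80.10 management server.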

Are you planning to use the API?

  • 70.6% Yes (12)
  • 23.5% No (4)
  • 5.9% Already using it (1)

17 users voted. 3 users abstained.

Source: www.habr.com