The Python SDK currently supports interaction with the Management API and the Gaia API. In this section we look at the most important classes, methods and variables.
Installing the module
The cpapi module installs quickly and easily from the official Check Point repository on GitHub using pip. Detailed installation instructions are available in README.md. The module is adapted to work with Python versions 2.7 and 3.7. In this article the examples are given for Python 3.7. The Python SDK can also be run directly on the Check Point management server (Smart Management), but that server only supports Python 2.7, so the last section provides code for version 2.7. Right after installing the module, I recommend looking at the examples in the directories examples_python2 and examples_python3.
Getting started
To work with the components of the cpapi module, we need to import at least two required classes from it:
APIClient and APIClientArgs
from cpapi import APIClient, APIClientArgs
The APIClientArgs class is responsible for the parameters of the connection to the API server, and the APIClient class is responsible for interaction with the API.
Defining connection parameters
To define the various parameters for connecting to the API, you need to create an instance of the APIClientArgs class. In principle, its parameters are predefined, and when the script runs on the management server they do not need to be specified.
client_args = APIClientArgs()
But when running on a third-party host, you need to specify the IP address or hostname of the API server (also known as the management server). In the example below, we define the server connection parameter and assign it the IP address of the management server as a string.
Let's look at all the parameters and their default values that can be used when connecting to the API server:
Arguments of the __init__ method of the APIClientArgs class
class APIClientArgs:
    """
    This class provides arguments for APIClient configuration.
    All the arguments are configured with their default values.
    """
    # port is set to None by default, but it gets replaced with 443 if not specified
    # context possible values - web_api (default) or gaia_api
    def __init__(self, port=None, fingerprint=None, sid=None, server="127.0.0.1", http_debug_level=0,
                 api_calls=None, debug_file="", proxy_host=None, proxy_port=8080,
                 api_version=None, unsafe=False, unsafe_auto_accept=False, context="web_api"):
        self.port = port
        # management server fingerprint
        self.fingerprint = fingerprint
        # session-id.
        self.sid = sid
        # management server name or IP-address
        self.server = server
        # debug level
        self.http_debug_level = http_debug_level
        # an array with all the api calls (for debug purposes)
        self.api_calls = api_calls if api_calls else []
        # name of debug file. If left empty, debug data will not be saved to disk.
        self.debug_file = debug_file
        # HTTP proxy server address (without "http://")
        self.proxy_host = proxy_host
        # HTTP proxy port
        self.proxy_port = proxy_port
        # Management server's API version
        self.api_version = api_version
        # Indicates that the client should not check the server's certificate
        self.unsafe = unsafe
        # Indicates that the client should automatically accept and save the server's certificate
        self.unsafe_auto_accept = unsafe_auto_accept
        # The context of using the client - defaults to web_api
        self.context = context
I believe the arguments that can be used in instances of the APIClientArgs class are intuitive to Check Point administrators and need no additional comments.
Connecting via APIClient and the context manager
The best way to use the APIClient class is through a context manager. All that needs to be passed to an instance of the APIClient class is the connection parameters defined in the previous step.
with APIClient(client_args) as client:
The context manager does not automatically make a login call to the API server, but it does make a logout call on exit. If for some reason a logout is not required after you finish working with API calls, start working without the context manager:
client = APIClient(client_args)
Testing the connection
The easiest way to check whether the connection matches the specified parameters is to use the check_fingerprint method. If verification of the sha1 hash sum of the API server certificate's fingerprint fails (the method returns False), this is usually caused by connection problems, and we can stop the program (or give the user a chance to correct the connection data):
if client.check_fingerprint() is False:
    print("Could not get the server's fingerprint - Check connectivity with the server.")
    exit(1)
Please note that from then on the APIClient class checks the sha1 fingerprint of the API server's certificate on every API call (the api_call and api_query methods, which we discuss a little further on). But if an error is detected when checking the sha1 fingerprint of the API server's certificate (the certificate is unknown or has been changed), the check_fingerprint method offers to add or change the information about it on the local machine automatically. This check can be disabled entirely (but this can only be recommended if the scripts run on the API server itself, connecting to 127.0.0.1) using the APIClientArgs argument unsafe_auto_accept (see more about APIClientArgs earlier in "Defining connection parameters").
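The trust decision described above, sketched as an added example (not the SDK's own code and not from the original article): a local pin store, and what changes once fingerprints are accepted automatically. The function names, the dict used as the store and the certificate bytes are constructed for illustration.

```python
import hashlib
import hmac

def sha1_fingerprint(der_cert):
    """Upper-case hex SHA-1 digest of a DER-encoded certificate."""
    return hashlib.sha1(der_cert).hexdigest().upper()

def normalize(fingerprint):
    """Accept 'AA:BB:..', 'aa bb ..' or bare hex and return bare upper-case hex."""
    return "".join(ch for ch in fingerprint if ch not in ": -").upper()

def check_pin(store, server, der_cert, auto_accept=False):
    """Compare the presented certificate with the pin stored for `server`.

    `store` is a dict {server: fingerprint} standing in for the local record.
    Returns 'match', 'unknown', 'changed' or 'auto-accepted'.
    """
    presented = sha1_fingerprint(der_cert)
    stored = store.get(server)
    if stored is not None and hmac.compare_digest(normalize(stored), presented):
        return "match"
    if auto_accept:
        # First contact and a swapped certificate take the same path here,
        # so the caller can no longer tell them apart.
        store[server] = presented
        return "auto-accepted"
    # Without auto-accept the mismatch is surfaced and the store is left alone,
    # so an operator can compare the value out of band before trusting it.
    return "unknown" if stored is None else "changed"

# Constructed byte strings standing in for two different DER certificates.
CERT_A = b"constructed-certificate-A"
CERT_B = b"constructed-certificate-B"

def demo():
    store = {}
    server = "192.168.47.240"
    return [
        check_pin(store, server, CERT_A),
        check_pin(store, server, CERT_A, auto_accept=True),
        check_pin(store, server, CERT_A),
        check_pin(store, server, CERT_B),
        check_pin(store, server, CERT_B, auto_accept=True),
    ]

if __name__ == "__main__":
    print(demo())
```

With auto-accept off, the replaced certificate is reported as 'changed' and the stored pin stays untouched; with it on, the same event is recorded as if it were a first contact.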
APIClient has as many as 3 methods for logging in to the API server, and each of them picks up the sid (session-id) value, which is then used automatically in the header of every subsequent API call (the name of this parameter in the header is X-chkp-sid), so there is no need to process this parameter any further.
The login method
Option using a login and password (in the example, the username and the password 1q2w3e are passed as arguments):
Option using an API key (supported starting from management version R80.40/Management API v1.6; "3TsbPJ8ZKjaJGvFyoFqHFA==" is the API key value for one of the users on the management server with the API key authorization method):
In this case, it may be necessary to change the value of success. Technically, you can put anything there, even an ordinary string. But a realistic example would be resetting this parameter to False under certain conditions. In the example below, there are tasks running on the management server, but we treat the request as unsuccessful (we set the success variable to False, even though the API call itself succeeded and returned code 200).
for task in task_result.data["tasks"]:
    if task["status"] == "failed" or task["status"] == "partially succeeded":
        task_result.set_success_status(False)
        break
response()
The response method lets you view a dictionary with the response code (status_code) and the response body (body).
This is available only when an error occurred while processing the API request (a response code other than 200). Example output:
In [107]: api_versions.error_message
Out[107]: 'code: generic_err_invalid_parameter_name\nmessage: Unrecognized parameter [1]\n'
Useful examples
The following examples use API calls that were added in Management API 1.6.
First, let's look at how the add-host and add-address-range calls work. Suppose we need to create all IP addresses of the 192.168.0.0/24 subnet whose last octet is 5 as host-type objects, and record all the other IP addresses as address-range objects. The subnet address and the broadcast address are excluded.
So, below is a script that solves this problem and creates 50 host-type objects and 51 address-range objects. Solving it takes 101 API calls (not counting the final publish call). Using the timeit module, we also measure the time it takes to run the script up to the point where the changes are published.
Script using add-host and add-address-range
import timeit
from cpapi import APIClient, APIClientArgs
start = timeit.default_timer()
first_ip = 1
last_ip = 4
client_args = APIClientArgs(server="192.168.47.240")
with APIClient(client_args) as client:
    # API key of the lab user described above; keep real keys out of source files
    login = client.login_with_api_key('3TsbPJ8ZKjaJGvFyoFqHFA==')
    # one add-host call per host object: .5, .10, ... .250
    for ip in range(5,255,5):
        add_host = client.api_call("add-host", {"name" : f"h_192.168.0.{ip}", "ip-address": f'192.168.0.{ip}'})
    # one add-address-range call per gap between hosts: .1-.4, .6-.9, ... .251-.254
    while last_ip < 255:
        add_range = client.api_call("add-address-range", {"name": f"r_192.168.0.{first_ip}-{last_ip}", "ip-address-first": f"192.168.0.{first_ip}", "ip-address-last": f"192.168.0.{last_ip}"})
        first_ip+=5
        last_ip+=5
    # stop the timer before publishing
    stop = timeit.default_timer()
    publish = client.api_call("publish")
print(f'Time to execute batch request: {stop - start} seconds')
In my lab environment this script takes between 30 and 50 seconds to run, depending on the load on the management server.
Now let's see how to solve the same problem with the add-objects-batch API call, support for which was added in API version 1.6. This call lets you create many objects at once in a single API request. Moreover, these can be objects of different types (for example, hosts, subnets and address ranges). Our task can therefore be solved within a single API call.
Script using add-objects-batch
import timeit
from cpapi import APIClient, APIClientArgs
start = timeit.default_timer()
client_args = APIClientArgs(server="192.168.47.240")
objects_list_ip = []
objects_list_range = []
# host objects: .5, .10, ... .250
for ip in range(5,255,5):
    data = {"name": f'h_192.168.0.{ip}', "ip-address": f'192.168.0.{ip}'}
    objects_list_ip.append(data)
first_ip = 1
last_ip = 4
# address-range objects for the gaps between hosts
while last_ip < 255:
    data = {"name": f"r_192.168.0.{first_ip}-{last_ip}", "ip-address-first": f"192.168.0.{first_ip}", "ip-address-last": f"192.168.0.{last_ip}"}
    objects_list_range.append(data)
    first_ip+=5
    last_ip+=5
# both object types go into one request body
data_for_batch = {
    "objects" : [ {
        "type" : "host",
        "list" : objects_list_ip
    }, {
        "type" : "address-range",
        "list" : objects_list_range
    }]
}
with APIClient(client_args) as client:
    login = client.login_with_api_key('3TsbPJ8ZKjaJGvFyoFqHFA==')
    add_objects_batch = client.api_call("add-objects-batch", data_for_batch)
    # stop the timer before publishing
    stop = timeit.default_timer()
    publish = client.api_call("publish")
print(f'Time to execute batch request: {stop - start} seconds')
Running this script in my lab takes 3 to 7 seconds, depending on the load on the management server. That is, on average, for 101 API objects, the batch-type call runs 10 times faster. With a larger number of objects the difference will be even more impressive.
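The scripts above publish without looking at the result of the batch call. The following added example (not from the original article) generalizes the payload construction to any IPv4 subnet and step, and publishes only when every task in the batch response succeeded, discarding the session's changes otherwise; build_batch, apply_batch and the FakeClient stand-in are hypothetical names, and the shape of the response (a "tasks" list with a "status" per task) is assumed from the task_result snippet earlier on the page.

```python
import ipaddress

def build_batch(subnet, step=5):
    """Build an add-objects-batch payload: a host at every `step`-th offset in
    the subnet and one address range for each run of addresses in between."""
    net = ipaddress.ip_network(subnet)
    hosts, ranges, gap = [], [], []

    def flush():
        if gap:
            last_octet = str(gap[-1]).rsplit(".", 1)[-1]
            ranges.append({"name": f"r_{gap[0]}-{last_octet}",
                           "ip-address-first": str(gap[0]),
                           "ip-address-last": str(gap[-1])})
            gap.clear()

    # hosts() already leaves out the subnet and broadcast addresses
    for addr in net.hosts():
        if (int(addr) - int(net.network_address)) % step == 0:
            flush()
            hosts.append({"name": f"h_{addr}", "ip-address": str(addr)})
        else:
            gap.append(addr)
    flush()
    return {"objects": [{"type": "host", "list": hosts},
                        {"type": "address-range", "list": ranges}]}

def apply_batch(client, payload):
    """Send the batch; publish only if every task succeeded, otherwise discard."""
    result = client.api_call("add-objects-batch", payload)
    statuses = [task.get("status") for task in (result.data or {}).get("tasks", [])]
    failed = [s for s in statuses if s in ("failed", "partially succeeded")]
    if not result.success or failed:
        client.api_call("discard")   # drop the session's unpublished changes
        return False
    return client.api_call("publish").success

class FakeResponse:
    def __init__(self, success=True, data=None):
        self.success, self.data = success, data or {}

class FakeClient:
    """Constructed stand-in for APIClient so the example runs offline."""
    def __init__(self, batch_tasks):
        self.batch_tasks, self.calls = batch_tasks, []

    def api_call(self, command, payload=None):
        self.calls.append(command)
        if command == "add-objects-batch":
            return FakeResponse(data={"tasks": self.batch_tasks})
        return FakeResponse()
```

With a real session, pass the logged-in APIClient instance to apply_batch in place of FakeClient.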
Now let's see how to work with set-objects-batch. With this API call we can make changes in bulk. Let's set the first half of the addresses from the previous example (up to .124, hosts and ranges alike) to the sienna color, and assign the khaki color to the second half of the addresses.
Changing the color of the objects created in the previous example
from cpapi import APIClient, APIClientArgs
client_args = APIClientArgs(server="192.168.47.240")
objects_list_ip_first = []
objects_list_range_first = []
objects_list_ip_second = []
objects_list_range_second = []
# hosts .5 to .120 become sienna
for ip in range(5,125,5):
    data = {"name": f'h_192.168.0.{ip}', "color": "sienna"}
    objects_list_ip_first.append(data)
# hosts .125 to .250 become khaki
for ip in range(125,255,5):
    data = {"name": f'h_192.168.0.{ip}', "color": "khaki"}
    objects_list_ip_second.append(data)
first_ip = 1
last_ip = 4
# ranges up to .121-.124 become sienna
while last_ip < 125:
    data = {"name": f"r_192.168.0.{first_ip}-{last_ip}", "color": "sienna"}
    objects_list_range_first.append(data)
    first_ip+=5
    last_ip+=5
# the remaining ranges (.126-.129 onwards) become khaki
while last_ip < 255:
    data = {"name": f"r_192.168.0.{first_ip}-{last_ip}", "color": "khaki"}
    objects_list_range_second.append(data)
    first_ip+=5
    last_ip+=5
data_for_batch_first = {
    "objects" : [ {
        "type" : "host",
        "list" : objects_list_ip_first
    }, {
        "type" : "address-range",
        "list" : objects_list_range_first
    }]
}
data_for_batch_second = {
    "objects" : [ {
        "type" : "host",
        "list" : objects_list_ip_second
    }, {
        "type" : "address-range",
        "list" : objects_list_range_second
    }]
}
with APIClient(client_args) as client:
    login = client.login_with_api_key('3TsbPJ8ZKjaJGvFyoFqHFA==')
    set_objects_batch_first = client.api_call("set-objects-batch", data_for_batch_first)
    set_objects_batch_second = client.api_call("set-objects-batch", data_for_batch_second)
    publish = client.api_call("publish")
You can delete multiple objects in a single API call using delete-objects-batch. Now let's look at a code example that deletes all the hosts created earlier via add-objects-batch.
from cpapi import APIClient, APIClientArgs
client_args = APIClientArgs(server="192.168.47.240")
objects_list_ip = []
objects_list_range = []
# objects are addressed by name only
for ip in range(5,255,5):
    data = {"name": f'h_192.168.0.{ip}'}
    objects_list_ip.append(data)
first_ip = 1
last_ip = 4
while last_ip < 255:
    data = {"name": f"r_192.168.0.{first_ip}-{last_ip}"}
    objects_list_range.append(data)
    first_ip+=5
    last_ip+=5
data_for_batch = {
    "objects" : [ {
        "type" : "host",
        "list" : objects_list_ip
    }, {
        "type" : "address-range",
        "list" : objects_list_range
    }]
}
with APIClient(client_args) as client:
    login = client.login_with_api_key('3TsbPJ8ZKjaJGvFyoFqHFA==')
    delete_objects_batch = client.api_call("delete-objects-batch", data_for_batch)
    publish = client.api_call("publish")
print(delete_objects_batch.data)
All functions that appear in new releases of Check Point software immediately get API calls. For instance, "features" such as Revert to revision and Smart Task appeared in R80.40, and the corresponding API calls were prepared for them right away. In addition, all functionality that moves from Legacy to Unified Policy mode also gets API support. For example, a long-awaited change in software version R80.40 was the move of the HTTPS Inspection policy from Legacy to Unified Policy mode, and this functionality immediately received API calls. Here is an example of code that adds a rule at the top position of the HTTPS Inspection policy that excludes 3 categories from inspection (Health, Finance, Government Services), which the law in a number of countries prohibits from being inspected.
Running Python scripts on the Check Point management server
The same README.md contains information on how to run Python scripts directly on the management server. This can be convenient when you cannot connect to the API server from another machine. I recorded a six-minute video in which I look at installing the cpapi module and at the specifics of running Python scripts on the management server. As an example, a script is run that automates the configuration of a new gateway for a task such as the Security CheckUp network audit. Among the specifics I had to deal with: the input function, in its Python 3 form, has not yet appeared in Python 2.7, so the raw_input function is used to process what the user enters. Otherwise the code is the same as for running from other machines, except that it is more convenient to use the login_as_root function, so as not to specify your own username, password and the IP address of the management server again.
from __future__ import print_function
import getpass
import sys, os
sys.path.append(os.path.abspath(os.path.join(os.path.dirname(__file__), '..')))
from cpapi import APIClient, APIClientArgs
def main():
    with APIClient() as client:
        # if client.check_fingerprint() is False:
        #     print("Could not get the server's fingerprint - Check connectivity with the server.")
        #     exit(1)
        login_res = client.login_as_root()
        if login_res.success is False:
            print("Login failed:\n{}".format(login_res.error_message))
            exit(1)
        gw_name = raw_input("Enter the gateway name:")
        gw_ip = raw_input("Enter the gateway IP address:")
        # hide the SIC one-time password when a terminal is attached
        if sys.stdin.isatty():
            sic = getpass.getpass("Enter one-time password for the gateway(SIC): ")
        else:
            print("Attention! Your password will be shown on the screen!")
            sic = raw_input("Enter one-time password for the gateway(SIC): ")
        version = raw_input("Enter the gateway version(like RXX.YY):")
        add_gw = client.api_call("add-simple-gateway", {
            'name' : gw_name, 'ipv4-address' : gw_ip, 'one-time-password' : sic,
            'version': version.capitalize(), 'application-control' : 'true',
            'url-filtering' : 'true', 'ips' : 'true', 'anti-bot' : 'true',
            'anti-virus' : 'true', 'threat-emulation' : 'true'})
        if add_gw.success and add_gw.data['sic-state'] != "communicating":
            print("Secure connection with the gateway hasn't established!")
            exit(1)
        elif add_gw.success:
            print("The gateway was added successfully.")
            gw_uid = add_gw.data['uid']
            gw_name = add_gw.data['name']
        else:
            print("Failed to add the gateway - {}".format(add_gw.error_message))
            exit(1)
        change_policy = client.api_call("set-access-layer", {"name" : "Network", "applications-and-url-filtering": "true", "content-awareness": "true"})
        if change_policy.success:
            print("The policy has been changed successfully")
        else:
            print("Failed to change the policy- {}".format(change_policy.error_message))
        change_rule = client.api_call("set-access-rule", {"name" : "Cleanup rule", "layer" : "Network", "action": "Accept", "track": {"type": "Detailed Log", "accounting": "true"}})
        if change_rule.success:
            print("The cleanup rule has been changed successfully")
        else:
            print("Failed to change the cleanup rule- {}".format(change_rule.error_message))
        # publish the result
        publish_res = client.api_call("publish", {})
        if publish_res.success:
            print("The changes were published successfully.")
        else:
            print("Failed to publish the changes - {}".format(publish_res.error_message))
        install_access_policy = client.api_call("install-policy", {"policy-package" : "Standard", "access" : 'true', "threat-prevention" : 'false', "targets" : gw_uid})
        if install_access_policy.success:
            print("The access policy has been installed")
        else:
            print("Failed to install access policy - {}".format(install_access_policy.error_message))
        install_tp_policy = client.api_call("install-policy", {"policy-package" : "Standard", "access" : 'false', "threat-prevention" : 'true', "targets" : gw_uid})
        if install_tp_policy.success:
            print("The threat prevention policy has been installed")
        else:
            print("Failed to install threat prevention policy - {}".format(install_tp_policy.error_message))
        # add passwords and passphrases to dictionary
        # each line is pasted into a shell command that runs on the gateway,
        # so additional_pass.conf must hold trusted content only
        with open('additional_pass.conf') as f:
            line_num = 0
            for line in f:
                line_num += 1
                add_password_dictionary = client.api_call("run-script", {"script-name" : "Add passwords and passphrases", "script" : "printf \"{}\" >> $FWDIR/conf/additional_pass.conf".format(line), "targets" : gw_name})
                if add_password_dictionary.success:
                    print("The password dictionary line {} was added successfully".format(line_num))
                else:
                    print("Failed to add the dictionary - {}".format(add_password_dictionary.error_message))
main()
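The run-script call at the end of the script above pastes each dictionary line between double quotes in a shell command, so a passphrase containing quotes, $ or % does not reach the file unchanged. This added example (not part of the original script) builds the command both ways and runs each in a local sh with a scratch FWDIR; the helper names, the sample line and the use of a local shell in place of the gateway are assumptions.

```python
import os
import shutil
import subprocess
import tempfile

try:
    from shlex import quote      # Python 3.3+
except ImportError:
    from pipes import quote      # Python 2.7, as on the management server

TARGET = "$FWDIR/conf/additional_pass.conf"

def naive_command(line):
    """The pattern from the script above: the line sits between double quotes."""
    return 'printf "{}" >> {}'.format(line, TARGET)

def quoted_command(line):
    """Pass the line as one single-quoted argument to a fixed '%s' format."""
    return "printf '%s\\n' {} >> \"{}\"".format(quote(line.rstrip("\n")), TARGET)

def run_locally(command):
    """Run `command` with sh in a scratch FWDIR; return what reached the file."""
    fwdir = tempfile.mkdtemp()
    try:
        os.mkdir(os.path.join(fwdir, "conf"))
        env = {"FWDIR": fwdir, "HOME": "/constructed-home",
               "PATH": os.environ.get("PATH", "/usr/bin:/bin")}
        with open(os.devnull, "w") as null:
            subprocess.call(["sh", "-c", command], env=env, stdout=null, stderr=null)
        path = os.path.join(fwdir, "conf", "additional_pass.conf")
        if not os.path.exists(path):
            return ""            # the shell never got as far as the redirect
        with open(path) as f:
            return f.read()
    finally:
        shutil.rmtree(fwdir)

# Constructed dictionary line with characters the shell and printf treat specially.
SAMPLE = 'p@ss"word $HOME 100%s\n'

if __name__ == "__main__":
    print(repr(run_locally(naive_command(SAMPLE))))
    print(repr(run_locally(quoted_command(SAMPLE))))
```

The string returned by quoted_command can be used as the "script" value of the run-script call in place of the double-quoted form.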