Check Point R80.10 API. Management via CLI, scripts and more


I am sure that everyone who has ever worked with Check Point has complained about the inability to edit the configuration from the command line. This is especially surprising for those who have worked with Cisco ASA, where absolutely everything can be configured in the CLI. With Check Point it is the other way around: all security settings are made exclusively from the graphical interface. However, some things are simply inconvenient to do through the GUI (even one as convenient as Check Point's). For example, adding 100 new hosts or networks turns into a long and tedious procedure: for every object you have to click the mouse several times and type in the IP address. The same goes for creating a site group or bulk enabling/disabling IPS signatures. In such cases the chance of making a mistake is high.

The "miracle" happened not so long ago. With the release of the new version Gaia R80, the ability to use the API was announced, which opens up broad possibilities for automating configuration, administration, monitoring and more. Now you can:

  • create objects;
  • add or edit access lists;
  • enable/disable blades;
  • configure network interfaces;
  • install policies;
  • and much more.

Honestly, I do not understand how this news passed Habr by. In this article we will briefly describe how to use the API and give several practical examples of configuring Check Point with scripts.

I want to make a reservation right away: the API is used only on the Management server. In other words, it is impossible to manage gateways without a Management server.

Who can use this API in principle?

  1. System administrators who want to simplify or automate routine Check Point configuration tasks;
  2. Companies that want to integrate Check Point with other solutions (virtualization systems, ticketing systems, configuration management systems, etc.);
  3. System integrators who want to standardize configurations or build other products related to Check Point.

Typical scheme

So, let's consider a typical Check Point scheme:


As always we have a gateway (SG), a management server (SMS) and an admin console (SmartConsole). In this case the usual gateway configuration process looks like this:


That is, first you need to launch SmartConsole on the administrator's computer and connect with it to the Management server (SMS). Security settings are made on the SMS and only then applied (install policy) to the gateway (SG).

When using the Management API, we can skip the first step (launching SmartConsole) and send API commands directly to the Management server (SMS).

Ways to use the API

There are four main ways to make configuration changes using the API:

1) Using the mgmt_cli utility

Example: # mgmt_cli add host name host1 ip-address 192.168.2.100
This command is run from the Management Server (SMS) command line. I think the command syntax is clear: host1 is created with the address 192.168.2.100.

2) Entering API commands via clish (in expert mode)

Essentially, all you need to do is log in at the command line (mgmt login) under the account that is used when connecting via SmartConsole (or the root account). Then you can enter API commands (in this case there is no need to put the mgmt_cli utility in front of every command). You can also write full-fledged BASH scripts. An example of a script that creates a host:

Bash script

#!/bin/bash

main() {
    clear

    # LOGIN (no username/password prompt: the script runs on the Management server as 'root')
    mgmt_cli login --root true > id_add_host.txt
    on_error_print_and_exit "Error: Failed to login, check that the server is up and running (run 'api status')"

    # READ HOST NAME
    printf "Enter host name:\n"
    read -e host_name
    on_empty_input_print_and_exit "$host_name" "Error: The host's name cannot be empty."

    # READ IP ADDRESS
    printf "\nEnter host IP address:\n"
    read -e ip
    on_empty_input_print_and_exit "$ip" "Error: The host's IP address cannot be empty."

    # CREATE HOST (the session file written by login is passed with -s)
    printf "Creating new host: %s with IP address: %s\n" "$host_name" "$ip"
    new_host_response=$(mgmt_cli add host name "$host_name" ip-address "$ip" -s id_add_host.txt 2> /dev/null)
    on_error_print_and_exit "Error: Failed to create host object. \n$new_host_response"

    # PUBLISH THE CHANGES
    printf "\nPublishing the changes\n"
    mgmt_cli publish --root true -s id_add_host.txt &> /dev/null
    on_error_print_and_exit "Error: Failed to publish the changes."

    # LOGOUT
    logout

    printf "Done.\n"
}

logout(){
    mgmt_cli logout --root true -s id_add_host.txt &> /dev/null
}

# Must be called directly after the command it checks: it inspects that command's exit status ($?)
on_error_print_and_exit(){
    if [ $? -ne 0 ]; then
        handle_error "$1"
    fi
}

handle_error(){
    printf "\n%b\n" "$1"   # print error message (%b expands the \n inside the message)
    mgmt_cli discard --root true -s id_add_host.txt &> /dev/null   # drop the unpublished changes
    logout
    exit 1
}

on_empty_input_print_and_exit(){
    if [ -z "$1" ]; then
        printf "%s\n" "$2"   # print error message
        logout
        exit 0
    fi
}

# Script starts here. Call function "main".
main

If you are interested, you can watch the corresponding video:

3) Via SmartConsole by opening the CLI window

All you need to do is open the CLI window directly from SmartConsole, as shown in the picture below.


In this window you can start entering API commands.

4) Web Services. Using HTTPS POST requests (REST API)

In our opinion, this is one of the most promising methods, because it allows you to "build" entire applications around management server management (sorry for the tautology). Below we will look at this method in a bit more detail.

To summarize:

  1. API + CLI is best suited for people used to Cisco;
  2. API + shell for scripting and performing routine tasks;
  3. REST API for automation.

Enabling the API

By default, the API is enabled on management servers with more than 4GB of RAM and on standalone systems with more than 8GB of RAM. You can check the status with the command: api status

If it turns out that the API is disabled, it is easy to enable it via SmartConsole: Manage & Settings > Blades > Management API > Advanced Settings


Then publish the changes and run the command api restart.

Web requests + Python

To execute API commands you can use web requests from Python with the requests and json libraries. In general, the structure of a web request consists of three parts:

1) Address

(https://<management server>:<port>/web_api/<command>)


2) HTTP headers

Content-Type: application/json
X-chkp-sid: <session ID token as returned by the login command>


3) Request payload

Text in JSON format with the various parameters

An example of a function for calling various commands:


import json
import requests


def api_call(ip_addr, port, command, json_payload, sid):
    # Address: https://<management server>:<port>/web_api/<command>
    url = 'https://' + ip_addr + ':' + str(port) + '/web_api/' + command
    # Headers: the login call has no session yet; every later call carries the session token in X-chkp-sid
    if sid == "":
        request_headers = {'Content-Type': 'application/json'}
    else:
        request_headers = {'Content-Type': 'application/json', 'X-chkp-sid': sid}
    # verify=False skips TLS certificate checking of the management server (the article's setting);
    # pointing verify at the server's CA certificate protects the session token in transit
    r = requests.post(url, data=json.dumps(json_payload), headers=request_headers, verify=False)
    return r.json()

'xxx.xxx.xxx.xxx' -> IP address of the GAIA management server

Here are a few typical tasks you often encounter when administering Check Point.

1) Example of login and logout functions:

Script


def login(user, password):
    # The login call carries no sid yet; the returned sid is used in every later request
    payload = {'user': user, 'password': password}
    response = api_call('xxx.xxx.xxx.xxx', 443, 'login', payload, '')
    return response["sid"]


def logout(sid):
    response = api_call('xxx.xxx.xxx.xxx', 443, 'logout', {}, sid)
    return response["message"]


sid = login('your_user', 'your_password')

2) Enabling blades and configuring the network:

Script


new_gateway_data = {'name':'CPGleb','anti-bot':True,'anti-virus' : True,'application-control':True,'ips':True,'url-filtering':True,'interfaces':
                    [{'name':"eth0",'topology':'external','ipv4-address': 'xxx.xxx.xxx.xxx',"ipv4-network-mask": "255.255.255.0"},
                     {'name':"eth1",'topology':'internal','ipv4-address': 'xxx.xxx.xxx.xxx',"ipv4-network-mask": "255.255.255.0"}]}
new_gateway_result = api_call('xxx.xxx.xxx.xxx', 443,'set-simple-gateway', new_gateway_data ,sid)
print(json.dumps(new_gateway_result))

3) Changing firewall rules:

Script


new_access_data={'name':'Cleanup rule','layer':'Network','action':'Accept'}
new_access_result = api_call('xxx.xxx.xxx.xxx', 443,'set-access-rule', new_access_data ,sid)
print(json.dumps(new_access_result))

4) Adding an Application layer:

Script


add_access_layer_application={ 'name' : 'application123',"applications-and-url-filtering" : True,"firewall" : False}
add_access_layer_application_result = api_call('xxx.xxx.xxx.xxx', 443,'add-access-layer', add_access_layer_application ,sid)
print(json.dumps(add_access_layer_application_result))

set_package_layer={"name" : "Standard","access":True,"access-layers" : {"add" : [ { "name" : "application123","position" :2}]} ,"installation-targets" : "CPGleb"}
set_package_layer_result = api_call('xxx.xxx.xxx.xxx', 443,'set-package', set_package_layer ,sid)
print(json.dumps(set_package_layer_result))

5) Publish and install the policy, check command execution (task-id):

Script


publish_result = api_call('xxx.xxx.xxx.xxx', 443, "publish", {}, sid)
print("publish result: " + json.dumps(publish_result))
new_policy = {'policy-package': 'Standard', 'access': True, 'targets': ['CPGleb']}
new_policy_result = api_call('xxx.xxx.xxx.xxx', 443, 'install-policy', new_policy, sid)
print(json.dumps(new_policy_result))

# install-policy runs asynchronously and returns a task-id; show-task reports its progress and status
task_id = new_policy_result["task-id"]
show_task_id = {'task-id': task_id}
show_task = api_call('xxx.xxx.xxx.xxx', 443, 'show-task', show_task_id, sid)
print(json.dumps(show_task))
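
As an added example (not code from the original article or from Check Point), the pieces above wired together: the three-part request shape, the login/logout pair, publish with discard on failure (as the bash script does) and polling show-task for the install-policy task-id. MgmtSession, fake_transport, the constructed-* values and xxx.xxx.xxx.xxx are assumptions and placeholders; the transport callable stands in for requests.post(...).json() so the flow runs offline.

```python
import json

class MgmtApiError(Exception):
    """Error reply from the management server: the body carries 'code' and 'message'."""

class MgmtSession:
    def __init__(self, ip_addr, port, transport):
        # transport(url, headers, json_body) -> reply dict; for a real SMS wrap requests.post(...).json()
        self.url, self.transport, self.sid = "https://%s:%d/web_api/" % (ip_addr, port), transport, None

    def call(self, command, payload):
        # Same request shape as api_call above: JSON body, Content-Type and, once logged in, X-chkp-sid
        headers = {"Content-Type": "application/json", **({"X-chkp-sid": self.sid} if self.sid else {})}
        body = self.transport(self.url + command, headers, json.dumps(payload))
        if "code" in body:  # error replies carry a code and a message instead of the result
            raise MgmtApiError("%s: %s" % (body["code"], body.get("message", "")))
        return body

    def wait_for_task(self, task_id, max_polls=60):
        # install-policy is asynchronous: poll show-task until the status leaves "in progress"
        for _ in range(max_polls):
            status = self.call("show-task", {"task-id": task_id})["tasks"][0]["status"]
            if status != "in progress":
                return status
        raise MgmtApiError("task %s still in progress after %d polls" % (task_id, max_polls))

    def change_and_install(self, user, password, commands, targets):
        """login -> staged commands -> publish (discard if any fails) -> install-policy -> logout."""
        self.sid = self.call("login", {"user": user, "password": password})["sid"]
        try:
            for command, payload in commands:
                self.call(command, payload)
            self.call("publish", {})
        except MgmtApiError:
            self.call("discard", {})  # drop the whole staged batch, as the bash script above does
            raise
        else:
            policy = {"policy-package": "Standard", "access": True, "targets": targets}
            return self.wait_for_task(self.call("install-policy", policy)["task-id"])
        finally:
            self.call("logout", {})

def fake_transport(url, headers, json_body):
    """Constructed offline stand-in for the SMS (not a real server): answers by command name."""
    command, payload = url.rsplit("/web_api/", 1)[1], json.loads(json_body)
    if command != "login" and headers.get("X-chkp-sid") != "constructed-sid":
        return {"code": "generic_err_wrong_session_id", "message": "wrong session id"}
    if command == "add-host" and not payload.get("ip-address"):
        return {"code": "generic_err_invalid_parameter", "message": "ip-address is required"}
    replies = {"login": {"sid": "constructed-sid"}, "install-policy": {"task-id": "constructed-task-id"},
               "show-task": {"tasks": [{"task-id": payload.get("task-id"), "status": "succeeded"}]}}
    return replies.get(command, {"message": "OK"})
```

Running MgmtSession("xxx.xxx.xxx.xxx", 443, fake_transport).change_and_install("your_user", "your_password", [("add-host", {"name": "JohnDoePc", "ip-address": "192.168.0.10"})], ["CPGleb"]) returns "succeeded"; an add-host without an ip-address makes the same call discard the batch, log out and raise MgmtApiError.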

6) Adding a host:

Script


new_host_data = {'name':'JohnDoePc', 'ip-address': '192.168.0.10'}
new_host_result = api_call('xxx.xxx.xxx.xxx', 443,'add-host', new_host_data ,sid)
print(json.dumps(new_host_result))

7) Adding a Threat Prevention layer:

Script


set_package_layer={'name':'Standard','threat-prevention' :True,'installation-targets':'CPGleb'}
set_package_layer_result = api_call('xxx.xxx.xxx.xxx', 443,'set-package',set_package_layer,sid)
print(json.dumps(set_package_layer_result))

8) Viewing the list of sessions:

Script


new_session_data = {'limit':'50', 'offset':'0','details-level' : 'standard'}
new_session_result = api_call('xxx.xxx.xxx.xxx', 443,'show-sessions', new_session_data ,sid)
print(json.dumps(new_session_result))

9) Creating a new profile:

Script


add_threat_profile={'name':'Apeiron', "active-protections-performance-impact" : "low","active-protections-severity" : "low or above","confidence-level-medium" : "prevent",
  "confidence-level-high" : "prevent", "threat-emulation" : True,"anti-virus" : True,"anti-bot" : True,"ips" : True,
  "ips-settings" : { "newly-updated-protections" : "staging","exclude-protection-with-performance-impact" : True,"exclude-protection-with-performance-impact-mode" : "High or lower"},
  "overrides" : [ {"protection" : "3Com Network Supervisor Directory Traversal","capture-packets" : True,"action" : "Prevent","track" : "Log"},
                  {"protection" : "7-Zip ARJ Archive Handling Buffer Overflow", "capture-packets" : True,"action" : "Prevent","track" : "Log"} ]}
add_threat_profile_result=api_call('xxx.xxx.xxx.xxx',443,'add-threat-profile',add_threat_profile,sid)
print(json.dumps(add_threat_profile_result))  

10) Changing the action of an IPS signature:

Script


set_threat_protection={
  "name" : "3Com Network Supervisor Directory Traversal",
  "overrides" : [{ "profile" : "Apeiron","action" : "Detect","track" : "Log","capture-packets" : True},
    { "profile" : "Apeiron", "action" : "Detect", "track" : "Log", "capture-packets" : False} ]}
set_threat_protection_result=api_call('xxx.xxx.xxx.xxx',443,'set-threat-protection',set_threat_protection,sid)
print(json.dumps(set_threat_protection_result))

11) Adding your own service:

Script


add_service_udp = {"name": "Dota2_udp", "port": '27000-27030',
                   "keep-connections-open-after-policy-installation": False,
                   "session-timeout": 0, "match-for-any": True,
                   "sync-connections-on-cluster": True,
                   "aggressive-aging": {"enable": True, "timeout": 360, "use-default-timeout": False},
                   "accept-replies": False}
add_service_udp_results = api_call('xxx.xxx.xxx.xxx', 443, "add-service-udp", add_service_udp, sid)
print(json.dumps(add_service_udp_results))

12) Adding a category, site or group:

Script


add_application_site_category = {"name": "Valve", "description": "Valve Games"}
add_application_site_category_results = api_call('xxx.xxx.xxx.xxx', 443, "add-application-site-category", add_application_site_category, sid)
print(json.dumps(add_application_site_category_results))

add_application_site = {"name": "Dota2", "primary-category": "Valve", "description": "Dotka",
                        "url-list": ["www.dota2.ru"], "urls-defined-as-regular-expression": False}
# the command name must not carry a trailing space, or the URL /web_api/<command> is wrong
add_application_site_results = api_call('xxx.xxx.xxx.xxx', 443, "add-application-site", add_application_site, sid)
print(json.dumps(add_application_site_results))

add_application_site_group = {"name": "Games", "members": ["Dota2"]}
add_application_site_group_results = api_call('xxx.xxx.xxx.xxx', 443, "add-application-site-group", add_application_site_group, sid)
print(json.dumps(add_application_site_group_results))

In addition, with the Web API you can add and remove networks, hosts, access roles, and so on. Blades can be configured: Antivirus, Antibot, IPS, VPN. It is even possible to install licenses using the run-script command. All Check Point API commands can be found here.

Check Point API + Postman

It is also convenient to use the Check Point Web API together with Postman. Postman has desktop versions for Windows, Linux and MacOS. In addition, there is a plugin for Google Chrome, which is what we will use. First you need to find Postman in the Google Chrome Store and install it:


Using this tool we can create web requests to the Check Point API. To avoid memorizing all the API commands, you can import so-called collections (templates), which already contain all the necessary commands:


Here you will find the collection for R80.10. After importing it, the API command templates become available to us:


In my opinion, this is very convenient. You can quickly start developing applications using the Check Point API.

Check Point + Ansible

I would also like to note that there is an Ansible module for the Check Point API. The module lets you manage configurations, but it is not very convenient for solving non-trivial tasks. Writing scripts in any programming language gives more flexible and convenient solutions.

Conclusion

This concludes our brief review of the Check Point API. In my opinion, this feature was long-awaited and very much needed. The arrival of the API opens up very broad possibilities both for system administrators and for system integrators working with Check Point products. Orchestration, automation, SIEM solutions... everything is now possible.

PS Other articles about Check Point can be found, as always, on our Habr blog or on the blog on our site.

PPS For technical questions related to configuring Check Point, you can ask here.


Source: www.habr.com
