The APIClientArgs class is responsible for the parameters of the connection to the API server, and the APIClient class is responsible for interacting with the API.
Defining connection parameters
To define the various parameters for connecting to the API, you need to create an instance of the APIClientArgs class. In general, its parameters are predefined, and when the script runs on the management server they do not need to be specified.
client_args = APIClientArgs()
But when running on a third-party host, you need to specify at least the IP address or host name of the API server (also known as the management server). In the example below, we define the server connection parameter and assign it the IP address of the management server as a string.
Let's look at all the parameters, and their default values, that can be used when connecting to the API server:
Arguments of the __init__ method of the APIClientArgs class
class APIClientArgs:
    """
    This class provides arguments for APIClient configuration.
    All the arguments are configured with their default values.
    """

    # port is set to None by default, but it gets replaced with 443 if not specified
    # context possible values - web_api (default) or gaia_api
    def __init__(self, port=None, fingerprint=None, sid=None, server="127.0.0.1", http_debug_level=0,
                 api_calls=None, debug_file="", proxy_host=None, proxy_port=8080,
                 api_version=None, unsafe=False, unsafe_auto_accept=False, context="web_api"):
        self.port = port
        # management server fingerprint
        self.fingerprint = fingerprint
        # session-id.
        self.sid = sid
        # management server name or IP-address
        self.server = server
        # debug level
        self.http_debug_level = http_debug_level
        # an array with all the api calls (for debug purposes)
        self.api_calls = api_calls if api_calls else []
        # name of debug file. If left empty, debug data will not be saved to disk.
        self.debug_file = debug_file
        # HTTP proxy server address (without "http://")
        self.proxy_host = proxy_host
        # HTTP proxy port
        self.proxy_port = proxy_port
        # Management server's API version
        self.api_version = api_version
        # Indicates that the client should not check the server's certificate
        self.unsafe = unsafe
        # Indicates that the client should automatically accept and save the server's certificate
        self.unsafe_auto_accept = unsafe_auto_accept
        # The context of using the client - defaults to web_api
        self.context = context
I believe the arguments that can be used in instances of the APIClientArgs class are intuitive to Check Point administrators and need no further comment.
Connecting via APIClient and a context manager
The easiest way to use the APIClient class is through a context manager. All that needs to be passed to an instance of the APIClient class is the connection parameters defined in the previous step.
with APIClient(client_args) as client:
The context manager does not automatically make a login call to the API server, but it does make a logout call on exit. If for some reason a logout is not wanted after you finish working with API calls, you need to work without the context manager:
client = APIClient(client_args)
Connection test
The simplest way to check whether the connection works with the specified parameters is to use the check_fingerprint method. If verification of the SHA-1 hash of the API server certificate fingerprint fails (the method returned False), this is usually caused by connection problems, and we can stop the program (or give the user a chance to correct the connection data):
if client.check_fingerprint() is False:
    print("Could not get the server's fingerprint - Check connectivity with the server.")
    exit(1)
Please note that from then on the APIClient class will check the SHA-1 fingerprint of the API server certificate on every API call (the api_call and api_query methods, which we will discuss a little later). But if an error is detected when checking the SHA-1 fingerprint of the API server certificate (the certificate is unknown or has been changed), the check_fingerprint method will offer to add or change the information about it on the local machine automatically. This check can be disabled completely (but this can be recommended only when scripts run on the API server itself, connecting to 127.0.0.1), using the APIClientArgs argument unsafe_auto_accept (see more about APIClientArgs earlier in "Defining connection parameters").
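A simplified model of the fingerprint decision described above, as an added example that is not cpapi's own code. The function names, the dict used as the local store, the ask callback standing in for the interactive prompt, and the byte strings standing in for DER certificates are all assumptions made for illustration.

```python
import hashlib

def sha1_fingerprint(der_cert):
    """Upper-case hex SHA-1 digest of a DER-encoded certificate."""
    return hashlib.sha1(der_cert).hexdigest().upper()

def check_pinned_fingerprint(server, der_cert, store, auto_accept=False, ask=None):
    """Return (trusted, reason); `store` maps server -> saved fingerprint.

    auto_accept models the unsafe_auto_accept behaviour: an unknown or changed
    fingerprint is saved without confirmation. `ask` is a hypothetical callback
    standing in for the interactive prompt.
    """
    seen = sha1_fingerprint(der_cert)
    saved = store.get(server)
    if saved == seen:
        return True, "match"
    reason = "unknown" if saved is None else "changed"
    if auto_accept or (ask is not None and ask(server, saved, seen)):
        store[server] = seen
        return True, reason + "-accepted"
    return False, reason + "-rejected"

def demo():
    # Constructed byte strings standing in for two DER certificates.
    cert_a = b"constructed-certificate-A"
    cert_b = b"constructed-certificate-B"
    server = "192.0.2.10"  # constructed address from the documentation range
    deny = lambda srv, saved, seen: False  # operator answers "no" at the prompt
    store = {}
    results = [check_pinned_fingerprint(server, cert_a, store, ask=deny)]
    store[server] = sha1_fingerprint(cert_a)  # operator verified it out of band
    results.append(check_pinned_fingerprint(server, cert_a, store, ask=deny))
    # The server now presents a different certificate.
    results.append(check_pinned_fingerprint(server, cert_b, store, ask=deny))
    results.append(check_pinned_fingerprint(server, cert_b, store, auto_accept=True))
    return results

if __name__ == "__main__":
    for trusted, reason in demo():
        print(trusted, reason)
```

The last case shows why automatic acceptance fits only the 127.0.0.1 case: a changed certificate is saved and trusted with nobody comparing the fingerprint.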
Option using an API key (supported starting with management version R80.40/Management API v1.6; "3TsbPJ8ZKjaJGvFyoFqHFA==" is the API key value for one of the users on the management server with the API key authentication method):
This method works for any call. We need to pass the last part of the API call and, if needed, the payload for the request body. If the payload is empty, it can be omitted entirely:
In this case it may be useful to change the value of the success status. Technically, you can put anything there, even an ordinary string. But a real-world example would be setting this parameter to False under certain accompanying conditions. Below, note the example where there are tasks running on the management server, but we will consider this request unsuccessful (we set the success variable to False, even though the API call succeeded and returned code 200).
for task in task_result.data["tasks"]:
    if task["status"] == "failed" or task["status"] == "partially succeeded":
        task_result.set_success_status(False)
        break
Running Python scripts on the Check Point management server
The same README.md contains information on how to run Python scripts directly from the management server. This can be convenient when you cannot connect to the API server from another machine. I recorded a six-minute video in which I look at installing the cpapi module and the specifics of running Python scripts on the management server. As an example, a script is run that automates the configuration of a new gateway for a task such as a network audit, Security CheckUp. Among the things I had to deal with: the input function had not yet appeared in Python 2.7, so the raw_input function is used to handle information entered by the user. Otherwise, the code is the same as for running from other machines, except that it is more convenient to use the login_as_root function, so that you do not have to specify your user name, password and the management server IP address again.
Script for quick setup of Security CheckUp
from __future__ import print_function

import getpass
import os
import sys

# make the cpapi package in the parent directory importable
sys.path.append(os.path.abspath(os.path.join(os.path.dirname(__file__), '..')))

from cpapi import APIClient, APIClientArgs


def main():
    with APIClient() as client:
        # if client.check_fingerprint() is False:
        #     print("Could not get the server's fingerprint - Check connectivity with the server.")
        #     exit(1)

        # log in locally on the management server, no credentials needed
        login_res = client.login_as_root()
        if login_res.success is False:
            print("Login failed:\n{}".format(login_res.error_message))
            exit(1)

        # Python 2.7: raw_input returns the typed text as a string
        gw_name = raw_input("Enter the gateway name:")
        gw_ip = raw_input("Enter the gateway IP address:")
        if sys.stdin.isatty():
            sic = getpass.getpass("Enter one-time password for the gateway(SIC): ")
        else:
            print("Attention! Your password will be shown on the screen!")
            sic = raw_input("Enter one-time password for the gateway(SIC): ")
        version = raw_input("Enter the gateway version(like RXX.YY):")

        # create the gateway object with the blades needed for the CheckUp
        add_gw = client.api_call("add-simple-gateway", {
            'name': gw_name, 'ipv4-address': gw_ip, 'one-time-password': sic,
            'version': version.capitalize(), 'application-control': 'true',
            'url-filtering': 'true', 'ips': 'true', 'anti-bot': 'true',
            'anti-virus': 'true', 'threat-emulation': 'true'})
        if add_gw.success and add_gw.data['sic-state'] != "communicating":
            print("Secure connection with the gateway hasn't established!")
            exit(1)
        elif add_gw.success:
            print("The gateway was added successfully.")
            gw_uid = add_gw.data['uid']
            gw_name = add_gw.data['name']
        else:
            print("Failed to add the gateway - {}".format(add_gw.error_message))
            exit(1)

        change_policy = client.api_call("set-access-layer", {
            "name": "Network", "applications-and-url-filtering": "true",
            "content-awareness": "true"})
        if change_policy.success:
            print("The policy has been changed successfully")
        else:
            print("Failed to change the policy- {}".format(change_policy.error_message))

        change_rule = client.api_call("set-access-rule", {
            "name": "Cleanup rule", "layer": "Network", "action": "Accept",
            "track": {"type": "Detailed Log", "accounting": "true"}})
        if change_rule.success:
            print("The cleanup rule has been changed successfully")
        else:
            print("Failed to change the cleanup rule- {}".format(change_rule.error_message))

        # publish the result
        publish_res = client.api_call("publish", {})
        if publish_res.success:
            print("The changes were published successfully.")
        else:
            print("Failed to publish the changes - {}".format(publish_res.error_message))

        install_access_policy = client.api_call("install-policy", {
            "policy-package": "Standard", "access": 'true',
            "threat-prevention": 'false', "targets": gw_uid})
        if install_access_policy.success:
            print("The access policy has been installed")
        else:
            print("Failed to install access policy - {}".format(install_access_policy.error_message))

        install_tp_policy = client.api_call("install-policy", {
            "policy-package": "Standard", "access": 'false',
            "threat-prevention": 'true', "targets": gw_uid})
        if install_tp_policy.success:
            print("The threat prevention policy has been installed")
        else:
            print("Failed to install threat prevention policy - {}".format(install_tp_policy.error_message))

        # add passwords and passphrases to dictionary
        # each line of the local file is placed into the shell command as-is,
        # so the file must contain only trusted content
        with open('additional_pass.conf') as f:
            line_num = 0
            for line in f:
                line_num += 1
                add_password_dictionary = client.api_call("run-script", {
                    "script-name": "Add passwords and passphrases",
                    "script": "printf \"{}\" >> $FWDIR/conf/additional_pass.conf".format(line),
                    "targets": gw_name})
                if add_password_dictionary.success:
                    print("The password dictionary line {} was added successfully".format(line_num))
                else:
                    print("Failed to add the dictionary - {}".format(add_password_dictionary.error_message))


if __name__ == "__main__":
    main()
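The last step of the script places each line of additional_pass.conf inside a double-quoted printf format string, so a password containing quotes, $, backticks or % is changed or interpreted by the shell before it reaches the file. A hardened way to build that command, as an added example that is not part of the original script: build_append_script, run_locally and the sample lines are hypothetical names and constructed data, and the command is run with a local sh in a scratch directory instead of through run-script.

```python
import os
import subprocess
import tempfile

try:
    from shlex import quote   # Python 3
except ImportError:
    from pipes import quote   # Python 2.7, as on the management server

def build_append_script(line):
    """Shell command that appends `line` verbatim to additional_pass.conf."""
    # '%s\n' is a fixed format string, so '%' in the data is not interpreted by
    # printf; quote() turns the data into a single literal shell word.
    return "printf '%s\\n' {} >> \"$FWDIR/conf/additional_pass.conf\"".format(
        quote(line.rstrip("\r\n")))

def run_locally(lines):
    """Run the generated commands with sh in a scratch FWDIR; return the file text."""
    fwdir = tempfile.mkdtemp()
    os.mkdir(os.path.join(fwdir, "conf"))
    env = dict(os.environ, FWDIR=fwdir)
    for line in lines:
        subprocess.check_call(["sh", "-c", build_append_script(line)], env=env)
    with open(os.path.join(fwdir, "conf", "additional_pass.conf")) as f:
        return f.read()

# Constructed sample entries with characters the shell or printf treat specially.
SAMPLE_LINES = [
    'Winter2024!\n',
    'it\'s "quoted"\n',
    '100%sure $HOME `x` $(echo y)\n',
    'back\\slash\n',
]

if __name__ == "__main__":
    print(run_locally(SAMPLE_LINES))
```

In the script, the same builder would supply the "script" value of the run-script call, with the loop otherwise unchanged.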