Check Point R80.10 API. Management via CLI, scripts and more

I am sure that everyone who has ever worked with Check Point has complained about the impossibility of editing the configuration from the command line. This is especially strange for those who have previously worked with Cisco ASA, where absolutely everything can be configured in the CLI. With Check Point it is the other way round: all security settings are made exclusively from the graphical interface. However, some things are not convenient to do through a GUI (even one as convenient as Check Point's). For example, the task of adding 100 new hosts or networks turns into a long and tedious procedure. For each object you have to click the mouse several times and type in the IP address. The same goes for creating a group of sites or enabling/disabling IPS signatures in bulk. In this case, there is a high probability of making a mistake.

A "miracle" happened relatively recently. With the release of the new version, Gaia R80, the ability to use the API was announced, which opens up wide possibilities for automating configuration, administration, monitoring and so on. Now you can:

  • create objects;
  • add or edit access lists;
  • enable/disable blades;
  • configure network interfaces;
  • install policies;
  • and much more.

To be honest, I do not understand how this news passed Habr by. In this article we will briefly describe how to use the API and give several practical examples of configuring Check Point using scripts.

I would like to make a reservation right away that the API is used only for the Management server. That is, it is still not possible to manage gateways without a Management server.

Who can use this API in principle?

  1. System administrators who want to simplify or automate routine Check Point configuration tasks;
  2. Companies that want to integrate Check Point with other solutions (virtualization systems, ticketing systems, configuration management systems, etc.);
  3. System integrators who want to standardize settings or create additional Check Point-related products.

Typical scheme

So, let's imagine a typical scheme with Check Point.

As usual, we have a gateway (SG), a management server (SMS) and an admin console (SmartConsole). In this case, the usual process of configuring the gateway looks like this:

That is, first you need to run SmartConsole on the administrator's computer, and use it to connect to the Management server (SMS). The security settings are made on the SMS, and only then applied (install policy) to the gateway (SG).

Using the Management API, we can skip the first step (launching SmartConsole) and apply API commands directly to the Management server (SMS).

Ways to use the API

There are four main ways to edit the configuration using the API:

1) Using the mgmt_cli utility

Example - # mgmt_cli add host name host1 ip-address 192.168.2.100
This command is run from the command line of the Management server (SMS). I think the syntax of the command is clear: host1 is created with the address 192.168.2.100.

2) Entering API commands through clish (in expert mode)

Basically, all you need to do is log in on the command line (mgmt login) under the account that is used when connecting via SmartConsole (or the root account). Then you can enter API commands (in this case there is no need to put the mgmt_cli utility before each command). You can create full-fledged BASH scripts. An example of a script that creates a host:

Bash script

#!/bin/bash

main() {
    clear

    #LOGIN (don't ask for username and password, user is already logged in to Management server as 'root' user)
    mgmt_cli login --root true > id_add_host.txt
    on_error_print_and_exit "Error: Failed to login, check that the server is up and running (run 'api status')"

    #READ HOST NAME
    printf "Enter host name:\n"
    read -er host_name
    on_empty_input_print_and_exit "$host_name" "Error: The host's name cannot be empty."

    #READ IP ADDRESS
    printf "\nEnter host IP address:\n"
    read -er ip
    on_empty_input_print_and_exit "$ip" "Error: The host's IP address cannot be empty."

    #CREATE HOST (input is quoted so that spaces in it cannot add extra mgmt_cli arguments)
    printf "Creating new host: %s with IP address: %s\n" "$host_name" "$ip"
    new_host_response=$(mgmt_cli add host name "$host_name" ip-address "$ip" -s id_add_host.txt 2> /dev/null)
    on_error_print_and_exit "Error: Failed to create host object. \n$new_host_response"

    #PUBLISH THE CHANGES
    printf "\nPublishing the changes\n"
    mgmt_cli publish --root true -s id_add_host.txt &> /dev/null
    on_error_print_and_exit "Error: Failed to publish the changes."

    #LOGOUT
    logout

    printf "Done.\n"
}

logout(){
    mgmt_cli logout --root true -s id_add_host.txt &> /dev/null
}

# Must be called directly after the command it checks, because it reads $?
on_error_print_and_exit(){
    if [ $? -ne 0 ]; then
        handle_error "$1"
    fi
}

handle_error(){
    printf '\n%b\n' "$1" #print error message (%b expands the \n inside it)
    mgmt_cli discard --root true -s id_add_host.txt &> /dev/null
    logout
    exit 1
}

on_empty_input_print_and_exit(){
    if [ -z "$1" ]; then
        printf '%s\n' "$2" #print error message
        logout
        exit 0
    fi
}

# Script starts here. Call function "main".
main


3) Via SmartConsole by opening a CLI window

All you need to do is open the CLI window directly from SmartConsole.

In this window you can immediately start entering API commands.

4) Web Services. Using an HTTPS POST request (REST API)

In our opinion, this is one of the most promising methods, because it allows you to "build" entire applications for managing the management server (sorry for the tautology). Below we will look at this method in a little more detail.

To summarize:

  1. API + cli is more suitable for people who are used to Cisco;
  2. API + shell for applying scripts and performing routine tasks;
  3. REST API for automation.

Enabling the API

By default, the API is enabled on management servers with more than 4GB of RAM and on standalone configurations with more than 8GB of RAM. You can check the status with the command: api status

If it turns out that the API is disabled, it is quite simple to enable it through SmartConsole: Manage & Settings > Blades > Management API > Advanced Settings

Then publish the changes and run the command api restart.

Web requests + Python

To execute API commands, you can use Web requests from Python with the requests and json libraries. In general, a web request consists of three parts:

1) Address

(https://<management server>:<port>/web_api/<command>) 


2) HTTP headers

Content-Type: application/json
x-chkp-sid: <session ID token as returned by the login command>


3) Request payload

Text in JSON format containing the various parameters

An example of a function for calling various commands:


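import json
import requests

def api_call(ip_addr, port, command, json_payload, sid):
    url = 'https://' + ip_addr + ':' + str(port) + '/web_api/' + command
    if sid == "":
        request_headers = {'Content-Type' : 'application/json'}
    else:
        request_headers = {'Content-Type' : 'application/json', 'X-chkp-sid' : sid}
    # verify=False turns off TLS certificate checking, so the login password and the
    # session ID can be intercepted in transit; pass the path of the server's CA file
    # as verify= to keep the check.
    r = requests.post(url,data=json.dumps(json_payload), headers=request_headers,verify=False)
    return r.json()
# 'xxx.xxx.xxx.xxx' -> IP address of the Gaia management server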

Here are some typical tasks that you most often encounter when administering Check Point.

1) Example of login and logout functions:

Script


def login():
    payload = {'user': 'your_user', 'password' : 'your_password'}
    response = api_call('xxx.xxx.xxx.xxx', 443, 'login',payload, '')
    return response["sid"]

def logout(sid):
    response = api_call('xxx.xxx.xxx.xxx', 443,'logout', {} ,sid)
    return response["message"]

# the session ID used by all the following examples
sid = login()

2) Enabling blades and configuring the network:

Script


new_gateway_data = {'name':'CPGleb','anti-bot':True,'anti-virus' : True,'application-control':True,'ips':True,'url-filtering':True,'interfaces':
                    [{'name':"eth0",'topology':'external','ipv4-address': 'xxx.xxx.xxx.xxx',"ipv4-network-mask": "255.255.255.0"},
                     {'name':"eth1",'topology':'internal','ipv4-address': 'xxx.xxx.xxx.xxx',"ipv4-network-mask": "255.255.255.0"}]}
new_gateway_result = api_call('xxx.xxx.xxx.xxx', 443,'set-simple-gateway', new_gateway_data ,sid)
print(json.dumps(new_gateway_result))

3) Changing firewall rules:

Script


# Note: action 'Accept' on the cleanup rule permits all traffic not matched by an earlier rule
new_access_data={'name':'Cleanup rule','layer':'Network','action':'Accept'}
new_access_result = api_call('xxx.xxx.xxx.xxx', 443,'set-access-rule', new_access_data ,sid)
print(json.dumps(new_access_result))

4) Adding an Application layer:

Script


add_access_layer_application={ 'name' : 'application123',"applications-and-url-filtering" : True,"firewall" : False}
add_access_layer_application_result = api_call('xxx.xxx.xxx.xxx', 443,'add-access-layer', add_access_layer_application ,sid)
print(json.dumps(add_access_layer_application_result))

set_package_layer={"name" : "Standard","access":True,"access-layers" : {"add" : [ { "name" : "application123","position" :2}]} ,"installation-targets" : "CPGleb"}
set_package_layer_result = api_call('xxx.xxx.xxx.xxx', 443,'set-package', set_package_layer ,sid)
print(json.dumps(set_package_layer_result))

5) Publish and install the policy, check the execution of the command (task-id):

Script


publish_result = api_call('xxx.xxx.xxx.xxx', 443,"publish", {},sid)
print("publish result: " + json.dumps(publish_result))
new_policy = {'policy-package':'Standard','access':True,'targets':['CPGleb']}
new_policy_result = api_call('xxx.xxx.xxx.xxx', 443,'install-policy', new_policy ,sid)
print(json.dumps(new_policy_result))

# install-policy returns a task-id; show-task reports the state of that task
task_id = new_policy_result["task-id"]
show_task_id ={'task-id': task_id}
show_task=api_call('xxx.xxx.xxx.xxx',443,'show-task',show_task_id,sid)
print(json.dumps(show_task))
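
Step 5 calls show-task once, while the policy installation may still be running at that moment. The following added example (not code from the original article) polls until the task finishes. It assumes that show-task returns a `tasks` list whose entries carry a `status` such as `in progress`, `succeeded`, `failed` or `partially succeeded`; `call`, `wait_for_task` and `install_and_wait` are hypothetical names.

```python
import time

FAILED = {"failed", "partially succeeded"}  # assumed failure statuses of show-task


def wait_for_task(call, task_id, timeout=600, interval=5, sleep=time.sleep):
    """Poll show-task until the task leaves 'in progress' and return its entry.

    call(command, payload) returns the parsed JSON reply, for example
    lambda c, p: api_call('xxx.xxx.xxx.xxx', 443, c, p, sid) with the page's api_call.
    """
    waited = 0
    while True:
        reply = call("show-task", {"task-id": task_id})
        tasks = reply.get("tasks")
        if not tasks:  # error replies carry 'message' instead of 'tasks'
            raise RuntimeError("show-task failed: %s" % reply.get("message", reply))
        task = tasks[0]
        status = task.get("status", "")
        if status in FAILED:
            raise RuntimeError("task %s ended as %r" % (task_id, status))
        if status != "in progress":
            return task
        if waited >= timeout:
            raise TimeoutError("task %s still running after %ss" % (task_id, waited))
        sleep(interval)
        waited += interval


def install_and_wait(call, package, targets, **poll_options):
    """Run install-policy and block until the resulting task has finished."""
    reply = call("install-policy",
                 {"policy-package": package, "access": True, "targets": targets})
    if "task-id" not in reply:
        raise RuntimeError("install-policy rejected: %s" % reply.get("message", reply))
    return wait_for_task(call, reply["task-id"], **poll_options)
```
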

6) Add a host:

Script


new_host_data = {'name':'JohnDoePc', 'ip-address': '192.168.0.10'}
new_host_result = api_call('xxx.xxx.xxx.xxx', 443,'add-host', new_host_data ,sid)
print(json.dumps(new_host_result))

7) Add the Threat Prevention field:

Script


set_package_layer={'name':'Standard','threat-prevention' :True,'installation-targets':'CPGleb'}
set_package_layer_result = api_call('xxx.xxx.xxx.xxx', 443,'set-package',set_package_layer,sid)
print(json.dumps(set_package_layer_result))

8) View the list of sessions:

Script


new_session_data = {'limit':'50', 'offset':'0','details-level' : 'standard'}
new_session_result = api_call('xxx.xxx.xxx.xxx', 443,'show-sessions', new_session_data ,sid)
print(json.dumps(new_session_result))

9) Create a new profile:

Script


add_threat_profile={'name':'Apeiron', "active-protections-performance-impact" : "low","active-protections-severity" : "low or above","confidence-level-medium" : "prevent",
  "confidence-level-high" : "prevent", "threat-emulation" : True,"anti-virus" : True,"anti-bot" : True,"ips" : True,
  "ips-settings" : { "newly-updated-protections" : "staging","exclude-protection-with-performance-impact" : True,"exclude-protection-with-performance-impact-mode" : "High or lower"},
  "overrides" : [ {"protection" : "3Com Network Supervisor Directory Traversal","capture-packets" : True,"action" : "Prevent","track" : "Log"},
                  {"protection" : "7-Zip ARJ Archive Handling Buffer Overflow", "capture-packets" : True,"action" : "Prevent","track" : "Log"} ]}
add_threat_profile_result=api_call('xxx.xxx.xxx.xxx',443,'add-threat-profile',add_threat_profile,sid)
print(json.dumps(add_threat_profile_result))  

10) Change the action for an IPS signature:

Script


set_threat_protection={
  "name" : "3Com Network Supervisor Directory Traversal",
  "overrides" : [{ "profile" : "Apeiron","action" : "Detect","track" : "Log","capture-packets" : True},
    { "profile" : "Apeiron", "action" : "Detect", "track" : "Log", "capture-packets" : False} ]}
set_threat_protection_result=api_call('xxx.xxx.xxx.xxx',443,'set-threat-protection',set_threat_protection,sid)
print(json.dumps(set_threat_protection_result))

11) Add your own service:

Script


add_service_udp={    "name" : "Dota2_udp", "port" : '27000-27030',
"keep-connections-open-after-policy-installation" : False,
"session-timeout" : 0, "match-for-any" : True,
"sync-connections-on-cluster" : True,
"aggressive-aging" : {"enable" : True, "timeout" : 360,"use-default-timeout" : False  },
"accept-replies" : False}
add_service_udp_results=api_call('xxx.xxx.xxx.xxx',443,"add-service-udp",add_service_udp,sid)
print(json.dumps(add_service_udp_results))

12) Add a category, site or group:

Script


add_application_site_category={  "name" : "Valve","description" : "Valve Games"}
add_application_site_category_results=api_call('xxx.xxx.xxx.xxx',443,"add-application-site-category",add_application_site_category,sid)
print(json.dumps(add_application_site_category_results))

add_application_site={    "name" : "Dota2", "primary-category" : "Valve",  "description" : "Dotka",
  "url-list" : [ "www.dota2.ru" ], "urls-defined-as-regular-expression" : False}
add_application_site_results=api_call('xxx.xxx.xxx.xxx',443,"add-application-site",
add_application_site , sid)
print(json.dumps(add_application_site_results))

add_application_site_group={"name" : "Games","members" : [ "Dota2"]}
add_application_site_group_results=api_call('xxx.xxx.xxx.xxx',443,"add-application-site-group",add_application_site_group,sid)
print(json.dumps(add_application_site_group_results))

In addition, with the help of the Web API you can add and remove networks, hosts, access roles and so on. The Antivirus, Antibot, IPS and VPN blades can be configured. It is even possible to install licenses using the run-script command. All Check Point API commands can be found here.
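
The task from the introduction, adding many hosts at once, as an added example that is not part of the original article: every row is validated first, all hosts are added in one session and published once, and on any error the unpublished changes are discarded. `make_call`, `bulk_add_hosts`, `ApiError`, the name pattern and the CA file path are assumptions of this example, as is the server answering errors with a non-200 status and a JSON `message`.

```python
import ipaddress
import json
import re

NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_.-]{0,99}")  # assumed, conservative naming rule


class ApiError(RuntimeError):
    """Non-200 reply from the management server."""


def make_call(server, sid, ca_bundle, post=None):
    """Return call(command, payload) for one session; it raises ApiError on non-200.

    ca_bundle: path to the management server's certificate or issuing CA (assumed
    to be exported beforehand); passing it as verify= keeps TLS verification on.
    """
    if post is None:
        import requests  # imported lazily so a stub can replace it offline
        post = requests.post
    headers = {"Content-Type": "application/json", "X-chkp-sid": sid}

    def call(command, payload):
        r = post("https://%s/web_api/%s" % (server, command), headers=headers,
                 data=json.dumps(payload), verify=ca_bundle, timeout=30)
        if r.status_code != 200:
            raise ApiError("%s: %s" % (command, r.json().get("message", r.status_code)))
        return r.json()
    return call


def bulk_add_hosts(call, rows):
    """Validate all (name, ip) rows, add them, publish once; discard on any error."""
    hosts, seen = [], set()
    for name, ip in rows:  # validate everything before touching the server
        if not NAME_RE.fullmatch(name) or name in seen:
            raise ValueError("bad or duplicate host name: %r" % name)
        seen.add(name)
        hosts.append({"name": name, "ip-address": str(ipaddress.ip_address(ip))})
    try:
        for host in hosts:
            call("add-host", host)
        call("publish", {})
    except ApiError:
        call("discard", {})  # drop the partial, unpublished changes
        raise
    return len(hosts)
```
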

Check Point API + Postman

It is also convenient to use the Check Point Web API together with Postman. Postman has desktop versions for Windows, Linux and MacOS. In addition, there is a plugin for Google Chrome. This is what we will use. First you need to find Postman in the Google Chrome Store and install it.

Using this utility, we will be able to generate Web requests to the Check Point API. In order not to memorize all the API commands, it is possible to import so-called collections (templates), which already contain all the necessary commands.

Here you will find the collection for R80.10. After the import, the API command templates will become available to us.

In my opinion, this is very convenient. You can quickly start developing applications using the Check Point API.

Check Point + Ansible

I would also like to note that there is an Ansible module for the Check Point API. The module allows you to manage configurations, but it is not so convenient for solving exotic tasks. Writing scripts in any programming language gives more flexible and convenient solutions.

Conclusion

This is where we will probably finish our short review of the Check Point API. In my opinion, this feature was long-awaited and necessary. The appearance of the API opens up very broad opportunities both for system administrators and for system integrators who work with Check Point products. Orchestration, automation, SIEM feedback... all of this is now possible.

P.S. As always, you can find more articles about Check Point on our Habr blog or on the blog on our site.

P.P.S. For technical questions related to configuring Check Point, you can contact us here.


Do you plan to use the API?

  • 70.6% Yes (12)

  • 23.5% No (4)

  • 5.9% Already using it (1)

17 users voted. 3 users abstained.

Source: www.habr.com
