Simplifying the Check Point API with the Python SDK

The full power of working with an API is revealed when it is used together with program code, when it becomes possible to generate API requests and build tools for analysing API responses. However, the Python Software Development Kit (hereafter the Python SDK) for the Check Point Management API still goes largely unnoticed, and undeservedly so. It makes life much easier for developers and automation enthusiasts. Python has become hugely popular recently, so I decided to fill the gap and review the main features of the Check Point API Python Development Kit.

This article is a good complement to another article on Habr, "Check Point R80.10 API. Management via CLI, scripts and more". We will look at how to write scripts using the Python SDK and take a closer look at the new Management API functionality in version 1.6 (supported starting with R80.40). To follow the article you will need basic knowledge of working with APIs and Python.

Check Point is actively developing its APIs, and at the moment the following have been released:

The Python SDK currently supports only interaction with the Management API and the Gaia API. We will look at the most important classes, methods and variables in this module.

Installing the module

The cpapi module installs quickly and easily from the official Check Point repository on GitHub using pip. Detailed installation instructions are in README.md. The module is adapted to work with Python versions 2.7 and 3.7. In this article the examples are given for Python 3.7. However, the Python SDK can also be run directly on the Check Point management server (Smart Management), which supports only Python 2.7, so the last section gives code for version 2.7. Right after installing the module, I recommend looking at the examples in the examples_python2 and examples_python3 directories.

Getting started

To work with the components of the cpapi module, we need to import at least two required classes from it:

APIClient and APIClientArgs

from cpapi import APIClient, APIClientArgs

The APIClientArgs class is responsible for the connection parameters to the API server, and the APIClient class is responsible for interaction with the API.

Defining the connection parameters

To define the various parameters for connecting to the API, create an instance of the APIClientArgs class. Its parameters have predefined defaults, and when the script runs on the management server they do not need to be specified.

client_args = APIClientArgs()

But when running on a third-party host, you need to specify at least the IP address or host name of the API server (also known as the management server). In the example below we define the server connection parameter and assign it the management server's IP address as a string.

client_args = APIClientArgs(server='192.168.47.241')

Let's look at all the parameters, and their default values, that can be used when connecting to the API server:

Arguments of the __init__ method of the APIClientArgs class

class APIClientArgs:
    """
    This class provides arguments for APIClient configuration.
    All the arguments are configured with their default values.
    """

    # port is set to None by default, but it gets replaced with 443 if not specified
    # context possible values - web_api (default) or gaia_api
    def __init__(self, port=None, fingerprint=None, sid=None, server="127.0.0.1", http_debug_level=0,
                 api_calls=None, debug_file="", proxy_host=None, proxy_port=8080,
                 api_version=None, unsafe=False, unsafe_auto_accept=False, context="web_api"):
        self.port = port
        # management server fingerprint
        self.fingerprint = fingerprint
        # session-id.
        self.sid = sid
        # management server name or IP-address
        self.server = server
        # debug level
        self.http_debug_level = http_debug_level
        # an array with all the api calls (for debug purposes)
        self.api_calls = api_calls if api_calls else []
        # name of debug file. If left empty, debug data will not be saved to disk.
        self.debug_file = debug_file
        # HTTP proxy server address (without "http://")
        self.proxy_host = proxy_host
        # HTTP proxy port
        self.proxy_port = proxy_port
        # Management server's API version
        self.api_version = api_version
        # Indicates that the client should not check the server's certificate
        self.unsafe = unsafe
        # Indicates that the client should automatically accept and save the server's certificate
        self.unsafe_auto_accept = unsafe_auto_accept
        # The context of using the client - defaults to web_api
        self.context = context

I believe the arguments that can be used in instances of the APIClientArgs class are intuitive for Check Point administrators and need no additional comment.

Connecting via APIClient and the context manager

The easiest way to use the APIClient class is through a context manager. All that needs to be passed to an APIClient instance is the connection parameters defined in the previous step.

with APIClient(client_args) as client:

The context manager will not automatically make the login call to the API server, but it will make the logout call on exit. If for some reason a logout is not wanted after you finish working with API calls, start working without the context manager:

client = APIClient(client_args)

Checking the connection

The easiest way to check whether the connection satisfies the specified parameters is the check_fingerprint method. If verification of the SHA-1 hash for the fingerprint of the API server's certificate fails (the method returned False), this is usually caused by connection problems, and we can stop the program (or give the user a chance to correct the connection data):

    if client.check_fingerprint() is False:
        print("Could not get the server's fingerprint - Check connectivity with the server.")
        exit(1)

Note that subsequently the APIClient class checks the SHA-1 fingerprint of the API server's certificate on every API call (the api_call and api_query methods, which we will discuss a little later). But if an error is detected while checking the SHA-1 fingerprint of the API server's certificate (the certificate is unknown or has changed), the check_fingerprint method offers to add or change the information about it on the local machine automatically. This check can be disabled entirely (but that can only be recommended when scripts run on the API server itself, connecting to 127.0.0.1), using the APIClientArgs argument unsafe_auto_accept (see more about APIClientArgs earlier, in "Defining the connection parameters").

client_args = APIClientArgs(unsafe_auto_accept=True)
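The difference between a pinned fingerprint and automatic acceptance, as an added example that is not code from the SDK or from the original article. The pin file, the helper names and the two "certificates" are constructed for illustration; only the SHA-1 fingerprint idea and the accept-and-save behaviour of unsafe_auto_accept come from the text above.

```python
import hashlib
import hmac
import json
import os
import tempfile


def sha1_fingerprint(cert_der):
    """Upper-case hex SHA-1 digest of a DER-encoded certificate."""
    return hashlib.sha1(cert_der).hexdigest().upper()


def _load(path):
    # A missing or empty pin file means no server has been trusted yet.
    if not os.path.exists(path) or os.path.getsize(path) == 0:
        return {}
    with open(path) as f:
        return json.load(f)


def _save(path, pins):
    with open(path, "w") as f:
        json.dump(pins, f, indent=2, sort_keys=True)


def pin(path, server, cert_der):
    """Record a fingerprint the operator has verified out of band."""
    pins = _load(path)
    pins[server] = sha1_fingerprint(cert_der)
    _save(path, pins)


def check(path, server, cert_der, auto_accept=False):
    """Return (trusted, reason) for the certificate the server presented."""
    pins = _load(path)
    seen = sha1_fingerprint(cert_der)
    known = pins.get(server)
    if known is not None and hmac.compare_digest(known, seen):
        return True, "match"
    reason = "unknown" if known is None else "changed"
    if auto_accept:
        # Models unsafe_auto_accept=True: whatever was presented becomes
        # the stored fingerprint, so a replaced certificate is trusted too.
        pins[server] = seen
        _save(path, pins)
        return True, reason + ", auto-accepted"
    return False, reason


def pin_demo():
    # Constructed byte strings standing in for two different certificates.
    cert_a = b"constructed-certificate-A"
    cert_b = b"constructed-certificate-B"
    server = "192.168.47.241"
    fd, path = tempfile.mkstemp(suffix=".json")
    os.close(fd)
    try:
        results = [check(path, server, cert_a)]       # first contact, strict
        pin(path, server, cert_a)                      # operator confirms it
        results.append(check(path, server, cert_a))    # same certificate
        results.append(check(path, server, cert_b))    # certificate replaced
        results.append(check(path, server, cert_b, auto_accept=True))
        results.append(check(path, server, cert_a))    # original now rejected
        return results
    finally:
        os.remove(path)


if __name__ == "__main__":
    for trusted, reason in pin_demo():
        print(trusted, reason)
```

The fourth result is the reason automatic acceptance is only reasonable against 127.0.0.1: the changed certificate is trusted and overwrites the pin, after which the original certificate no longer matches.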

Logging in to the API server

APIClient has as many as 3 methods for logging in to the API server, and each of them keeps track of the SID (session-id) value, which is then used automatically in the header of every subsequent API call (the header name for this parameter is X-chkp-sid), so there is no need to handle this parameter yourself.

The login method

The option using a login and password (in this example the user name admin and the password 1q2w3e are passed as positional arguments):

     login = client.login('admin', '1q2w3e')  

Additional optional parameters are also available in the login method; here are their names and default values:

continue_last_session=False, domain=None, read_only=False, payload=None

The login_with_api_key method

The option using an API key (supported starting with management version R80.40 / Management API v1.6; "3TsbPJ8ZKjaJGvFyoFqHFA==" is the API key value for one of the users on the management server who uses the API-key authentication method):

     login = client.login_with_api_key('3TsbPJ8ZKjaJGvFyoFqHFA==') 

The login_with_api_key method has the same optional parameters as the login method.

The login_as_root method

The option for logging in on the local machine that hosts the API server:

     login = client.login_as_root()

Only two optional parameters are available for this method:

domain=None, payload=None

And finally, the API calls themselves

We have two options for making API calls: the api_call and api_query methods. Let's see what the difference between them is.

api_call

This method works for any call. We pass the last part of the API call path and, if needed, the payload for the request body. If the payload is empty, it can be omitted entirely:

api_versions = client.api_call('show-api-versions') 

The output of this request:

In [23]: api_versions                                                           
Out[23]: 
APIResponse({
    "data": {
        "current-version": "1.6",
        "supported-versions": [
            "1",
            "1.1",
            "1.2",
            "1.3",
            "1.4",
            "1.5",
            "1.6"
        ]
    },
    "res_obj": {
        "data": {
            "current-version": "1.6",
            "supported-versions": [
                "1",
                "1.1",
                "1.2",
                "1.3",
                "1.4",
                "1.5",
                "1.6"
            ]
        },
        "status_code": 200
    },
    "status_code": 200,
    "success": true
})

show_host = client.api_call('show-host', {'name' : 'h_8.8.8.8'})

The output of this request:

In [25]: show_host                                                              
Out[25]: 
APIResponse({
    "data": {
        "color": "black",
        "comments": "",
        "domain": {
            "domain-type": "domain",
            "name": "SMC User",
            "uid": "41e821a0-3720-11e3-aa6e-0800200c9fde"
        },
        "groups": [],
        "icon": "Objects/host",
        "interfaces": [],
        "ipv4-address": "8.8.8.8",
        "meta-info": {
            "creation-time": {
                "iso-8601": "2020-05-01T21:49+0300",
                "posix": 1588358973517
            },
            "creator": "admin",
            "last-modifier": "admin",
            "last-modify-time": {
                "iso-8601": "2020-05-01T21:49+0300",
                "posix": 1588358973517
            },
            "lock": "unlocked",
            "validation-state": "ok"
        },
        "name": "h_8.8.8.8",
        "nat-settings": {
            "auto-rule": false
        },
        "read-only": false,
        "tags": [],
        "type": "host",
        "uid": "c210af07-1939-49d3-a351-953a9c471d9e"
    },
    "res_obj": {
        "data": {
            "color": "black",
            "comments": "",
            "domain": {
                "domain-type": "domain",
                "name": "SMC User",
                "uid": "41e821a0-3720-11e3-aa6e-0800200c9fde"
            },
            "groups": [],
            "icon": "Objects/host",
            "interfaces": [],
            "ipv4-address": "8.8.8.8",
            "meta-info": {
                "creation-time": {
                    "iso-8601": "2020-05-01T21:49+0300",
                    "posix": 1588358973517
                },
                "creator": "admin",
                "last-modifier": "admin",
                "last-modify-time": {
                    "iso-8601": "2020-05-01T21:49+0300",
                    "posix": 1588358973517
                },
                "lock": "unlocked",
                "validation-state": "ok"
            },
            "name": "h_8.8.8.8",
            "nat-settings": {
                "auto-rule": false
            },
            "read-only": false,
            "tags": [],
            "type": "host",
            "uid": "c210af07-1939-49d3-a351-953a9c471d9e"
        },
        "status_code": 200
    },
    "status_code": 200,
    "success": true
})

api_query

Let me say right away that this method applies only to calls whose output involves an offset. Such output occurs when it contains, or may contain, a large amount of information. For example, this could be a request for the list of all objects created on the management server. For such requests the API returns a list of 50 objects by default (you can raise the limit to 500 objects per response). So that you don't have to pull the information several times, changing the offset parameter in the API request, there is the api_query method, which does this work automatically. Examples of calls where this method is needed: show-sessions, show-hosts, show-networks, show-wildcards, show-groups, show-address-ranges, show-simple-gateways, show-simple-clusters, show-access-roles, show-trusted-clients, show-packages. In fact, we see plural words in the names of these API calls, so such calls are easier to handle through api_query.

show_hosts = client.api_query('show-hosts') 

The output of this request:

In [21]: show_hosts                                                             
Out[21]: 
APIResponse({
    "data": [
        {
            "domain": {
                "domain-type": "domain",
                "name": "SMC User",
                "uid": "41e821a0-3720-11e3-aa6e-0800200c9fde"
            },
            "ipv4-address": "192.168.47.1",
            "name": "h_192.168.47.1",
            "type": "host",
            "uid": "5d7d7086-d70b-4995-971a-0583b15a2bfc"
        },
        {
            "domain": {
                "domain-type": "domain",
                "name": "SMC User",
                "uid": "41e821a0-3720-11e3-aa6e-0800200c9fde"
            },
            "ipv4-address": "8.8.8.8",
            "name": "h_8.8.8.8",
            "type": "host",
            "uid": "c210af07-1939-49d3-a351-953a9c471d9e"
        }
    ],
    "res_obj": {
        "data": {
            "from": 1,
            "objects": [
                {
                    "domain": {
                        "domain-type": "domain",
                        "name": "SMC User",
                        "uid": "41e821a0-3720-11e3-aa6e-0800200c9fde"
                    },
                    "ipv4-address": "192.168.47.1",
                    "name": "h_192.168.47.1",
                    "type": "host",
                    "uid": "5d7d7086-d70b-4995-971a-0583b15a2bfc"
                },
                {
                    "domain": {
                        "domain-type": "domain",
                        "name": "SMC User",
                        "uid": "41e821a0-3720-11e3-aa6e-0800200c9fde"
                    },
                    "ipv4-address": "8.8.8.8",
                    "name": "h_8.8.8.8",
                    "type": "host",
                    "uid": "c210af07-1939-49d3-a351-953a9c471d9e"
                }
            ],
            "to": 2,
            "total": 2
        },
        "status_code": 200
    },
    "status_code": 200,
    "success": true
})
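What api_query automates, written out by hand as an added example (not SDK code and not from the original article). The make_fake_server stub and the paged_query helper are hypothetical; the stub only mimics the from/to/total fields visible in res_obj above and the 50 and 500 limits mentioned in the text, so the loop can run offline.

```python
def make_fake_server(names, max_limit=500, default_limit=50):
    """Build a stand-in for client.api_call that pages over `names`."""
    calls = []

    def api_call(command, payload=None):
        payload = payload or {}
        # The server caps the page size, whatever the client asks for.
        limit = min(payload.get("limit", default_limit), max_limit)
        offset = payload.get("offset", 0)
        calls.append({"command": command, "offset": offset, "limit": limit})
        page = [{"name": n, "type": "host"}
                for n in names[offset:offset + limit]]
        body = {"objects": page, "total": len(names)}
        if page:
            body["from"] = offset + 1      # 1-based index of first object
            body["to"] = offset + len(page)
        return body

    return api_call, calls


def paged_query(api_call, command, payload=None, limit=50):
    """Collect every object of a plural show-* command by advancing offset."""
    collected = []
    offset = 0
    while True:
        request = dict(payload or {}, limit=limit, offset=offset)
        body = api_call(command, request)
        collected.extend(body["objects"])
        # An empty page, or to == total, means the listing is exhausted.
        if not body["objects"] or body.get("to", 0) >= body["total"]:
            return collected
        # Continue from what the server actually returned, not from
        # offset + limit, so a capped page size does not skip objects.
        offset = body["to"]


def paging_demo(count, limit):
    """Return (all objects retrieved in order?, offsets that were requested)."""
    # Constructed object names; nothing here talks to a real server.
    names = ["h_10.0.{}.{}".format(i // 250, i % 250 + 1) for i in range(count)]
    api_call, calls = make_fake_server(names)
    objects = paged_query(api_call, "show-hosts", limit=limit)
    return [o["name"] for o in objects] == names, [c["offset"] for c in calls]


if __name__ == "__main__":
    print(paging_demo(120, 50))     # three pages
    print(paging_demo(1200, 1000))  # limit capped at 500 by the server
    print(paging_demo(0, 50))       # empty listing
```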

Processing the results of API calls

After that, you can use the variables and methods of the APIResponse class (both inside the context manager and outside it). The APIResponse class has 4 methods and 5 variables predefined; we will dwell on the most important ones in more detail.

success

To begin with, it is a good idea to make sure that the API call succeeded and returned a result. The success method exists for this:

In [49]: api_versions.success                                                   
Out[49]: True

Returns True if the API call succeeded (response code 200) and False if it did not (any other response code). It is convenient to use right after an API call to show different information depending on the response code.

if api_versions.success: 
    print(api_versions.data) 
else: 
    print(api_versions.error_message) 

status_code

Returns the response code after an API call has been made.

In [62]: api_versions.status_code                                               
Out[62]: 400

Possible response codes: 200, 400, 401, 403, 404, 409, 500, 501.

set_success_status

In some cases it may be necessary to change the value of the success status. Technically you can put anything there, even an ordinary string. But a realistic example would be resetting this parameter to False under certain accompanying conditions. Below, note the example where there are tasks running on the management server, but we will treat the request as unsuccessful (we set the success variable to False, even though the API call succeeded and returned code 200).

for task in task_result.data["tasks"]:
    if task["status"] == "failed" or task["status"] == "partially succeeded":
        task_result.set_success_status(False)
        break

response()

The response method lets you view a dictionary with the response code (status_code) and the response body (body).

In [94]: api_versions.response()                                                
Out[94]: 
{'status_code': 200,
 'data': {'current-version': '1.6',
  'supported-versions': ['1', '1.1', '1.2', '1.3', '1.4', '1.5', '1.6']}}

data

Lets you see only the response body (body) without unnecessary information.

In [93]: api_versions.data                                                      
Out[93]: 
{'current-version': '1.6',
 'supported-versions': ['1', '1.1', '1.2', '1.3', '1.4', '1.5', '1.6']}

error_message

This information is available only when an error occurred while processing the API request (response code other than 200). Example output:

In [107]: api_versions.error_message                                            
Out[107]: 'code: generic_err_invalid_parameter_name\nmessage: Unrecognized parameter [1]\n'

Useful examples

Below are examples that use API calls added in Management API 1.6.

First, let's look at how the add-host and add-address-range calls work. Suppose we need to create all IP addresses of the subnet 192.168.0.0/24 whose last octet is a multiple of 5 as host objects, and write all the remaining IP addresses as address-range objects. In doing so, leave out the subnet address and the broadcast address.

So, below is a script that solves this task and creates 50 host objects and 51 address-range objects. Solving the task takes 101 API calls (not counting the final publish call). Also, using the timeit module, we measure the time it takes to execute the script up to the point where the changes are published.

Script using add-host and add-address-range

import timeit
from cpapi import APIClient, APIClientArgs

start = timeit.default_timer()

first_ip = 1
last_ip = 4

client_args = APIClientArgs(server="192.168.47.240")

with APIClient(client_args) as client: 
     login = client.login_with_api_key('3TsbPJ8ZKjaJGvFyoFqHFA==')
     for ip in range(5,255,5):
         add_host = client.api_call("add-host", {"name" : f"h_192.168.0.{ip}", "ip-address": f'192.168.0.{ip}'})
     while last_ip < 255:
         add_range = client.api_call("add-address-range", {"name": f"r_192.168.0.{first_ip}-{last_ip}", "ip-address-first": f"192.168.0.{first_ip}", "ip-address-last": f"192.168.0.{last_ip}"})
         first_ip+=5
         last_ip+=5
     stop = timeit.default_timer() 
     publish = client.api_call("publish")
     
print(f'Time to execute batch request: {stop - start} seconds')

In my lab environment this script takes between 30 and 50 seconds to run, depending on the load on the management server.

Now let's see how to solve the same task using the add-objects-batch API call, support for which was added in API version 1.6. This call lets you create many objects at once in a single API request. Moreover, they can be objects of different types (for example, hosts, subnets and address ranges). So our task can be solved within a single API call.

Script using add-objects-batch

import timeit
from cpapi import APIClient, APIClientArgs

start = timeit.default_timer()

client_args = APIClientArgs(server="192.168.47.240")

objects_list_ip = []
objects_list_range = []

for ip in range(5,255,5):
    data = {"name": f'h_192.168.0.{ip}', "ip-address": f'192.168.0.{ip}'}
    objects_list_ip.append(data)
    
first_ip = 1
last_ip = 4


while last_ip < 255:
    data = {"name": f"r_192.168.0.{first_ip}-{last_ip}", "ip-address-first": f"192.168.0.{first_ip}", "ip-address-last": f"192.168.0.{last_ip}"}
    objects_list_range.append(data)
    first_ip+=5
    last_ip+=5

data_for_batch = {
  "objects" : [ {
    "type" : "host",
    "list" : objects_list_ip
}, {
    "type" : "address-range",
    "list" : objects_list_range
  }]
}


with APIClient(client_args) as client: 
     login = client.login_with_api_key('3TsbPJ8ZKjaJGvFyoFqHFA==')
     add_objects_batch = client.api_call("add-objects-batch", data_for_batch)
     stop = timeit.default_timer() 
     publish = client.api_call("publish")
     
print(f'Time to execute batch request: {stop - start} seconds')

And running this script in my lab environment takes from 3 to 7 seconds, depending on the load on the management server. That is, on average, for 101 API objects the batch call runs 10 times faster. On a larger number of objects the difference will be even more impressive.

Now let's see how to work with set-objects-batch. With this API call we can change any parameter in bulk. Let's set the first half of the addresses from the previous example (up to host .124, and the ranges too) to the colour sienna, and give the second half of the addresses the colour khaki.

Changing the colour of the objects created in the previous example

from cpapi import APIClient, APIClientArgs

client_args = APIClientArgs(server="192.168.47.240")

objects_list_ip_first = []
objects_list_range_first = []
objects_list_ip_second = []
objects_list_range_second = []

for ip in range(5,125,5):
    data = {"name": f'h_192.168.0.{ip}', "color": "sienna"}
    objects_list_ip_first.append(data)
    
for ip in range(125,255,5):
    data = {"name": f'h_192.168.0.{ip}', "color": "khaki"}
    objects_list_ip_second.append(data)
    
first_ip = 1
last_ip = 4
while last_ip < 125:
    data = {"name": f"r_192.168.0.{first_ip}-{last_ip}", "color": "sienna"}
    objects_list_range_first.append(data)
    first_ip+=5
    last_ip+=5
    
while last_ip < 255:
    data = {"name": f"r_192.168.0.{first_ip}-{last_ip}", "color": "khaki"}
    objects_list_range_second.append(data)
    first_ip+=5
    last_ip+=5

data_for_batch_first  = {
  "objects" : [ {
    "type" : "host",
    "list" : objects_list_ip_first
}, {
    "type" : "address-range",
    "list" : objects_list_range_first
  }]
}

data_for_batch_second  = {
  "objects" : [ {
    "type" : "host",
    "list" : objects_list_ip_second
}, {
    "type" : "address-range",
    "list" : objects_list_range_second
  }]
}

with APIClient(client_args) as client: 
     login = client.login_with_api_key('3TsbPJ8ZKjaJGvFyoFqHFA==') 
     set_objects_batch_first = client.api_call("set-objects-batch", data_for_batch_first)
     set_objects_batch_second = client.api_call("set-objects-batch", data_for_batch_second)
     publish = client.api_call("publish")

You can delete many objects in a single API call using delete-objects-batch. Now let's look at a code example that deletes the hosts created earlier via add-objects-batch.

Deleting objects using delete-objects-batch

from cpapi import APIClient, APIClientArgs

client_args = APIClientArgs(server="192.168.47.240")

objects_list_ip = []
objects_list_range = []

for ip in range(5,255,5):
    data = {"name": f'h_192.168.0.{ip}'}
    objects_list_ip.append(data)

first_ip = 1
last_ip = 4
while last_ip < 255:
    data = {"name": f"r_192.168.0.{first_ip}-{last_ip}"}
    objects_list_range.append(data)
    first_ip+=5
    last_ip+=5

data_for_batch = {
  "objects" : [ {
    "type" : "host",
    "list" : objects_list_ip
}, {
    "type" : "address-range",
    "list" : objects_list_range
  }]
}

with APIClient(client_args) as client: 
     login = client.login_with_api_key('3TsbPJ8ZKjaJGvFyoFqHFA==')
     delete_objects_batch = client.api_call("delete-objects-batch", data_for_batch)
     publish = client.api_call("publish")

print(delete_objects_batch.data)

All features that appear in new releases of Check Point software get API calls right away. Thus, in R80.40 "features" such as Revert to revision and Smart Task appeared, and the corresponding API calls were prepared for them immediately. Moreover, all functionality that moves from the Legacy consoles to Unified Policy mode also gets API support. For example, a long-awaited update in software version R80.40 was the move of the HTTPS Inspection policy from Legacy mode to Unified Policy mode, and this functionality received API calls right away. Here is a code example that adds a rule at the top position of the HTTPS Inspection policy which excludes 3 categories from inspection (Health, Finance, Government services) that are prohibited from being inspected by law in a number of countries.

Adding a rule to the HTTPS Inspection policy

from cpapi import APIClient, APIClientArgs

client_args = APIClientArgs(server="192.168.47.240")

data = {
  "layer" : "Default Layer",
  "position" : "top",
  "name" : "Legal Requirements",
  "action": "bypass",
  "site-category": ["Health", "Government / Military", "Financial Services"]
}

with APIClient(client_args) as client: 
     login = client.login_with_api_key('3TsbPJ8ZKjaJGvFyoFqHFA==')
     add_https_rule = client.api_call("add-https-rule", data)
     publish = client.api_call("publish")

Running Python scripts on the Check Point management server

The same README.md contains information on how to run Python scripts directly on the management server. This can be convenient when you cannot connect to the API server from another machine. I recorded a six-minute video in which I walk through installing the cpapi module and the specifics of running Python scripts on the management server. As an example, a script is run that configures a new gateway for a task such as a network audit (Security CheckUp). Among the specifics I had to deal with: the input function has not yet appeared in Python 2.7, so the raw_input function is used to process the information the user enters. Otherwise the code is the same as when launched from another machine, except that it is more convenient to use the login_as_root function, so that you don't have to specify your user name, password and the management server's IP address again.

Script for quick Security CheckUp configuration

from __future__ import print_function
import getpass
import sys, os
sys.path.append(os.path.abspath(os.path.join(os.path.dirname(__file__), '..')))
from cpapi import APIClient, APIClientArgs

def main():
    with APIClient() as client:
       # if client.check_fingerprint() is False:
       #     print("Could not get the server's fingerprint - Check connectivity with the server.")
       #     exit(1)
        login_res = client.login_as_root()

        if login_res.success is False:
            print("Login failed:\n{}".format(login_res.error_message))
            exit(1)

        gw_name = raw_input("Enter the gateway name:")
        gw_ip = raw_input("Enter the gateway IP address:")
        if sys.stdin.isatty():
            sic = getpass.getpass("Enter one-time password for the gateway(SIC): ")
        else:
            print("Attention! Your password will be shown on the screen!")
            sic = raw_input("Enter one-time password for the gateway(SIC): ")
        version = raw_input("Enter the gateway version(like RXX.YY):")
        add_gw = client.api_call("add-simple-gateway", {'name' : gw_name, 'ipv4-address' : gw_ip, 'one-time-password' : sic, 'version': version.capitalize(), 'application-control' : 'true', 'url-filtering' : 'true', 'ips' : 'true', 'anti-bot' : 'true', 'anti-virus' : 'true', 'threat-emulation' : 'true'})
        if add_gw.success and add_gw.data['sic-state'] != "communicating":
            print("Secure connection with the gateway hasn't established!")
            exit(1)
        elif add_gw.success:
            print("The gateway was added successfully.")
            gw_uid = add_gw.data['uid']
            gw_name = add_gw.data['name']
        else:
            print("Failed to add the gateway - {}".format(add_gw.error_message))
            exit(1)

        change_policy = client.api_call("set-access-layer", {"name" : "Network", "applications-and-url-filtering": "true", "content-awareness": "true"})
        if change_policy.success:
            print("The policy has been changed successfully")
        else:
            print("Failed to change the policy- {}".format(change_policy.error_message))
        change_rule = client.api_call("set-access-rule", {"name" : "Cleanup rule", "layer" : "Network", "action": "Accept", "track": {"type": "Detailed Log", "accounting": "true"}})
        if change_rule.success:
            print("The cleanup rule has been changed successfully")
        else:
            print("Failed to change the cleanup rule- {}".format(change_rule.error_message))

        # publish the result
        publish_res = client.api_call("publish", {})
        if publish_res.success:
            print("The changes were published successfully.")
        else:
            print("Failed to publish the changes - {}".format(publish_res.error_message))

        install_access_policy = client.api_call("install-policy", {"policy-package" : "Standard", "access" : 'true',  "threat-prevention" : 'false', "targets" : gw_uid})
        if install_access_policy.success:
            print("The access policy has been installed")
        else:
            print("Failed to install access policy - {}".format(install_access_policy.error_message))

        install_tp_policy = client.api_call("install-policy", {"policy-package" : "Standard", "access" : 'false',  "threat-prevention" : 'true', "targets" : gw_uid})
        if install_tp_policy.success:
            print("The threat prevention policy has been installed")
        else:
            print("Failed to install threat prevention policy - {}".format(install_tp_policy.error_message))
        
        # add passwords and passphrases to dictionary
        with open('additional_pass.conf') as f:
            line_num = 0
            for line in f:
                line_num += 1
                add_password_dictionary = client.api_call("run-script", {"script-name" : "Add passwords and passphrases", "script" : "printf \"{}\" >> $FWDIR/conf/additional_pass.conf".format(line), "targets" : gw_name})
                if add_password_dictionary.success:
                    print("The password dictionary line {} was added successfully".format(line_num))
                else:
                    print("Failed to add the dictionary - {}".format(add_password_dictionary.error_message))

main()

Sample file with the password dictionary, additional_pass.conf
{
"passwords" : ["malware","malicious","infected","Infected"],
"phrases" : ["password","Password","Pass","pass","codigo","key","pwd","пароль","Пароль","Ключ","ключ","шифр","Шифр"] }
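The run-script call above places each line of this file inside a double-quoted printf argument, so the gateway's shell interprets the quotes (and any other shell or printf metacharacters) in the data. The following added example, which is not part of the original script, runs both constructions locally with sh against a temporary file and compares what ends up on disk; the function names and the shortened sample lines are constructed, and on Python 2.7 pipes.quote plays the role of shlex.quote.

```python
import json
import os
import shlex
import subprocess
import tempfile

# Constructed, shortened version of the dictionary file shown above.
SAMPLE = [
    '{\n',
    '"passwords" : ["malware","infected"],\n',
    '"phrases" : ["password","pwd"] }\n',
]


def naive_script(line, dest):
    # Same construction as the article's run-script payload: the raw line
    # is the printf format string, wrapped in double quotes.
    return 'printf "{}" >> {}'.format(line, dest)


def quoted_script(line, dest):
    # The data is passed as an argument to a fixed '%s\n' format, and
    # shlex.quote wraps it in single quotes so the shell leaves it alone.
    return "printf '%s\\n' {} >> {}".format(
        shlex.quote(line.rstrip("\n")), dest)


def run_locally(build, lines):
    """Run the generated commands with sh and return the file they wrote."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        for line in lines:
            script = build(line, shlex.quote(path))
            subprocess.run(["sh", "-c", script], check=True)
        with open(path) as f:
            return f.read()
    finally:
        os.remove(path)


def compare():
    """Return (file written by naive form, file written by quoted form)."""
    return run_locally(naive_script, SAMPLE), run_locally(quoted_script, SAMPLE)


if __name__ == "__main__":
    naive, quoted = compare()
    print("naive form wrote:\n" + naive)
    print("quoted form wrote:\n" + quoted)
    print("quoted output is valid JSON:", bool(json.loads(quoted)))
```

In the real call the destination stays $FWDIR/conf/additional_pass.conf, unquoted so that the gateway expands the variable; only the data argument needs quoting.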

Conclusion

This article covers only the basic capabilities of the Python SDK and the cpapi module (as you may have guessed, these are effectively synonyms), and by studying the code in this module you will discover even more ways of working with it. You may well want to extend it with your own classes, functions, methods and variables. You can always share your work and look at other scripts for Check Point in the CodeHub section of the CheckMates community, which brings together product developers and users.

Happy coding, and thanks for reading to the end!

Source: mapenzi.com
