I'm sure that everyone who has worked with it
The "miracle" happened relatively recently. With the release of the new version, Gaia R80, the ability to use an API was announced, which opens up wide possibilities for automating configuration, management, monitoring and so on. Now you can:
- create objects;
- add or edit access lists;
- enable/disable blades;
- configure network interfaces;
- install policies;
- and more.
Honestly, I don't understand how this news slipped past Habr. In this article we will briefly describe how to use the API and give several practical examples of configuring Check Point with scripts.
I want to note right away that the API is only available on the management server. That is, managing gateways without a management server is still not possible.
Who can use this API?
- System administrators who want to simplify or automate routine Check Point configuration tasks;
- Companies that want to integrate Check Point with other solutions (virtualization systems, ticketing systems, configuration management systems, etc.);
- System integrators who want to standardize configurations or build additional Check Point-related products.
Typical scheme
So, let's picture a typical Check Point deployment:
As usual, we have a gateway (SG), a management server (SMS) and an administrator console (SmartConsole). In this case the typical gateway configuration process looks like this:
That is, first you launch SmartConsole on the administrator's computer and connect to the management server (SMS). The security settings are made on the SMS and only then applied (install policy) to the gateway (SG).
When using the Management API we can essentially skip the first step (launching SmartConsole) and send API commands directly to the management server (SMS).
Ways to use the API
There are four main ways to edit the configuration through the API:
1) Using the mgmt_cli utility
Example: # mgmt_cli add host name host1 ip-address 192.168.2.100
This command is run from the command line of the management server (SMS). I think the syntax is self-explanatory: host1 is created with the address 192.168.2.100.
2) Entering API commands through clish (in expert mode)
Basically, you just need to log in at the command line (mgmt login) under the account used when connecting via SmartConsole (or the root account). After that you can enter API commands (in this case you don't need to prefix each command with the mgmt_cli utility). You can write full-fledged bash scripts. An example of a script that creates a host:
Bash script
#!/bin/bash
main() {
    clear
    #LOGIN (don't ask for username and password, user is already logged in to Management server as 'root' user)
    mgmt_cli login --root true > id_add_host.txt
    on_error_print_and_exit "Error: Failed to login, check that the server is up and running (run 'api status')"
    #READ HOST NAME
    printf "Enter host name:\n"
    read -e host_name
    on_empty_input_print_and_exit "$host_name" "Error: The host's name cannot be empty."
    #READ IP ADDRESS
    printf "\nEnter host IP address:\n"
    read -e ip
    on_empty_input_print_and_exit "$ip" "Error: The host's IP address cannot be empty."
    #CREATE HOST (the values are quoted so that a name containing spaces cannot split the command)
    printf "Creating new host: %s with IP address: %s\n" "$host_name" "$ip"
    new_host_response=$(mgmt_cli add host name "$host_name" ip-address "$ip" -s id_add_host.txt 2> /dev/null)
    on_error_print_and_exit "Error: Failed to create host object. \n$new_host_response"
    #PUBLISH THE CHANGES
    printf "\nPublishing the changes\n"
    mgmt_cli publish --root true -s id_add_host.txt &> /dev/null
    on_error_print_and_exit "Error: Failed to publish the changes."
    #LOGOUT
    logout
    printf "Done.\n"
}
logout(){
    mgmt_cli logout --root true -s id_add_host.txt &> /dev/null
}
on_error_print_and_exit(){
    # $? still holds the exit status of the mgmt_cli call that preceded this function
    if [ $? -ne 0 ]; then
        handle_error "$1"
    fi
}
handle_error(){
    printf "\n%b\n" "$1" #print error message (%b expands the \n inside the message)
    #discard the unpublished changes of this session before leaving
    mgmt_cli discard --root true -s id_add_host.txt &> /dev/null
    logout
    exit 1
}
on_empty_input_print_and_exit(){
    if [ -z "$1" ]; then
        printf "%s\n" "$2" #print error message
        logout
        exit 0
    fi
}
# Script starts here. Call function "main".
main
If you are interested, you can watch the related video:
3) Through SmartConsole, by opening a CLI window
To do this, just open the CLI window directly from SmartConsole, as shown in the picture below.
In this window you can start entering API commands right away.
4) Web services: using HTTPS POST requests (REST API)
In our opinion this is one of the most promising methods, since it allows you to "build" entire applications on top of the management server's management (pardon the tautology). We'll look at this method in a bit more detail below.
To summarize:
- API + CLI is more suitable for people used to Cisco;
- API + shell for applying scripts and performing routine tasks;
- REST API for automation.
Enabling the API
By default, the API is enabled on management servers with more than 4 GB of RAM and on standalone configurations with more than 8 GB of RAM. You can check its state with the command: api status
If the API turns out to be disabled, it is easy to enable it through SmartConsole: Manage & Settings > Blades > Management API > Advanced Settings
Then publish the changes and run the command api restart.
Web requests + Python
To execute API commands you can use web requests in Python with the requests and json libraries. In general, a web request consists of three parts:
1) Address
(https://<management server>:<port>/web_api/<command>)
2) HTTP headers
Content-Type: application/json
x-chkp-sid: <session ID token as returned by the login command>
3) Request payload
JSON-formatted text containing the various parameters
An example function for calling various commands:
import json
import requests

def api_call(ip_addr, port, command, json_payload, sid):
    # every command lives under /web_api/ on the management server
    url = 'https://' + ip_addr + ':' + str(port) + '/web_api/' + command
    if sid == "":
        # login is the only call made without a session id
        request_headers = {'Content-Type': 'application/json'}
    else:
        request_headers = {'Content-Type': 'application/json', 'X-chkp-sid': sid}
    # verify=False switches off TLS certificate checking of the management server;
    # outside a lab, pass the path of the server's CA bundle instead
    r = requests.post(url, data=json.dumps(json_payload), headers=request_headers, verify=False)
    return r.json()
Here and below, 'xxx.xxx.xxx.xxx' stands for the IP address of the Gaia management server.
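Added example (my own code, not from the original article): api_call() above returns whatever the server answers and leaves certificate checking off, so a failed command is easy to miss and every script has to remember publish, discard and logout itself. The wrapper below packages those steps into a context manager that logs in on entry, publishes on a clean exit, discards on an error (the same rule the bash script above follows) and logs out either way; it verifies the server against a CA bundle path and raises on the "code"/"message" error body the Web API returns. The transport is injectable: requests_transport uses the requests library the article mentions, while fake_transport is a constructed stand-in so the class can be run offline. The host name, credentials, CA path and session id are assumptions.

```python
import json


def requests_transport(url, body, headers, verify, timeout):
    """Default transport over the 'requests' library (imported lazily so the
    module loads even where it is not installed). Returns (status, json)."""
    import requests
    r = requests.post(url, data=json.dumps(body), headers=headers,
                      verify=verify, timeout=timeout)
    return r.status_code, r.json()


class ApiError(RuntimeError):
    """Raised when the management server answers with an error body."""


class MgmtSession:
    """Context manager around one Management API session: login on enter,
    publish on a clean exit, discard on an exception, logout either way."""

    def __init__(self, host, user, password, port=443,
                 ca_bundle="/etc/ssl/mgmt-ca.pem",  # placeholder path
                 transport=requests_transport, timeout=30):
        self.base = f"https://{host}:{port}/web_api/"
        self.credentials = {"user": user, "password": password}
        self.verify = ca_bundle   # path to the server's CA bundle, never False
        self.transport = transport
        self.timeout = timeout
        self.sid = None

    def call(self, command, payload=None):
        headers = {"Content-Type": "application/json"}
        if self.sid:
            headers["X-chkp-sid"] = self.sid
        status, body = self.transport(self.base + command, payload or {},
                                      headers, self.verify, self.timeout)
        # Failures come back as a non-200 status with a JSON body carrying
        # "code" and "message"; the bare api_call() above would just return them.
        if status != 200 or (isinstance(body, dict) and "code" in body):
            detail = body.get("message", body) if isinstance(body, dict) else body
            raise ApiError(f"{command} failed (HTTP {status}): {detail}")
        return body

    def __enter__(self):
        self.sid = self.call("login", self.credentials)["sid"]
        return self

    def __exit__(self, exc_type, exc, tb):
        try:
            # never publish a session that hit an error: discard it instead
            self.call("publish" if exc_type is None else "discard")
        finally:
            self.call("logout")
            self.sid = None
        return False   # propagate the original exception, if there was one


def fake_transport(log, fail_on=None):
    """Constructed stand-in for a management server so the class can be run
    offline; records every command and the session id it was sent with."""
    def transport(url, body, headers, verify, timeout):
        command = url.rsplit("/", 1)[1]
        log.append((command, headers.get("X-chkp-sid")))
        if command == fail_on:
            return 400, {"code": "generic_err_invalid_parameter",
                         "message": f"constructed failure for {command}"}
        if command == "login":
            return 200, {"sid": "SID-constructed-123"}
        return 200, {"message": "OK"}
    return transport


def demo(fail_on=None):
    """Add one host inside a managed session; returns the (command, sid)
    pairs the (fake) server saw, in order."""
    log = []
    try:
        with MgmtSession("mgmt.example.test", "api_user", "secret",
                         transport=fake_transport(log, fail_on)) as session:
            session.call("add-host", {"name": "host1", "ip-address": "192.168.2.100"})
    except ApiError:
        pass   # the session was already discarded and closed by __exit__
    return log


if __name__ == "__main__":
    print(demo())            # login, add-host, publish, logout
    print(demo("add-host"))  # login, add-host, discard, logout
```

To use it against a real server, drop the transport argument so requests_transport is used, and point ca_bundle at the certificate chain of the management server; the login call is the only one sent without the X-chkp-sid header.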
Here are a few typical tasks you encounter when managing Check Point.
1) Example of login and logout functions:
Script
def login(user, password):
    # login is the one call made without a session id; the answer carries the sid
    payload = {'user': user, 'password': password}
    response = api_call('xxx.xxx.xxx.xxx', 443, 'login', payload, '')
    return response["sid"]

def logout(sid):
    response = api_call('xxx.xxx.xxx.xxx', 443, 'logout', {}, sid)
    return response["message"]
2) Enabling blades and configuring the network:
Script
new_gateway_data = {'name': 'CPGleb', 'anti-bot': True, 'anti-virus': True, 'application-control': True, 'ips': True, 'url-filtering': True,
                    'interfaces': [{'name': "eth0", 'topology': 'external', 'ipv4-address': 'xxx.xxx.xxx.xxx', "ipv4-network-mask": "255.255.255.0"},
                                   {'name': "eth1", 'topology': 'internal', 'ipv4-address': 'xxx.xxx.xxx.xxx', "ipv4-network-mask": "255.255.255.0"}]}
new_gateway_result = api_call('xxx.xxx.xxx.xxx', 443, 'set-simple-gateway', new_gateway_data, sid)
print(json.dumps(new_gateway_result))
3) Changing firewall rules:
Script
new_access_data = {'name': 'Cleanup rule', 'layer': 'Network', 'action': 'Accept'}
new_access_result = api_call('xxx.xxx.xxx.xxx', 443, 'set-access-rule', new_access_data, sid)
print(json.dumps(new_access_result))
4) Adding an application layer:
Script
add_access_layer_application = {'name': 'application123', "applications-and-url-filtering": True, "firewall": False}
add_access_layer_application_result = api_call('xxx.xxx.xxx.xxx', 443, 'add-access-layer', add_access_layer_application, sid)
print(json.dumps(add_access_layer_application_result))
set_package_layer = {"name": "Standard", "access": True, "access-layers": {"add": [{"name": "application123", "position": 2}]}, "installation-targets": "CPGleb"}
set_package_layer_result = api_call('xxx.xxx.xxx.xxx', 443, 'set-package', set_package_layer, sid)
print(json.dumps(set_package_layer_result))
5) Publishing and installing the policy, and checking the command's progress (task-id):
Script
publish_result = api_call('xxx.xxx.xxx.xxx', 443, "publish", {}, sid)
print("publish result: " + json.dumps(publish_result))
new_policy = {'policy-package': 'Standard', 'access': True, 'targets': ['CPGleb']}
new_policy_result = api_call('xxx.xxx.xxx.xxx', 443, 'install-policy', new_policy, sid)
print(json.dumps(new_policy_result))
# install-policy is asynchronous: it returns a task-id that show-task can query
task_id = new_policy_result["task-id"]
show_task = api_call('xxx.xxx.xxx.xxx', 443, 'show-task', {'task-id': task_id}, sid)
print(json.dumps(show_task))
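Added example, not code from the article: install-policy only hands back a task-id, so a single show-task call straight after it usually still shows the task in progress. The function below polls show-task until the task reaches a terminal status and raises if the gateway reports a failure or the deadline passes. It accepts any call(command, payload, sid) function, for example a thin wrapper over the api_call() defined earlier. The response shape assumed here ({"tasks": [{"status": ..., "progress-percentage": ...}]}) and the status names are my reading of the Management API, not something the article states; fake_call and its task id are constructed so the code runs offline.

```python
import time

# Statuses after which show-task will not change any more (assumption).
TERMINAL_STATUSES = {"succeeded", "failed", "partially succeeded"}


def wait_for_task(call, sid, task_id, timeout=600, interval=5, sleep=time.sleep):
    """Poll show-task until the task reaches a terminal status and return the
    task record. Raises TimeoutError if it has not finished within `timeout`."""
    deadline = time.monotonic() + timeout
    while True:
        response = call("show-task", {"task-id": task_id, "details-level": "full"}, sid)
        task = response["tasks"][0]          # show-task answers with a "tasks" list
        if task["status"] in TERMINAL_STATUSES:
            return task
        if time.monotonic() >= deadline:
            raise TimeoutError(f"task {task_id} still '{task['status']}' after {timeout}s")
        sleep(interval)


def install_policy_and_wait(call, sid, package="Standard", targets=("CPGleb",), **wait_args):
    """Install a policy package and block until the gateways report the result."""
    result = call("install-policy",
                  {"policy-package": package, "access": True, "targets": list(targets)}, sid)
    task = wait_for_task(call, sid, result["task-id"], **wait_args)
    if task["status"] != "succeeded":
        raise RuntimeError(f"install-policy ended with status '{task['status']}'")
    return task


def fake_call(statuses):
    """Constructed stand-in for api_call(): install-policy hands back a task id
    and successive show-task calls walk through the given status sequence."""
    pending = iter(statuses)

    def call(command, payload, sid):
        if command == "install-policy":
            return {"task-id": "00000000-0000-0000-0000-constructed01"}
        if command == "show-task":
            status = next(pending)
            done = status in TERMINAL_STATUSES
            return {"tasks": [{"task-id": payload["task-id"], "task-name": "Install policy",
                               "status": status, "progress-percentage": 100 if done else 40}]}
        raise ValueError(f"unexpected command {command}")
    return call


def no_sleep(seconds):
    """Sleep replacement for offline runs."""


if __name__ == "__main__":
    task = install_policy_and_wait(fake_call(["in progress", "in progress", "succeeded"]),
                                   "sid", sleep=no_sleep)
    print(task["status"])   # succeeded
```

With a real server, pass a wrapper such as lambda cmd, payload, sid: api_call('xxx.xxx.xxx.xxx', 443, cmd, payload, sid) and leave the sleep argument at its default; the interval keeps the polling from hammering the management server during a long installation.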
6) Adding a host:
Script
new_host_data = {'name': 'JohnDoePc', 'ip-address': '192.168.0.10'}
new_host_result = api_call('xxx.xxx.xxx.xxx', 443, 'add-host', new_host_data, sid)
print(json.dumps(new_host_result))
7) Adding a Threat Prevention layer:
Script
set_package_layer = {'name': 'Standard', 'threat-prevention': True, 'installation-targets': 'CPGleb'}
set_package_layer_result = api_call('xxx.xxx.xxx.xxx', 443, 'set-package', set_package_layer, sid)
print(json.dumps(set_package_layer_result))
8) Viewing the list of sessions:
Script
new_session_data = {'limit': '50', 'offset': '0', 'details-level': 'standard'}
new_session_result = api_call('xxx.xxx.xxx.xxx', 443, 'show-sessions', new_session_data, sid)
print(json.dumps(new_session_result))
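Added example (not part of the article): show-sessions is paginated through limit and offset, so the single call above with limit 50 silently misses sessions on a busy server. The code below walks every page using the total field of the response and lists the sessions that still hold unpublished changes, which is the usual reason a colleague's objects are locked or a publish is refused. The response fields (objects, total, user-name, application, changes) are assumed from the Management API rather than taken from the article; the sample session records and fake_call are constructed so the code runs offline.

```python
def iter_sessions(call, sid, page_size=50):
    """Yield every session, following limit/offset until 'total' is reached.
    Assumes the show-sessions response shape {"objects": [...], "total": N}."""
    offset = 0
    while True:
        page = call("show-sessions",
                    {"limit": page_size, "offset": offset, "details-level": "full"}, sid)
        objects = page.get("objects", [])
        for session in objects:
            yield session
        offset += len(objects)
        # an empty page also ends the walk, so an under-reported 'total' cannot loop forever
        if not objects or offset >= page.get("total", 0):
            return


def unpublished_sessions(call, sid, min_changes=1, page_size=50):
    """Return (user-name, application, changes) for sessions that still hold
    unpublished changes; such sessions keep object locks in the database."""
    return [(s.get("user-name"), s.get("application"), s.get("changes", 0))
            for s in iter_sessions(call, sid, page_size)
            if s.get("changes", 0) >= min_changes]


# Constructed sample sessions (field names assumed from the Management API).
SAMPLE_SESSIONS = [
    {"uid": "a1", "user-name": "alice", "application": "SmartConsole",
     "state": "open", "changes": 7, "locks": 3},
    {"uid": "b2", "user-name": "api_user", "application": "WEB_API",
     "state": "open", "changes": 0, "locks": 0},
    {"uid": "c3", "user-name": "bob", "application": "SmartConsole",
     "state": "open", "changes": 2, "locks": 1},
]


def fake_call(records, requests_seen):
    """Constructed stand-in for api_call() that serves `records` page by page
    and appends each payload it receives to `requests_seen`."""
    def call(command, payload, sid):
        if command != "show-sessions":
            raise ValueError(f"unexpected command {command}")
        requests_seen.append(payload)
        start = int(payload["offset"])
        page = records[start:start + int(payload["limit"])]
        return {"objects": page, "from": start + 1, "to": start + len(page),
                "total": len(records)}
    return call


def demo(page_size=2):
    """Run the listing over the sample data; returns (findings, pages fetched)."""
    seen = []
    findings = unpublished_sessions(fake_call(SAMPLE_SESSIONS, seen), "sid",
                                    page_size=page_size)
    return findings, len(seen)


if __name__ == "__main__":
    for user, app, changes in demo()[0]:
        print(f"{user} ({app}) has {changes} unpublished change(s)")
```

The same pagination loop applies to the other show-* listing commands, which use the same limit/offset/total convention.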
9) Creating a new profile:
Script
add_threat_profile = {'name': 'Apeiron', "active-protections-performance-impact": "low", "active-protections-severity": "low or above", "confidence-level-medium": "prevent",
                      "confidence-level-high": "prevent", "threat-emulation": True, "anti-virus": True, "anti-bot": True, "ips": True,
                      "ips-settings": {"newly-updated-protections": "staging", "exclude-protection-with-performance-impact": True, "exclude-protection-with-performance-impact-mode": "High or lower"},
                      "overrides": [{"protection": "3Com Network Supervisor Directory Traversal", "capture-packets": True, "action": "Prevent", "track": "Log"},
                                    {"protection": "7-Zip ARJ Archive Handling Buffer Overflow", "capture-packets": True, "action": "Prevent", "track": "Log"}]}
add_threat_profile_result = api_call('xxx.xxx.xxx.xxx', 443, 'add-threat-profile', add_threat_profile, sid)
print(json.dumps(add_threat_profile_result))
10) Changing the action for an IPS signature:
Script
set_threat_protection = {
    "name": "3Com Network Supervisor Directory Traversal",
    "overrides": [{"profile": "Apeiron", "action": "Detect", "track": "Log", "capture-packets": True},
                  {"profile": "Apeiron", "action": "Detect", "track": "Log", "capture-packets": False}]}
set_threat_protection_result = api_call('xxx.xxx.xxx.xxx', 443, 'set-threat-protection', set_threat_protection, sid)
print(json.dumps(set_threat_protection_result))
11) Adding your own service:
Script
add_service_udp = {"name": "Dota2_udp", "port": '27000-27030',
                   "keep-connections-open-after-policy-installation": False,
                   "session-timeout": 0, "match-for-any": True,
                   "sync-connections-on-cluster": True,
                   "aggressive-aging": {"enable": True, "timeout": 360, "use-default-timeout": False},
                   "accept-replies": False}
add_service_udp_results = api_call('xxx.xxx.xxx.xxx', 443, "add-service-udp", add_service_udp, sid)
print(json.dumps(add_service_udp_results))
12) Adding a category, site or group:
Script
add_application_site_category = {"name": "Valve", "description": "Valve Games"}
add_application_site_category_results = api_call('xxx.xxx.xxx.xxx', 443, "add-application-site-category", add_application_site_category, sid)
print(json.dumps(add_application_site_category_results))
add_application_site = {"name": "Dota2", "primary-category": "Valve", "description": "Dotka",
                        "url-list": ["www.dota2.ru"], "urls-defined-as-regular-expression": False}
add_application_site_results = api_call('xxx.xxx.xxx.xxx', 443, "add-application-site", add_application_site, sid)
print(json.dumps(add_application_site_results))
add_application_site_group = {"name": "Games", "members": ["Dota2"]}
add_application_site_group_results = api_call('xxx.xxx.xxx.xxx', 443, "add-application-site-group", add_application_site_group, sid)
print(json.dumps(add_application_site_group_results))
In addition, with the Web API you can add and delete networks, hosts, access roles and so on. Blades can be configured: Anti-Virus, Anti-Bot, IPS, VPN. It is even possible to install licenses with the run-script command. All Check Point API commands can be found here
Check Point API + Postman
Postman is also convenient to use together with the Check Point Web API
Using this utility we can build web requests to the Check Point API. To avoid having to remember all the API commands, you can import so-called collections (templates) that contain all the necessary commands:
In my opinion, it is very convenient. You can quickly start developing applications with the Check Point API.
Check Point + Ansible
I would also like to note that there is Ansible
Conclusion
This concludes our brief overview of the Check Point API. In my opinion, this feature was long awaited and much needed. The appearance of the API opens up very broad possibilities both for system administrators and for system integrators working with Check Point products. Orchestration, automation, SIEM feedback... all of this is now possible.
P.S. More articles about
P.P.S. For technical questions about configuring Check Point you can
Source: www.habr.com