I am sure that everyone who has worked with
A "miracle" happened recently. With the release of the new Gaia R80 version, the ability to use an API was announced, which opens up wide possibilities for automating configuration, administration, monitoring, and so on. Now you can:
- create objects;
- add or edit access lists;
- enable/disable blades;
- configure network interfaces;
- install policies;
- and much more.
To be honest, I don't understand how this news passed Habr by. In this article we will briefly describe how to use the API and give several practical examples of configuring Check Point with scripts.
I should note right away that the API is used only for the Management Server. That is, it is not possible to manage gateways without a Management Server.
Who can use this API in principle?
- System administrators who want to simplify or automate routine Check Point configuration tasks;
- Companies that want to integrate Check Point with other solutions (virtualization systems, ticketing systems, configuration management systems, and so on);
- System integrators who want to standardize settings or create additional Check Point-related products.
Typical scheme
So, let's imagine a typical scheme with Check Point:
As usual, we have a gateway (SG), a management server (SMS) and an administrator console (SmartConsole). In this case, the usual gateway configuration process looks like this:
That is, first you need to launch SmartConsole on the administrator's computer and use it to connect to the Management Server (SMS). The security settings are made on the SMS and only then applied (install policy) to the gateway (SG).
Using the Management API, we can basically skip the first step (launching SmartConsole) and send API commands directly to the Management Server (SMS).
Ways to use the API
There are four main ways to edit the configuration using the API:
1) Using the mgmt_cli utility
Example - # mgmt_cli add host name host1 ip-address 192.168.2.100
This command is run from the Management Server (SMS) command line. I think the syntax of the command is clear: host1 is created with the address 192.168.2.100.
2) Enter API commands through clish (in expert mode)
Basically, all you need to do is log in at the command line (mgmt login) under the account you use when connecting through SmartConsole (or the root account). Then you can enter API commands (in this case there is no need to put the mgmt_cli utility before each command). You can create full-fledged BASH scripts. An example of a script that creates a host:
Bash script
#!/bin/bash

main() {
    clear

    # LOGIN (don't ask for username and password, user is already logged in to Management server as 'root' user)
    # The session ID is written to id_add_host.txt and passed to later commands with -s
    mgmt_cli login --root true > id_add_host.txt
    on_error_print_and_exit "Error: Failed to login, check that the server is up and running (run 'api status')"

    # READ HOST NAME
    printf "Enter host name:\n"
    read -r -e host_name
    on_empty_input_print_and_exit "$host_name" "Error: The host's name cannot be empty."

    # READ IP ADDRESS
    printf "\nEnter host IP address:\n"
    read -r -e ip
    on_empty_input_print_and_exit "$ip" "Error: The host's IP address cannot be empty."

    # CREATE HOST
    printf "Creating new host: %s with IP address: %s\n" "$host_name" "$ip"
    new_host_response=$(mgmt_cli add host name "$host_name" ip-address "$ip" -s id_add_host.txt 2> /dev/null)
    on_error_print_and_exit "Error: Failed to create host object. \n$new_host_response"

    # PUBLISH THE CHANGES
    printf "\nPublishing the changes\n"
    mgmt_cli publish --root true -s id_add_host.txt &> /dev/null
    on_error_print_and_exit "Error: Failed to publish the changes."

    # LOGOUT
    logout
    printf "Done.\n"
}

logout() {
    mgmt_cli logout --root true -s id_add_host.txt &> /dev/null
}

# Must be called directly after the command it checks: it tests that command's exit status
on_error_print_and_exit() {
    if [ $? -ne 0 ]; then
        handle_error "$1"
    fi
}

# Print the message, discard the unpublished changes, end the session and stop
handle_error() {
    printf "\n%b\n" "$1" # print error message
    mgmt_cli discard --root true -s id_add_host.txt &> /dev/null
    logout
    exit 1
}

on_empty_input_print_and_exit() {
    if [ -z "$1" ]; then
        printf "%s\n" "$2" # print error message
        logout
        exit 1 # empty input is a failure, so report a non-zero status
    fi
}

# Script starts here. Call function "main".
main
If you are interested, you can watch the corresponding video:
3) Through SmartConsole by opening the CLI window
All you need to do is open the CLI window directly from SmartConsole, as shown in the picture below.
In this window, you can immediately start entering API commands.
4) Web Services. Use an HTTPS POST request (REST API)
In our opinion, this is one of the most promising methods, because it lets you "build" entire applications based on managing the management server (sorry for the tautology). Below we will look at this method in more detail.
To summarize:
- API + cli is better suited for people who are used to Cisco;
- API + shell for using scripts and performing routine tasks;
- REST API for automation.
Enabling the API
By default, the API is enabled on management servers with more than 4GB of RAM and on standalone configurations with more than 8GB of RAM. You can check the status with the command: api status
If it turns out that the API is disabled, it is very easy to enable it through SmartConsole: Manage & Settings > Blades > Management API > Advanced Settings
Then publish the changes and run the api restart command.
Web requests + Python
To run API commands, you can use web requests with Python and the requests and json libraries. In general, the structure of a web request has three parts:
1) Address
(https://<management server>:<port>/web_api/<command>)
2) HTTP Headers
content-Type: application/json
x-chkp-sid: <session ID token as returned by the login command>
3) Request payload
Text in JSON format containing the various parameters
An example of a function for calling various commands:
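import json
import requests

def api_call(ip_addr, port, command, json_payload, sid):
    # Endpoint: https://<management server>:<port>/web_api/<command>
    url = 'https://' + ip_addr + ':' + str(port) + '/web_api/' + command
    # The login call carries no session ID; every later call sends it in X-chkp-sid
    if sid == "":
        request_headers = {'Content-Type' : 'application/json'}
    else:
        request_headers = {'Content-Type' : 'application/json', 'X-chkp-sid' : sid}
    # verify=False turns off TLS certificate validation for this request
    r = requests.post(url,data=json.dumps(json_payload), headers=request_headers,verify=False)
    return r.json()
'xxx.xxx.xxx.xxx' -> Gaia IP address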
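An added example, not from the original article: the login, change, publish, discard-on-error and logout sequence of the Bash script above, wrapped around the web requests. The names make_call, session, ApiError and fake_post, the injected post function (the place where requests.post with verify set to a CA bundle would go) and the constructed server replies are assumptions made so the block runs offline; treating any non-200 HTTP status as an error is also an assumption.

```python
import json
from contextlib import contextmanager, suppress

class ApiError(Exception):
    """The management server answered with an error."""

def make_call(post, base_url):
    # post(url, data, headers) -> (http_status, parsed_json). With the requests
    # library it would wrap requests.post(..., verify="/path/to/ca-bundle.pem").
    def call(command, payload, sid=""):
        headers = {"Content-Type": "application/json"}
        if sid:
            headers["X-chkp-sid"] = sid
        status, body = post(f"{base_url}/web_api/{command}", json.dumps(payload), headers)
        if status != 200:  # assumption: errors come back with a non-200 status
            raise ApiError(f"{command}: HTTP {status}: {body.get('message')}")
        return body
    return call

@contextmanager
def session(call, user, password):
    """Log in, yield the sid, publish on success, discard on error, always log out."""
    sid = call("login", {"user": user, "password": password})["sid"]
    try:
        yield sid
        call("publish", {}, sid)
    except Exception:
        call("discard", {}, sid)
        raise
    finally:
        call("logout", {}, sid)

def fake_post(log, fail_on=None):
    """Constructed stand-in for the server; records (command, sid header)."""
    def post(url, data, headers):
        command = url.rsplit("/", 1)[1]
        log.append((command, headers.get("X-chkp-sid")))
        if command == fail_on:
            return 400, {"message": "constructed failure"}
        return 200, ({"sid": "constructed-sid"} if command == "login" else {"message": "OK"})
    return post

def demo(fail_on=None):
    """Run one add-host change against the fake server and return the call log."""
    log = []
    call = make_call(fake_post(log, fail_on), "https://mgmt.example")
    with suppress(ApiError), session(call, "api_user", "constructed-password") as sid:
        call("add-host", {"name": "host1", "ip-address": "192.168.2.100"}, sid)
    return log
```

A failed command leaves no half-finished session behind: the log for demo("add-host") ends with discard and logout rather than publish.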
Here are a few typical tasks you often encounter when administering Check Point.
1) Example of login and logout functions:
Script
def login():
    payload = {'user': 'your_user', 'password' : 'your_password'}
    response = api_call('xxx.xxx.xxx.xxx', 443, 'login',payload, '')
    return response["sid"]

def logout(sid):
    response = api_call('xxx.xxx.xxx.xxx', 443,'logout', {} ,sid)
    return response["message"]

# Session ID used by the calls in the following examples
sid = login()
2) Enabling blades and configuring the network:
Script
# Enable the blades on gateway CPGleb and define its external and internal interfaces
new_gateway_data = {'name':'CPGleb','anti-bot':True,'anti-virus' : True,'application-control':True,'ips':True,'url-filtering':True,'interfaces':
    [{'name':"eth0",'topology':'external','ipv4-address': 'xxx.xxx.xxx.xxx',"ipv4-network-mask": "255.255.255.0"},
     {'name':"eth1",'topology':'internal','ipv4-address': 'xxx.xxx.xxx.xxx',"ipv4-network-mask": "255.255.255.0"}]}
new_gateway_result = api_call('xxx.xxx.xxx.xxx', 443,'set-simple-gateway', new_gateway_data ,sid)
print(json.dumps(new_gateway_result))
3) Changing firewall rules:
Script
# Set the action of the rule named 'Cleanup rule' in the Network layer to Accept
new_access_data={'name':'Cleanup rule','layer':'Network','action':'Accept'}
new_access_result = api_call('xxx.xxx.xxx.xxx', 443,'set-access-rule', new_access_data ,sid)
print(json.dumps(new_access_result))
4) Adding an application layer:
Script
# Create the layer, then attach it to the Standard policy package at position 2
add_access_layer_application={ 'name' : 'application123',"applications-and-url-filtering" : True,"firewall" : False}
add_access_layer_application_result = api_call('xxx.xxx.xxx.xxx', 443,'add-access-layer', add_access_layer_application ,sid)
print(json.dumps(add_access_layer_application_result))
set_package_layer={"name" : "Standard","access":True,"access-layers" : {"add" : [ { "name" : "application123","position" :2}]} ,"installation-targets" : "CPGleb"}
set_package_layer_result = api_call('xxx.xxx.xxx.xxx', 443,'set-package', set_package_layer ,sid)
print(json.dumps(set_package_layer_result))
5) Publish and install the policy, check the execution of the command (task-id):
Script
publish_result = api_call('xxx.xxx.xxx.xxx', 443,"publish", {},sid)
print("publish result: " + json.dumps(publish_result))
new_policy = {'policy-package':'Standard','access':True,'targets':['CPGleb']}
new_policy_result = api_call('xxx.xxx.xxx.xxx', 443,'install-policy', new_policy ,sid)
print(json.dumps(new_policy_result))
# The install-policy reply carries the ID of the task to query with show-task
task_id = new_policy_result["task-id"]
show_task_id = {'task-id': task_id}
show_task=api_call('xxx.xxx.xxx.xxx',443,'show-task',show_task_id,sid)
print(json.dumps(show_task))
6) Add a host:
Script
new_host_data = {'name':'JohnDoePc', 'ip-address': '192.168.0.10'}
new_host_result = api_call('xxx.xxx.xxx.xxx', 443,'add-host', new_host_data ,sid)
print(json.dumps(new_host_result))
7) Add the Threat Prevention field:
Script
set_package_layer={'name':'Standard','threat-prevention' :True,'installation-targets':'CPGleb'}
set_package_layer_result = api_call('xxx.xxx.xxx.xxx', 443,'set-package',set_package_layer,sid)
print(json.dumps(set_package_layer_result))
8) View the list of sessions:
Script
new_session_data = {'limit':'50', 'offset':'0','details-level' : 'standard'}
new_session_result = api_call('xxx.xxx.xxx.xxx', 443,'show-sessions', new_session_data ,sid)
print(json.dumps(new_session_result))
9) Create a new profile:
Script
# Threat Prevention profile 'Apeiron' with two per-protection overrides
add_threat_profile={'name':'Apeiron', "active-protections-performance-impact" : "low","active-protections-severity" : "low or above","confidence-level-medium" : "prevent",
    "confidence-level-high" : "prevent", "threat-emulation" : True,"anti-virus" : True,"anti-bot" : True,"ips" : True,
    "ips-settings" : { "newly-updated-protections" : "staging","exclude-protection-with-performance-impact" : True,"exclude-protection-with-performance-impact-mode" : "High or lower"},
    "overrides" : [ {"protection" : "3Com Network Supervisor Directory Traversal","capture-packets" : True,"action" : "Prevent","track" : "Log"},
                    {"protection" : "7-Zip ARJ Archive Handling Buffer Overflow", "capture-packets" : True,"action" : "Prevent","track" : "Log"} ]}
add_threat_profile_result=api_call('xxx.xxx.xxx.xxx',443,'add-threat-profile',add_threat_profile,sid)
print(json.dumps(add_threat_profile_result))
10) Change the action for an IPS signature:
Script
set_threat_protection={
    "name" : "3Com Network Supervisor Directory Traversal",
    "overrides" : [{ "profile" : "Apeiron","action" : "Detect","track" : "Log","capture-packets" : True},
                   { "profile" : "Apeiron", "action" : "Detect", "track" : "Log", "capture-packets" : False} ]}
set_threat_protection_result=api_call('xxx.xxx.xxx.xxx',443,'set-threat-protection',set_threat_protection,sid)
print(json.dumps(set_threat_protection_result))
11) Add your own service:
Script
add_service_udp={ "name" : "Dota2_udp", "port" : '27000-27030',
    "keep-connections-open-after-policy-installation" : False,
    "session-timeout" : 0, "match-for-any" : True,
    "sync-connections-on-cluster" : True,
    "aggressive-aging" : {"enable" : True, "timeout" : 360,"use-default-timeout" : False },
    "accept-replies" : False}
add_service_udp_results=api_call('xxx.xxx.xxx.xxx',443,"add-service-udp",add_service_udp,sid)
print(json.dumps(add_service_udp_results))
12) Add a category, site or group:
Script
add_application_site_category={ "name" : "Valve","description" : "Valve Games"}
add_application_site_category_results=api_call('xxx.xxx.xxx.xxx',443,"add-application-site-category",add_application_site_category,sid)
print(json.dumps(add_application_site_category_results))
add_application_site={ "name" : "Dota2", "primary-category" : "Valve", "description" : "Dotka",
    "url-list" : [ "www.dota2.ru" ], "urls-defined-as-regular-expression" : False}
# The command name must not contain a trailing space, since it becomes part of the URL
add_application_site_results=api_call('xxx.xxx.xxx.xxx',443,"add-application-site",
    add_application_site , sid)
print(json.dumps(add_application_site_results))
add_application_site_group={"name" : "Games","members" : [ "Dota2"]}
add_application_site_group_results=api_call('xxx.xxx.xxx.xxx',443,"add-application-site-group",add_application_site_group,sid)
print(json.dumps(add_application_site_group_results))
In addition, with the API you can add and remove networks, hosts, access roles, and so on. The Antivirus, Antibot, IPS and VPN blades can be configured. It is even possible to install licenses using the run-script command. All Check Point API commands can be found here
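An added example, not part of the original article: polling show-task until the install-policy task from item 5 finishes, instead of querying it once. The helper names, the injected call function (the same arguments as api_call without host and port) and the constructed replies are assumptions, as are the tasks list and the status strings "in progress" and "succeeded" in the show-task reply.

```python
import time

def wait_for_task(call, task_id, sid, interval=2.0, timeout=600.0, sleep=time.sleep):
    """Poll show-task until the task is no longer 'in progress'; return its record."""
    deadline = time.monotonic() + timeout
    while True:
        # Assumed reply shape: {"tasks": [{"task-id": ..., "status": ...}]}
        task = call("show-task", {"task-id": task_id}, sid)["tasks"][0]
        if task["status"] != "in progress":
            return task
        if time.monotonic() >= deadline:
            raise TimeoutError(f"task {task_id} still running after {timeout}s")
        sleep(interval)

def install_and_wait(call, sid, package, targets, **wait_args):
    """Start install-policy and block until its task ends; raise unless it succeeded."""
    reply = call("install-policy",
                 {"policy-package": package, "access": True, "targets": targets}, sid)
    task = wait_for_task(call, reply["task-id"], sid, **wait_args)
    if task["status"] != "succeeded":
        raise RuntimeError(f"install-policy ended with status {task['status']!r}")
    return task

def fake_call(statuses):
    """Constructed stand-in for api_call: show-task replies with each status in turn."""
    remaining = iter(statuses)
    def call(command, payload, sid):
        if command == "install-policy":
            return {"task-id": "constructed-task-id"}
        return {"tasks": [{"task-id": payload["task-id"], "status": next(remaining)}]}
    return call

def demo(statuses):
    naps = []  # records each wait instead of sleeping, so the demo is instant
    try:
        task = install_and_wait(fake_call(statuses), "constructed-sid", "Standard",
                                ["CPGleb"], sleep=naps.append)
        return task["status"], len(naps)
    except RuntimeError:
        return "error", len(naps)
```

Failing loudly on any final status other than success keeps a script from reporting a policy as installed when the gateway is still running the previous one.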
Check Point API + Postman
It is also convenient to use the Check Point Web API together with
Using this tool, we can generate web requests to the Check Point API. So as not to have to remember all the API commands, you can import so-called collections (templates), which already contain all the necessary commands:
In my opinion, this is very convenient. You can quickly start developing applications using the Check Point API.
Check Point + Ansible
I would also like to note that there is an Ansible
Conclusion
This is where we can end our short review of the Check Point API. In my opinion, this feature was long awaited and very much needed. The arrival of the API opens up very broad possibilities for both system administrators and system integrators who work with Check Point products. Orchestration, automation, SIEM feedback... all of it is now possible.
P.S. More articles about
P.S.S. For technical questions related to Check Point configuration, you can
Source: www.habr.com