Check Point R80.10 API. Management via CLI, scripts and more


I am sure that everyone who has ever worked with Check Point has complained about the impossibility of editing the configuration from the command line. This is especially strange for those who have worked with Cisco ASA, where everything can be configured in the CLI. With Check Point it is the other way around: all security settings are made exclusively in the graphical interface. However, some things are not at all convenient to do through a GUI (even one as convenient as Check Point's). For example, the task of adding 100 new hosts or networks turns into a long and tedious procedure. For each object you have to click the mouse several times and enter an IP address. The same goes for creating a group of sites or mass enabling/disabling of IPS signatures. In this case, the chance of making a mistake is high.

The "miracle" happened recently. With the release of the new Gaia R80 version, support for an API was announced, which opens up broad possibilities for automating configuration, administration, monitoring, etc. You can now:

  • create objects;
  • add or edit access lists;
  • enable/disable blades;
  • configure network interfaces;
  • install policies;
  • and much more.

Honestly, I don't understand how this news passed Habr by. In this article we will briefly describe how to use the API and give a few practical examples of configuring Check Point with scripts.

I would like to note right away that the API is provided by the Management server only. That is, it is still impossible to manage gateways without a Management server.

Who can use this API in principle?

  1. System administrators who want to simplify or automate routine Check Point configuration tasks;
  2. Companies that want to integrate Check Point with other solutions (virtualization systems, ticketing systems, configuration management systems, etc.);
  3. System integrators who want to standardize configurations or build additional products around Check Point.

General scheme

So, let's imagine a typical Check Point deployment:


As usual, we have a gateway (SG), a management server (SMS) and an administrator console (SmartConsole). In that setup the usual gateway configuration process looks like this:


That is, first you need to run SmartConsole on the administrator's computer and connect through it to the Management server (SMS). Security settings are made on the SMS and only then applied (install policy) to the gateway (SG).

When using the Management API we can skip the first step (launching SmartConsole) and send API commands directly to the Management server (SMS).

Ways to use the API

There are four main ways to edit the configuration using the API:

1) Using the mgmt_cli utility

Example - # mgmt_cli add host name host1 ip-address 192.168.2.100
This command is run from the Management Server (SMS) command line. I think the syntax is clear: a host object host1 is created with the address 192.168.2.100. The same utility can also run one command per row of a CSV file (mgmt_cli add host --batch hosts.csv), which already covers the "add 100 hosts" case from the introduction.

2) Entering API commands via clish (in expert mode)

Essentially, all you have to do is log in on the command line (mgmt login) under the account used when connecting via SmartConsole (or the root account). After that you can enter API commands (in this case there is no need to prefix each command with the mgmt_cli utility). You can write full-fledged BASH scripts. An example of a script that creates a host:

Bash script

#!/bin/bash

main() {
    clear

    # LOGIN (no username/password prompt: the script runs on the Management server as 'root')
    mgmt_cli login --root true > id_add_host.txt
    on_error_print_and_exit "Error: Failed to login, check that the server is up and running (run 'api status')"

    # READ HOST NAME
    printf "Enter host name:\n"
    read -e host_name
    on_empty_input_print_and_exit "$host_name" "Error: The host's name cannot be empty."

    # READ IP ADDRESS
    printf "\nEnter host IP address:\n"
    read -e ip
    on_empty_input_print_and_exit "$ip" "Error: The host's IP address cannot be empty."

    # CREATE HOST (the session id saved by login is reused through -s)
    printf "Creating new host: %s with IP address: %s\n" "$host_name" "$ip"
    new_host_response=$(mgmt_cli add host name "$host_name" ip-address "$ip" -s id_add_host.txt 2> /dev/null)
    on_error_print_and_exit "Error: Failed to create host object. \n$new_host_response"

    # PUBLISH THE CHANGES
    printf "\nPublishing the changes\n"
    mgmt_cli publish --root true -s id_add_host.txt &> /dev/null
    on_error_print_and_exit "Error: Failed to publish the changes."

    # LOGOUT
    logout

    printf "Done.\n"
}

logout(){
    mgmt_cli logout --root true -s id_add_host.txt &> /dev/null
}

# Must be called directly after the command being checked: it tests that command's $?
on_error_print_and_exit(){
    if [ $? -ne 0 ]; then
        handle_error "$1"
    fi
}

handle_error(){
    printf "\n%b\n" "$1"   # print error message (%b expands the \n inside it)
    mgmt_cli discard --root true -s id_add_host.txt &> /dev/null   # drop unpublished changes
    logout
    exit 1
}

on_empty_input_print_and_exit(){
    if [ -z "$1" ]; then
        printf "%s\n" "$2"   # print error message
        logout
        exit 1   # non-zero so that a caller notices nothing was created
    fi
}

# Script starts here. Call function "main".
main

If you are interested, you can watch the corresponding video:

3) Via SmartConsole, by opening a CLI window

All you have to do is open a CLI window directly from SmartConsole, as shown in the picture below.


In this window you can immediately start entering API commands.

4) Web services. Using HTTPS POST requests (REST API)

In our opinion, this is one of the most promising methods, because it lets you "build" entire applications on top of management-server management (sorry for the tautology). Below we will look at this method in more detail.

To summarize:

  1. API + CLI is most suitable for people used to Cisco;
  2. API + shell for writing scripts and performing routine tasks;
  3. REST API for automation.

Enabling the API

By default, the API is enabled on management servers with more than 4 GB of RAM and on standalone configurations with more than 8 GB of RAM. You can check the status with the command: api status

If it turns out that the API is disabled, it is very easy to enable it via SmartConsole: Manage & Settings > Blades > Management API > Advanced Settings


Then publish the change (Publish) and run the command api restart.

Web requests + Python

To execute API commands you can use web requests from Python with the requests and json libraries. In general, a web request consists of three parts:

1) Address

(https://<management server>:<port>/web_api/<command>)

2) HTTP headers

Content-Type: application/json
X-chkp-sid: <session ID token as returned by the login command>

3) Request payload

Text in JSON format containing the command's parameters

An example of a function for calling arbitrary commands:


import json
import requests

def api_call(ip_addr, port, command, json_payload, sid):
    url = 'https://' + ip_addr + ':' + str(port) + '/web_api/' + command
    if sid == "":
        # login is the only command sent without a session id
        request_headers = {'Content-Type': 'application/json'}
    else:
        request_headers = {'Content-Type': 'application/json', 'X-chkp-sid': sid}
    # verify=False disables certificate checking: acceptable in a lab with a self-signed
    # certificate, but in production pass the path to the CA bundle (verify='/path/to/ca.pem')
    r = requests.post(url, data=json.dumps(json_payload), headers=request_headers, verify=False)
    return r.json()

# 'xxx.xxx.xxx.xxx' in the snippets below stands for the IP address of the Gaia management server

Here are a few typical tasks you often run into when managing Check Point.

1) Example of login and logout functions:

Script

def login(ip_addr, user, password):
    # login is the only call made without a session id; the returned sid goes into X-chkp-sid
    payload = {'user': user, 'password': password}
    response = api_call(ip_addr, 443, 'login', payload, '')
    return response["sid"]

def logout(ip_addr, sid):
    response = api_call(ip_addr, 443, 'logout', {}, sid)
    return response["message"]

sid = login('xxx.xxx.xxx.xxx', 'your_user', 'your_password')   # used by the snippets below

2) Enabling blades and configuring the network:

Script

new_gateway_data = {'name': 'CPGleb', 'anti-bot': True, 'anti-virus': True, 'application-control': True, 'ips': True, 'url-filtering': True,
                    'interfaces': [{'name': "eth0", 'topology': 'external', 'ipv4-address': 'xxx.xxx.xxx.xxx', "ipv4-network-mask": "255.255.255.0"},
                                   {'name': "eth1", 'topology': 'internal', 'ipv4-address': 'xxx.xxx.xxx.xxx', "ipv4-network-mask": "255.255.255.0"}]}
new_gateway_result = api_call('xxx.xxx.xxx.xxx', 443, 'set-simple-gateway', new_gateway_data, sid)
print(json.dumps(new_gateway_result))

3) Changing firewall rules (note that the example sets the action of the Cleanup rule in the Network layer to Accept, which turns the final deny into an allow-all; in production that rule normally stays Drop):

Script

new_access_data = {'name': 'Cleanup rule', 'layer': 'Network', 'action': 'Accept'}
new_access_result = api_call('xxx.xxx.xxx.xxx', 443, 'set-access-rule', new_access_data, sid)
print(json.dumps(new_access_result))

4) Adding an application layer:

Script

add_access_layer_application = {'name': 'application123', "applications-and-url-filtering": True, "firewall": False}
add_access_layer_application_result = api_call('xxx.xxx.xxx.xxx', 443, 'add-access-layer', add_access_layer_application, sid)
print(json.dumps(add_access_layer_application_result))

set_package_layer = {"name": "Standard", "access": True, "access-layers": {"add": [{"name": "application123", "position": 2}]}, "installation-targets": "CPGleb"}
set_package_layer_result = api_call('xxx.xxx.xxx.xxx', 443, 'set-package', set_package_layer, sid)
print(json.dumps(set_package_layer_result))

5) Publishing and installing the policy, checking command execution (task id):

Script

publish_result = api_call('xxx.xxx.xxx.xxx', 443, "publish", {}, sid)
print("publish result: " + json.dumps(publish_result))
new_policy = {'policy-package': 'Standard', 'access': True, 'targets': ['CPGleb']}
new_policy_result = api_call('xxx.xxx.xxx.xxx', 443, 'install-policy', new_policy, sid)
print(json.dumps(new_policy_result))

# install-policy is asynchronous: it returns a task id whose progress show-task reports
task_id = new_policy_result["task-id"]
show_task_id = {'task-id': task_id}
show_task = api_call('xxx.xxx.xxx.xxx', 443, 'show-task', show_task_id, sid)
print(json.dumps(show_task))
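Snippets 1 and 5 above each talk to the server with a bare api_call, so a failed login, an error object in the reply, or an install-policy task that is still running all pass unnoticed, and verify=False switches certificate checking off entirely. The following added example (mine, not code from the article or from Check Point) wraps the same login / X-chkp-sid / publish / discard / logout flow and the show-task polling of snippet 5 in one class, using the standard library instead of requests so that the server certificate is verified against a CA bundle. The server name sms.example.net, the user api_user, the FakeManagementServer class and its reply values are constructed for offline demonstration and are assumptions, not data from the page.

```python
import json
import ssl
import time
import urllib.error
import urllib.request


class ApiError(RuntimeError):
    """The management server answered with an error object, or a task did not succeed."""


def urllib_post(url, headers, body, cafile=None, timeout=30):
    # Verifies the certificate against cafile (None = system store); unlike verify=False it fails closed.
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        return json.loads(err.read().decode("utf-8"))  # R80 returns error objects as JSON too


class MgmtSession:
    def __init__(self, server, user, password, port=443, post=urllib_post, poll_interval=2.0):
        self.base = "https://%s:%d/web_api/" % (server, port)
        self.post, self.poll_interval = post, poll_interval
        self._login, self.sid = {"user": user, "password": password}, None

    def call(self, command, payload=None):
        headers = {"Content-Type": "application/json"}
        if self.sid:
            headers["X-chkp-sid"] = self.sid  # session token returned by login
        result = self.post(self.base + command, headers, json.dumps(payload or {}).encode("utf-8"))
        if "code" in result and "message" in result:  # an error object, not a result
            raise ApiError("%s: %s: %s" % (command, result["code"], result["message"]))
        return result

    def wait_for_task(self, task_id, max_wait=600.0):
        deadline = time.monotonic() + max_wait  # never spin forever on a stuck task
        while True:
            task = self.call("show-task", {"task-id": task_id})["tasks"][0]
            if task.get("status") != "in progress":
                return task
            if time.monotonic() > deadline:
                raise ApiError("task %s still running after %.0fs" % (task_id, max_wait))
            time.sleep(self.poll_interval)

    def __enter__(self):
        self.sid = self.call("login", self._login)["sid"]
        return self

    def __exit__(self, exc_type, exc, tb):
        try:
            if exc_type is None:
                self.wait_for_task(self.call("publish")["task-id"])  # publish is a task as well
            else:
                self.call("discard")  # an exception must not leave half-made changes in the session
        finally:
            self.call("logout")


def install_policy(session, package, targets):
    # install-policy only queues work: submit, then block until the task ends and check how it ended
    result = session.call("install-policy", {"policy-package": package, "access": True, "targets": targets})
    task = session.wait_for_task(result["task-id"])
    if task.get("status") != "succeeded":
        raise ApiError("install-policy on %s ended as %r" % (targets, task.get("status")))
    return task


class FakeManagementServer:
    # Constructed in-memory stand-in for the SMS so the example runs offline; not Check Point code.
    def __init__(self, polls_until_done=2):
        self.polls_until_done, self.polls, self.log = polls_until_done, {}, []

    def post(self, url, headers, body):
        command, payload = url.rsplit("/", 1)[1], json.loads(body.decode("utf-8"))
        self.log.append(command)
        if command == "login":
            return {"sid": "SID-1"}
        if command in ("install-policy", "publish"):
            return {"task-id": "task-" + command}
        if command == "show-task":  # each task stays 'in progress' until polled polls_until_done times
            n = self.polls[payload["task-id"]] = self.polls.get(payload["task-id"], 0) + 1
            status = "succeeded" if n >= self.polls_until_done else "in progress"
            return {"tasks": [{"task-id": payload["task-id"], "status": status}]}
        return {"message": "OK"}


def run_demo(fail_before_publish=False):
    fake = FakeManagementServer()
    try:
        with MgmtSession("sms.example.net", "api_user", "secret", post=fake.post, poll_interval=0) as s:
            install_policy(s, "Standard", ["CPGleb"])
            if fail_before_publish:
                raise ValueError("simulated failure before publish")
    except ValueError:
        pass
    return fake.log
```

Against a real server, drop post=fake.post (the default urllib_post is used; pass cafile= with the management server's CA certificate to urllib_post if it is not in the system trust store) and do the work inside the with block: leaving the block normally publishes and waits for the publish task, leaving it through an exception discards the session, and logout runs in both cases. run_demo returns the commands the fake received in order, which is what the two code paths are checked on.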

6) Adding a host:

Script

new_host_data = {'name': 'JohnDoePc', 'ip-address': '192.168.0.10'}
new_host_result = api_call('xxx.xxx.xxx.xxx', 443, 'add-host', new_host_data, sid)
print(json.dumps(new_host_result))
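Snippet 6 adds one host; the complaint in the introduction was about adding a hundred of them. The added example below (mine, not code from the article or from Check Point) takes a list of (name, ip) pairs, rejects malformed addresses and duplicate names before anything is sent, lists the existing hosts through show-hosts with the same limit/offset pagination that snippet 8 uses for show-sessions, adds only the missing ones, and publishes once, discarding the session if any add-host returns an error object. The call parameter is any function that sends one command and returns the parsed reply, for example the page's api_call with server, port and sid bound; make_fake_call, the host names and the NAME_RE naming rule are constructed for offline demonstration and are assumptions, not data from the page.

```python
import ipaddress
import re

# Assumed object-name rule for this example, not Check Point's own validation.
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,62}$")


def existing_host_names(call, page=500):
    # show-hosts pages with limit/offset like show-sessions on this page; walk every page
    names, offset = set(), 0
    while True:
        reply = call("show-hosts", {"limit": page, "offset": offset, "details-level": "standard"})
        names.update(obj["name"] for obj in reply["objects"])
        offset += page
        if offset >= reply["total"]:
            return names


def bulk_add_hosts(call, hosts):
    # call(command, payload) sends one API command and returns the parsed reply (the page's
    # api_call with server, port and sid bound does). Everything is validated before the first
    # add-host, existing names are skipped, and one failed add-host discards the whole session.
    report = {"added": [], "skipped": [], "invalid": []}
    wanted = {}
    for name, ip in hosts:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            report["invalid"].append((name, ip, "not an IPv4/IPv6 address"))
            continue
        if not NAME_RE.match(name):
            report["invalid"].append((name, ip, "bad object name"))
        elif name in wanted:
            report["invalid"].append((name, ip, "duplicate name in input"))
        else:
            wanted[name] = addr
    present = existing_host_names(call)
    try:
        for name, addr in wanted.items():
            if name in present:
                report["skipped"].append(name)  # idempotent: re-running the batch is safe
                continue
            key = "ipv6-address" if addr.version == 6 else "ipv4-address"
            reply = call("add-host", {"name": name, key: str(addr)})
            if "code" in reply:  # error object instead of the created host
                raise RuntimeError("add-host %s failed: %s" % (name, reply.get("message")))
            report["added"].append(name)
        call("publish", {})  # one publish for the whole batch
    except Exception:
        call("discard", {})  # never leave a half-added batch to be published later
        raise
    return report


def make_fake_call(existing):
    # Constructed in-memory stand-in for the management server (not Check Point code).
    store, log = dict(existing), []

    def call(command, payload):
        log.append(command)
        if command == "show-hosts":
            names = sorted(store)[payload["offset"]:payload["offset"] + payload["limit"]]
            return {"objects": [{"name": n} for n in names], "total": len(store)}
        if command == "add-host":
            if payload["name"] in store:
                return {"code": "err_validation_failed", "message": "object already exists"}
            store[payload["name"]] = payload.get("ipv4-address") or payload.get("ipv6-address")
            return {"uid": "uid-%d" % len(store), "name": payload["name"]}
        return {"message": "OK"}

    return call, store, log


def run_demo():
    # Constructed input: one host already exists, one IP is malformed, one name repeats.
    call, store, log = make_fake_call({"dns1": "10.0.0.53"})
    wanted = [("web1", "10.0.1.10"), ("web2", "10.0.1.11"), ("dns1", "10.0.0.53"),
              ("broken", "10.0.1.999"), ("web1", "10.0.1.12"), ("v6host", "2001:db8::10")]
    return bulk_add_hosts(call, wanted), store, log


def run_failure_demo():
    # Same batch logic against a fake whose second add-host fails: the session must be discarded.
    log = []

    def call(command, payload):
        log.append(command)
        if command == "show-hosts":
            return {"objects": [], "total": 0}
        if command == "add-host" and payload["name"] == "h2":
            return {"code": "generic_error", "message": "simulated failure"}
        return {"message": "OK"}

    try:
        bulk_add_hosts(call, [("h1", "10.0.0.1"), ("h2", "10.0.0.2")])
    except RuntimeError as err:
        return log, str(err)
    return log, None
```

To run it against a real server, pass a function such as lambda command, payload: api_call(server, 443, command, payload, sid) built from the page's api_call; the report tells you which names were created, which already existed and which rows of the input were rejected before the session was touched.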

7) Adding a Threat Prevention layer to the package:

Script

set_package_layer = {'name': 'Standard', 'threat-prevention': True, 'installation-targets': 'CPGleb'}
set_package_layer_result = api_call('xxx.xxx.xxx.xxx', 443, 'set-package', set_package_layer, sid)
print(json.dumps(set_package_layer_result))

8) Viewing the list of sessions:

Script

new_session_data = {'limit': 50, 'offset': 0, 'details-level': 'standard'}   # paginated: raise offset to page through
new_session_result = api_call('xxx.xxx.xxx.xxx', 443, 'show-sessions', new_session_data, sid)
print(json.dumps(new_session_result))

9) Creating a new Threat Prevention profile:

Script

add_threat_profile = {'name': 'Apeiron', "active-protections-performance-impact": "low", "active-protections-severity": "low or above", "confidence-level-medium": "prevent",
  "confidence-level-high": "prevent", "threat-emulation": True, "anti-virus": True, "anti-bot": True, "ips": True,
  "ips-settings": {"newly-updated-protections": "staging", "exclude-protection-with-performance-impact": True, "exclude-protection-with-performance-impact-mode": "High or lower"},
  "overrides": [{"protection": "3Com Network Supervisor Directory Traversal", "capture-packets": True, "action": "Prevent", "track": "Log"},
                {"protection": "7-Zip ARJ Archive Handling Buffer Overflow", "capture-packets": True, "action": "Prevent", "track": "Log"}]}
add_threat_profile_result = api_call('xxx.xxx.xxx.xxx', 443, 'add-threat-profile', add_threat_profile, sid)
print(json.dumps(add_threat_profile_result))

10) Changing the action of an IPS signature:

Script

set_threat_protection = {
  "name": "3Com Network Supervisor Directory Traversal",
  "overrides": [{"profile": "Apeiron", "action": "Detect", "track": "Log", "capture-packets": True},
                {"profile": "Apeiron", "action": "Detect", "track": "Log", "capture-packets": False}]}
set_threat_protection_result = api_call('xxx.xxx.xxx.xxx', 443, 'set-threat-protection', set_threat_protection, sid)
print(json.dumps(set_threat_protection_result))

11) Adding your own service:

Script

add_service_udp = {"name": "Dota2_udp", "port": '27000-27030',
    "keep-connections-open-after-policy-installation": False,
    "session-timeout": 0, "match-for-any": True,
    "sync-connections-on-cluster": True,
    "aggressive-aging": {"enable": True, "timeout": 360, "use-default-timeout": False},
    "accept-replies": False}
add_service_udp_results = api_call('xxx.xxx.xxx.xxx', 443, "add-service-udp", add_service_udp, sid)
print(json.dumps(add_service_udp_results))

12) Adding a category, site or group:

Script

add_application_site_category = {"name": "Valve", "description": "Valve Games"}
add_application_site_category_results = api_call('xxx.xxx.xxx.xxx', 443, "add-application-site-category", add_application_site_category, sid)
print(json.dumps(add_application_site_category_results))

add_application_site = {"name": "Dota2", "primary-category": "Valve", "description": "Dotka",
  "url-list": ["www.dota2.ru"], "urls-defined-as-regular-expression": False}
add_application_site_results = api_call('xxx.xxx.xxx.xxx', 443, "add-application-site", add_application_site, sid)
print(json.dumps(add_application_site_results))

add_application_site_group = {"name": "Games", "members": ["Dota2"]}
add_application_site_group_results = api_call('xxx.xxx.xxx.xxx', 443, "add-application-site-group", add_application_site_group, sid)
print(json.dumps(add_application_site_group_results))

In addition, using the Web API you can add and remove networks, hosts, access roles, etc. The Antivirus, Anti-Bot, IPS and VPN blades can be configured. It is also possible to install licenses using the run-script command. All Check Point API commands can be found here.

Check Point API + Postman

It is also convenient to use the Check Point Web API together with Postman. Postman has desktop versions for Windows, Linux and macOS. In addition, there is a Google Chrome plugin, which is what we will use. First you need to find Postman in the Google Chrome Store and install it:


With this application we can generate web requests to the Check Point API. So that you don't have to remember all the API commands, you can import so-called collections (templates) that already contain all the necessary commands:


Here you will find the collection for R80.10. After importing, the API command templates become available:


In my opinion, this is very convenient. You can immediately start developing applications against the Check Point API.

Check Point + Ansible

I would also like to note that there is an Ansible module for the Check Point API. The module lets you manage the configuration, but it is not suited to solving unusual tasks. Writing scripts in any programming language gives more flexible and convenient solutions.

Conclusion

This is where we finish our brief review of the Check Point API. In my opinion, this feature has been long awaited and is sorely needed. The appearance of the API opens up very broad opportunities both for system administrators and for system integrators working with Check Point products. Orchestration, automation, SIEM feedback... all of it is now possible.

P.S. Additional articles about Check Point, as always, can be found on our Habr blog or on the blog on our site.

P.P.S. Technical questions about Check Point configuration can be asked here.

Do you plan to use the API?

  • 70.6% Yes (12)
  • 23.5% No (4)
  • 5.9% Already using it (1)

17 users voted. 3 users abstained.

Source: www.habr.com
