Nginesiqiniseko sokuthi wonke umuntu owake wasebenza naye
“Isimangaliso” senzeka muva nje. Ngokukhishwa kwenguqulo entsha IGaia R80 kwamenyezelwa ithuba Ukusetshenziswa kwe-API, okuvula amathuba abanzi ezilungiselelo zokuzenzakalela, ukuphatha, ukuqapha, njll. Manje ungakwazi:
- dala izinto;
- engeza noma hlela uhlu lokufinyelela;
- vumela/cisha ama-blade;
- lungisa izixhumanisi zenethiwekhi;
- faka izinqubomgomo;
- nokuningi okuningi.
Uma ngikhuluma iqiniso, angiqondi ukuthi lezi zindaba zadlula kanjani kuHabr. Kulesi sihloko sizochaza kafushane indlela yokusebenzisa i-API futhi sinikeze izibonelo ezimbalwa ezisebenzayo. Izilungiselelo ze-CheckPoint zisebenzisa imibhalo.
Ngingathanda ukwenza ukubhuka ngokushesha ukuthi i-API isetshenziselwe iseva Yokuphatha kuphela. Labo. Kusenzima ukuphatha amasango ngaphandle kweseva Yokuphatha.
Ubani ongasebenzisa le API ngokomgomo?
- Abaphathi besistimu abafuna ukwenza lula noma ukwenza ngokuzenzakalelayo imisebenzi yokuhlela Indawo Yokuhlola;
- Izinkampani ezifuna ukuhlanganisa i-Check Point nezinye izixazululo (izinhlelo ze-virtualization, izinhlelo zamathikithi, izinhlelo zokuphatha ukumisa, njll.);
- Izihlanganisi zesistimu ezifuna ukulinganisa izilungiselelo noma ukudala imikhiqizo eyengeziwe ehlobene ne-Check Point.
Isikimu esijwayelekile
Ngakho-ke, ake sicabange uhlelo olujwayelekile nge-Check Point:
Njengenjwayelo sinesango (SG), iseva yokuphatha (SMS) kanye nekhonsoli yomqondisi (I-SmartConsole). Kulokhu, inqubo evamile yokumisa isango ibonakala kanje:
Labo. Okokuqala udinga ukugijima kukhompyutha yomlawuli I-SmartConsole, esixhuma ngayo kuseva Yokuphatha (SMS). Izilungiselelo zokuphepha zenziwa nge-SMS, bese zisetshenziswa kuphela (faka inqubomgomo) ukuya esangweni (SG).
Lapho usebenzisa Management API, singakwazi ukweqa iphuzu lokuqala (yethula i-SmartConsole) futhi sisebenzise Imiyalo ye-API ngqo kwisiphakeli Sokuphatha (i-SMS).
Izindlela zokusebenzisa i-API
Kunezindlela ezine eziyinhloko zokuhlela ukucushwa usebenzisa i-API:
1) Ukusebenzisa insiza ye-mgmt_cli
Isibonelo - # mgmt_cli engeza igama lomsingathi1 ip-address 192.168.2.100
Lo myalo uqhutshwa ku-Management Server (SMS) umugqa womyalo. Ngicabanga ukuthi i-syntax yomyalo icacile - i-host1 idalwe nekheli elithi 192.168.2.100.
2) Faka imiyalo ye-API nge-clish (kwimodi yochwepheshe)
Ngokuyisisekelo, okudingeka ukwenze ukungena kumugqa womyalo (ukungena ngemvume kwe-mgmt) ngaphansi kwe-akhawunti esetshenziswa uma uxhuma nge-SmartConsole (noma i-akhawunti yezimpande). Bese ungangena Imiyalo ye-API (Kulokhu asikho isidingo sokusebenzisa insiza ngaphambi komyalo ngamunye mgmt_cli). Ungakha okugcwele Imibhalo ye-BASH. Isibonelo seskripthi esidalwa umsingathi:
Isikripthi se-Bash
#!/bin/bash
main() {
clear
#LOGIN (don't ask for username and password, user is already logged in to Management server as 'root' user)
mgmt_cli login --root true > id_add_host.txt
on_error_print_and_exit "Error: Failed to login, check that the server is up and running (run 'api status')"
#READ HOST NAME
printf "Enter host name:n"
read -e host_name
on_empty_input_print_and_exit "$host_name" "Error: The host's name cannot be empty."
#READ IP ADDRESS
printf "nEnter host IP address:n"
read -e ip
on_empty_input_print_and_exit "$ip" "Error: The host's IP address cannot be empty."
#CREATE HOST
printf "Creating new host: $host_name with IP address: $ipn"
new_host_response=$(mgmt_cli add host name $host_name ip-address $ip -s id_add_host.txt 2> /dev/null)
on_error_print_and_exit "Error: Failed to create host object. n$new_host_response"
#PUBLISH THE CHANGES
printf "nPublishing the changesn"
mgmt_cli publish --root true -s id_add_host.txt &> /dev/null
on_error_print_and_exit "Error: Failed to publish the changes."
#LOGOUT
logout
printf "Done.n"
}
logout(){
mgmt_cli logout --root true -s id_add_host.txt &> /dev/null
}
on_error_print_and_exit(){
if [ $? -ne 0 ]; then
handle_error "$1"
fi
}
handle_error(){
printf "n$1n" #print error message
mgmt_cli discard --root true -s id_add_host.txt &> /dev/null
logout
exit 1
}
on_empty_input_print_and_exit(){
if [ -z "$1" ]; then
printf "$2n" #print error message
logout
exit 0
fi
}
# Script starts here. Call function "main".
main
Uma unentshisekelo, ungabuka ividiyo ehambisanayo:
3) Nge-SmartConsole ngokuvula iwindi le-CLI
Odinga ukukwenza ukuvula iwindi CLI ngqo kusuka I-SmartConsole, njengoba kuboniswe esithombeni esingezansi.
Kuleli windi, ungaqala ngokushesha ukufaka imiyalo ye-API.
4) Amasevisi Wewebhu. Sebenzisa isicelo se-HTTPS Post (REST API)
Ngokombono wethu, lena ingenye yezindlela ezithembisayo, ngoba ikuvumela ukuthi "uwakhe" zonke izinhlelo zokusebenza ngokusekelwe ukuphathwa kweseva yokuphatha (ngiyaxolisa nge-tautology). Ngezansi sizobheka le ndlela ngokuningiliziwe okwengeziwe.
Ukufingqa:
- I-API + cli kufanelekile kakhulu kubantu abajwayele i-Cisco;
- I-API + igobolondo ngokusebenzisa imibhalo kanye nokwenza imisebenzi evamile;
- I-REST API okuzenzakalelayo.
Inika amandla i-API
Ngokuzenzakalelayo, i-API inikwe amandla eziphakelini zokuphatha ezingaphezu kuka-4GB we-RAM nokulungiselelwa okuzimele okungaphezu kuka-8GB we-RAM. Ungahlola isimo usebenzisa umyalo: isimo se-api
Uma kuvela ukuthi i-api ivaliwe, kulula kakhulu ukuyinika amandla nge-SmartConsole: Phatha & Izilungiselelo > Ama-blades > I-API Yokuphatha > Izilungiselelo Ezithuthukisiwe
Bese ushicilela (Shicilela) shintsha bese usebenzisa umyalo api qala kabusha.
Izicelo zewebhu + Python
Ukuze wenze imiyalo ye-API, ungasebenzisa izicelo zeWebhu usebenzisa Python kanye nemitapo yolwazi izicelo, json. Ngokuvamile, ukwakheka kwesicelo sewebhu siqukethe izingxenye ezintathu:
1)Ikheli
(https://<managemenet server>:<port>/web_api/<command>)
2) Izihloko ze-HTTP
content-Type: application/json
x-chkp-sid: <session ID token as returned by the login command>
3) Cela ukukhokhelwa
Umbhalo ngefomethi ye-JSON equkethe amapharamitha ahlukene
Isibonelo sokubiza imiyalo ehlukahlukene:
def api_call(ip_addr, port, command, json_payload, sid):
url = 'https://' + ip_addr + ':' + str(port) + '/web_api/' + command
if sid == “”:
request_headers = {'Content-Type' : 'application/json'}
else:
request_headers = {'Content-Type' : 'application/json', 'X-chkp-sid' : sid}
r = requests.post(url,data=json.dumps(json_payload), headers=request_headers,verify=False)
return r.json()
'xxx.xxx.xxx.xxx' -> Ip address GAIA
Nansi imisebenzi embalwa evamile ovame ukuhlangana nayo lapho ulawula Iphoyinti Lokuhlola.
1) Isibonelo sokugunyazwa nemisebenzi yokuphuma:
Iskripthi
payload = {‘user’: ‘your_user’, ‘password’ : ‘your_password’}
response = api_call('xxx.xxx.xxx.xxx', 443, 'login',payload, '')
return response["sid"]
response = api_call('xxx.xxx.xxx.xxx', 443,'logout', {} ,sid)
return response["message"]
2) Ukuvula ama-blades nokusetha inethiwekhi:
Iskripthi
new_gateway_data = {'name':'CPGleb','anti-bot':True,'anti-virus' : True,'application-control':True,'ips':True,'url-filtering':True,'interfaces':
[{'name':"eth0",'topology':'external','ipv4-address': 'xxx.xxx.xxx.xxx',"ipv4-network-mask": "255.255.255.0"},
{'name':"eth1",'topology':'internal','ipv4-address': 'xxx.xxx.xxx.xxx',"ipv4-network-mask": "255.255.255.0"}]}
new_gateway_result = api_call('xxx.xxx.xxx.xxx', 443,'set-simple-gateway', new_gateway_data ,sid)
print(json.dumps(new_gateway_result))
3) Ukushintsha imithetho ye-firewall:
Iskripthi
new_access_data={'name':'Cleanup rule','layer':'Network','action':'Accept'}
new_access_result = api_call('xxx.xxx.xxx.xxx', 443,'set-access-rule', new_access_data ,sid)
print(json.dumps(new_access_result))
4) Ukwengeza isendlalelo sohlelo lokusebenza:
Iskripthi
add_access_layer_application={ 'name' : 'application123',"applications-and-url-filtering" : True,"firewall" : False}
add_access_layer_application_result = api_call('xxx.xxx.xxx.xxx', 443,'add-access-layer', add_access_layer_application ,sid)
print(json.dumps(add_access_layer_application_result))
set_package_layer={"name" : "Standard","access":True,"access-layers" : {"add" : [ { "name" : "application123","position" :2}]} ,"installation-targets" : "CPGleb"}
set_package_layer_result = api_call('xxx.xxx.xxx.xxx', 443,'set-package', set_package_layer ,sid)
print(json.dumps(set_package_layer_result))
5) Shicilela bese usetha inqubomgomo, hlola ukwenziwa komyalo (i-id yomsebenzi):
Iskripthi
publish_result = api_call('xxx.xxx.xxx.xxx', 443,"publish", {},sid)
print("publish result: " + json.dumps(publish_result))
new_policy = {'policy-package':'Standard','access':True,'targets':['CPGleb']}
new_policy_result = api_call('xxx.xxx.xxx.xxx', 443,'install-policy', new_policy ,sid)
print(json.dumps(new_policy_result)
task_id=(json.dumps(new_policy_result ["task-id"]))
len_str=len(task_id)
task_id=task_id[1:(len_str-1)]
show_task_id ={'task-id':(task_id)}
show_task=api_call('xxx.xxx.xxx.xxx',443,'show-task',show_task_id,sid)
print(json.dumps(show_task))
6) Engeza umsingathi:
Iskripthi
new_host_data = {'name':'JohnDoePc', 'ip-address': '192.168.0.10'}
new_host_result = api_call('xxx.xxx.xxx.xxx', 443,'add-host', new_host_data ,sid)
print(json.dumps(new_host_result))
7) Engeza inkambu Yokuvimbela Usongo:
Iskripthi
set_package_layer={'name':'Standard','threat-prevention' :True,'installation-targets':'CPGleb'}
set_package_layer_result = api_call('xxx.xxx.xxx.xxx', 443,'set-package',set_package_layer,sid)
print(json.dumps(set_package_layer_result))
8) Buka uhlu lwamaseshini
Iskripthi
new_session_data = {'limit':'50', 'offset':'0','details-level' : 'standard'}
new_session_result = api_call('xxx.xxx.xxx.xxx', 443,'show-sessions', new_session_data ,sid)
print(json.dumps(new_session_result))
9) Dala iphrofayela entsha:
Iskripthi
add_threat_profile={'name':'Apeiron', "active-protections-performance-impact" : "low","active-protections-severity" : "low or above","confidence-level-medium" : "prevent",
"confidence-level-high" : "prevent", "threat-emulation" : True,"anti-virus" : True,"anti-bot" : True,"ips" : True,
"ips-settings" : { "newly-updated-protections" : "staging","exclude-protection-with-performance-impact" : True,"exclude-protection-with-performance-impact-mode" : "High or lower"},
"overrides" : [ {"protection" : "3Com Network Supervisor Directory Traversal","capture-packets" : True,"action" : "Prevent","track" : "Log"},
{"protection" : "7-Zip ARJ Archive Handling Buffer Overflow", "capture-packets" : True,"action" : "Prevent","track" : "Log"} ]}
add_threat_profile_result=api_call('xxx.xxx.xxx.xxx',443,'add-threat-profile',add_threat_profile,sid)
print(json.dumps(add_threat_profile_result))
10) Shintsha isenzo sesiginesha ye-IPS:
Iskripthi
set_threat_protection={
"name" : "3Com Network Supervisor Directory Traversal",
"overrides" : [{ "profile" : "Apeiron","action" : "Detect","track" : "Log","capture-packets" : True},
{ "profile" : "Apeiron", "action" : "Detect", "track" : "Log", "capture-packets" : False} ]}
set_threat_protection_result=api_call('xxx.xxx.xxx.xxx',443,'set-threat-protection',set_threat_protection,sid)
print(json.dumps(set_threat_protection_result))
11) Engeza isevisi yakho:
Iskripthi
add_service_udp={ "name" : "Dota2_udp", "port" : '27000-27030',
"keep-connections-open-after-policy-installation" : False,
"session-timeout" : 0, "match-for-any" : True,
"sync-connections-on-cluster" : True,
"aggressive-aging" : {"enable" : True, "timeout" : 360,"use-default-timeout" : False },
"accept-replies" : False}
add_service_udp_results=api_call('xxx.xxx.xxx.xxx',443,"add-service-udp",add_service_udp,sid)
print(json.dumps(add_service_udp_results))
12) Engeza isigaba, isayithi noma iqembu:
Iskripthi
add_application_site_category={ "name" : "Valve","description" : "Valve Games"}
add_application_site_category_results=api_call('xxx.xxx.xxx.xxx',443,"add-application-site-category",add_application_site_category,sid)
print(json.dumps(add_application_site_category_results))
add_application_site={ "name" : "Dota2", "primary-category" : "Valve", "description" : "Dotka",
"url-list" : [ "www.dota2.ru" ], "urls-defined-as-regular-expression" : False}
add_application_site_results=api_call('xxx.xxx.xxx.xxx',443,"add-application-site " ,
add_application_site , sid)
print(json.dumps(add_application_site_results))
add_application_site_group={"name" : "Games","members" : [ "Dota2"]}
add_application_site_group_results=api_call('xxx.xxx.xxx.xxx',443,"add-application-site-group",add_application_site_group,sid)
print(json.dumps(add_application_site_group_results))
Ngaphezu kwalokho, ngosizo I-Web API ungangeza futhi ususe amanethiwekhi, abasingathi, izindima zokufinyelela, njll. Ama-blades angenziwa ngokwezifiso I-Antivirus, i-Antibot, i-IPS, i-VPN. Kungenzeka futhi ukufaka amalayisensi usebenzisa umyalo run-script. Yonke imiyalo ye-Check Point API ingatholakala lapha
Hlola i-Point API + Postman
Futhi kulula ukuyisebenzisa Hlola i-Point Web API ngokuhlanganyela
Ngokusebenzisa lolu hlelo lokusebenza, sizokwazi ukukhiqiza izicelo zewebhu ku-Check Point API. Ukuze ungakhumbuli yonke imiyalo ye-API, kungenzeka ukungenisa okuthiwa amaqoqo (izifanekiso), ezivele ziqukethe yonke imiyalo edingekayo:
Ngokubona kwami, lokhu kulula kakhulu. Ungaqala ngokushesha ukuthuthukisa izinhlelo zokusebenza usebenzisa i-Check Point API.
Iphuzu Lokuhlola + Lifanelekile
Ngingathanda futhi ukuqaphela ukuthi kukhona Ansible
isiphetho
Lapha yilapho sizoqedela khona ukubuyekezwa kwethu okufushane kwe-Check Point API. Ngokubona kwami, lesi sici besilindelwe isikhathi eside futhi sidingeka. Ukuvela kwe-API kuvula amathuba abanzi kakhulu kubo bobabili abaphathi besistimu nabahlanganisi besistimu abasebenza nemikhiqizo ye-Check Point. I-orchestration, i-automation, impendulo ye-SIEM... konke kuyenzeka manje.
PS Izihloko ezengeziwe mayelana
I-PSS Ngemibuzo yobuchwepheshe ehlobene nokusetha Indawo Yokuhlola, ungakwazi
Abasebenzisi ababhalisiwe kuphela abangabamba iqhaza kuhlolovo.
Ingabe uhlela ukusebenzisa i-API?
-
70,6%Yebo12
-
23,5%No4
-
5,9%Kakade usebenzisa1
Bangu-17 abasebenzisi abavotile. Abasebenzisi abangu-3 bayenqaba.
Source: www.habr.com