def test_046_dstPortRuleUDP(self): global app, appWF, wanLimitMbit # only use 30% because QoS will limit to 10% and we want to make sure it takes effect # really high levels will actually be limited by the untangle-vm throughput instead of QoS # which can interfere with the test targetSpeedMbit = str(wanLimitMbit*.3)+"M" if remote_control.quickTestsOnly: raise unittest2.SkipTest('Skipping a time consuming test') # We will use iperf server and iperf for this test. wan_IP = uvmContext.networkManager().getFirstWanAddress() iperfAvailable = global_functions.verify_iperf_configuration(wan_IP) if (not iperfAvailable): raise unittest2.SkipTest("Iperf server and/or iperf not available, skipping alternate port forwarding test") # Enabled QoS netsettings = uvmContext.networkManager().getNetworkSettings() nukeRules() appendRule(createBandwidthSingleConditionRule("DST_PORT","5000","SET_PRIORITY",1)) pre_UDP_speed = global_functions.get_udp_download_speed( receiverIP=global_functions.iperfServer, senderIP=remote_control.clientIP, targetRate=targetSpeedMbit ) # Create DST_PORT based rule to limit bandwidth nukeRules() appendRule(createBandwidthSingleConditionRule("DST_PORT","5000","SET_PRIORITY",7)) post_UDP_speed = global_functions.get_udp_download_speed( receiverIP=global_functions.iperfServer, senderIP=remote_control.clientIP, targetRate=targetSpeedMbit ) printResults( pre_UDP_speed, post_UDP_speed, (wanLimitKbit/8)*0.1, pre_UDP_speed*.9 ) assert (post_UDP_speed < pre_UDP_speed*.9)
def test_035_arp_test_wan_offline(self): if remote_control.quickTestsOnly: raise unittest2.SkipTest('Skipping a time consuming test') if (len(indexOfWans) < 2): raise unittest2.SkipTest( "Need at least two WANS for test_035_addArpFailTestForWans") nuke_rules() orig_offline_count = offline_wan_count() netsettings = uvmContext.networkManager().getNetworkSettings() # Add a fake gateway for each of the interfaces for wanIndexTup in indexOfWans: wanIndex = wanIndexTup[0] # set gateway to fake gateway set_interface_field(wanIndex, netsettings, 'v4StaticGateway', '192.168.244.' + str(wanIndex)) set_interface_field(wanIndex, netsettings, 'v4AutoGatewayOverride', '192.168.244.' + str(wanIndex)) build_wan_test(wanIndex, "arp") uvmContext.networkManager().setNetworkSettings(netsettings) wait_for_wan_offline() offline_count = offline_wan_count() uvmContext.networkManager().setNetworkSettings(orig_netsettings) assert (offline_count > orig_offline_count) result = remote_control.is_online() assert (result == 0)
def test_015_qos_nobpass_custom_rules_tcp(self): global app nuke_rules() priority_level = 7 # Record average speed without bandwidth control configured wget_speed_pre = global_functions.get_download_speed() # Create SRC_ADDR based custom Q0S rule to limit bypass QoS netsettings = copy.deepcopy(orig_network_settings_with_qos) netsettings['qosSettings']['qosRules']["list"].append( create_qos_custom_rule("SRC_ADDR", remote_control.clientIP, priority_level)) uvmContext.networkManager().setNetworkSettings(netsettings) # Download file and record the average speed in which the file was download wget_speed_post = global_functions.get_download_speed() # Restore original network settings uvmContext.networkManager().setNetworkSettings( orig_network_settings_with_qos) # Because the session is NOT bypassed, the QoS rule should not take effect print_results(wget_speed_pre, wget_speed_post, wget_speed_pre * 0.1, wget_speed_pre * limited_acceptance_ratio) assert ((wget_speed_pre) and (wget_speed_post)) assert ( not (wget_speed_pre * limited_acceptance_ratio > wget_speed_post))
def test_045_dns_test_wan_offline(self): if remote_control.quickTestsOnly: raise unittest2.SkipTest('Skipping a time consuming test') if (len(indexOfWans) < 2): raise unittest2.SkipTest( "Need at least two WANS for test_045_addDNSFailTestForWans") nuke_rules() orig_offline_count = offline_wan_count() netsettings = uvmContext.networkManager().getNetworkSettings() # Add a fake DNS for each of the interfaces for wanIndexTup in indexOfWans: wanIndex = wanIndexTup[0] # set DNS values to fake DNS set_interface_field(wanIndex, netsettings, 'v4StaticDns1', '192.168.244.' + str(wanIndex)) set_interface_field(wanIndex, netsettings, 'v4StaticDns2', '192.168.244.' + str(wanIndex)) set_interface_field(wanIndex, netsettings, 'v4AutoDns1Override', '192.168.244.' + str(wanIndex)) set_interface_field(wanIndex, netsettings, 'v4AutoDns2Override', '192.168.244.' + str(wanIndex)) uvmContext.networkManager().setNetworkSettings(netsettings) for wanIndexTup in indexOfWans: build_wan_test(wanIndex, "dns") wait_for_wan_offline() offline_count = offline_wan_count() uvmContext.networkManager().setNetworkSettings(orig_netsettings) assert (offline_count > orig_offline_count)
def test_080_routedWanVsNetworkRoute(self): # Test that Networking routes override routed rules in WAN Balancer if (len(indexOfWans) < 2): raise unittest2.SkipTest("Need at least two WANS for test_080_routedWanVsNetworkRoute") netsettings = netsettings = uvmContext.networkManager().getNetworkSettings() nukeWanBalancerRouteRules() setWeightOfWan("all", 0) weightedIndexTup = indexOfWans[0] routedIndexTup = indexOfWans[1] setWeightOfWan(weightedIndexTup[0], 100) # set primary to 100% # configure route in network which uses the second WAN for test.untangle.com routedIP = routedIndexTup[2] routedIPGateway = routedIndexTup[3] appendRouteRule(createRouteRule(ip_address_testdestination,32,routedIPGateway)) result1 = global_functions.get_public_ip_address() print("Routed IP %s and retrieved IP %s" % (routedIP, result1)) # Add WAN route IP to Balancer buildSingleWanRouteRule("DST_ADDR",ip_address_testdestination,weightedIndexTup[0]) result2 = global_functions.get_public_ip_address(extra_options="--no-check-certificate --secure-protocol=auto") print("Routed IP %s and retrieved IP %s" % (routedIP, result2)) uvmContext.networkManager().setNetworkSettings(orig_netsettings) assert (result1 == routedIP) assert (result2 == routedIP)
def test_120_natOneToOneWanDown(self): # create a 1:1 NAT and then down the wan which the NAT is set to # if there are more than one WAN if remote_control.quickTestsOnly: raise unittest2.SkipTest('Skipping a time consuming test') if (len(indexOfWans) < 2): raise unittest2.SkipTest("Need at least two WANS for combination of wan-balancer and wan failover tests") pre_count = global_functions.get_app_metric_value(appWanFailover,"changed") # raise unittest2.SkipTest('Skipping test_120_natOneToOneWanDown as not possible with current network layout ') netsettings = uvmContext.networkManager().getNetworkSettings() nukeWanBalancerRules(); nukeFailoverRules() # create valid failover tests for wanIndexTup in indexOfWans: wanIndex = wanIndexTup[0] buildWanTestRule(wanIndex) for wanIndexTup in indexOfWans: # get the WAN IP address which was source routed wanIndex = wanIndexTup[0] wanIP = wanIndexTup[1] wanExternalIP = wanIndexTup[2] # Add networking route which does not handle re-routing if WAN is down netsettings['natRules']['list']=[] netsettings['natRules']['list'].append(buildNatRule("DST_ADDR",ip_address_testdestination,wanIP)) uvmContext.networkManager().setNetworkSettings(netsettings) # Test that only the routed interface is used 5 times subprocess.check_output("ip route flush cache", shell=True) for x in range(0, 5): result = global_functions.get_public_ip_address() print("NAT 1:1 IP %s External IP %s and retrieved IP %s" % (wanIP, wanExternalIP, result)) assert (result == wanExternalIP) # now down the selected wan and see if traffic flows out the other wan buildWanTestRule(wanIndex, "ping", "192.168.244.1") # Wait for targeted the WAN to be off line before testing that the WAN is off line. timeout = 50000 online = True offlineWanIndex = wanIndex while online and timeout > 0: timeout -= 1 wanStatus = appWanFailover.getWanStatus() for statusInterface in wanStatus['list']: if statusInterface['interfaceId'] == offlineWanIndex: online = statusInterface['online'] time.sleep(10) # Let WAN balancer see that the interface is down subprocess.check_output("ip route flush cache", shell=True) for x in range(0, 5): result = global_functions.get_public_ip_address() print("WAN Down NAT 1:1 IP %s External IP %s and retrieved IP %s" % (wanIP, wanExternalIP, result)) assert (result == wanExternalIP) uvmContext.networkManager().setNetworkSettings(orig_netsettings) nukeFailoverRules() # Check to see if the faceplate counters have incremented. post_count = global_functions.get_app_metric_value(appWanFailover,"changed") assert(pre_count < post_count)
def test_021_shieldOffNmap(self): # enable logging of blocked settings netsettings = uvmContext.networkManager().getNetworkSettings() netsettings['logBlockedSessions'] = True netsettings['logBypassedSessions'] = True uvmContext.networkManager().setNetworkSettings(netsettings) settings = app.getSettings() settings['shieldEnabled'] = False app.setSettings(settings) start_time = datetime.now() result = remote_control.run_command( "nmap -PN -sT -T5 --min-parallelism 15 -p10000-10100 1.2.3.5 2>&1 >/dev/null" ) assert (result == 0) events = global_functions.get_events('Shield', 'Blocked Session Events', None, 1) assert (events != None) found = global_functions.check_events(events.get('list'), 5, 'c_client_addr', remote_control.clientIP, 's_server_addr', '1.2.3.5', min_date=start_time) assert (not found)
def test_070_bypass_udp_block(self): """ UDP blocked but bypassed so UDP should work """ raise unittest2.SkipTest( 'test correctly fails - disabling for 13.0 - NGFW-10144') global app if remote_control.quickTestsOnly: raise unittest2.SkipTest('Skipping a time consuming test') tracerouteExists = remote_control.run_command( "test -x /usr/sbin/traceroute") if tracerouteExists != 0: raise unittest2.SkipTest( "Traceroute app needs to be installed on client") # use IP address instead of hostname to avoid false positive with DNS IPS block. orig_netsettings = uvmContext.networkManager().getNetworkSettings() netsettings = copy.deepcopy(orig_netsettings) netsettings['bypassRules']['list'].append( createBypassConditionRule("SRC_ADDR", remote_control.clientIP)) # netsettings['logBypassedSessions'] = True uvmContext.networkManager().setNetworkSettings(netsettings) test_untangle_com_ip = socket.gethostbyname("test.untangle.com") startTime = datetime.now() rule = self.intrusion_prevention_interface.create_rule(msg="UDP Block", type="udp", block=True, directive="") self.intrusion_prevention_interface.config_request( "save", self.intrusion_prevention_interface.create_patch( "rule", "add", rule)) app.reconfigure() result = remote_control.run_command( "/usr/sbin/traceroute -U -m 3 -p 1234 " + test_untangle_com_ip) uvmContext.networkManager().setNetworkSettings(orig_netsettings) app.forceUpdateStats() events = global_functions.get_events('Intrusion Prevention', 'All Events', None, 500) assert (events != None) found = global_functions.check_events(events.get('list'), 500, "source_addr", remote_control.clientIP, "dest_addr", test_untangle_com_ip, "dest_port", 1234, "protocol", 17, "blocked", True, min_date=startTime) print("found: %s" % str(found)) assert (not found)
def test_110_networkRouteWanDown(self): # create a network route and then down the wan which the route is set to # if there are more than one WAN if remote_control.quickTestsOnly: raise unittest2.SkipTest('Skipping a time consuming test') if (len(indexOfWans) < 2): raise unittest2.SkipTest( "Need at least two WANS for combination of wan-balancer and wan failover tests" ) netsettings = netsettings = uvmContext.networkManager( ).getNetworkSettings() nukeWanBalancerRules() for wanIndexTup in indexOfWans: # Add networking route which does not handle re-routing if WAN is down # get the WAN IP address which was source routed wanIndex = wanIndexTup[0] # Get the external IP of the interface selected. routedIP = wanIndexTup[2] wanGatewayIP = wanIndexTup[3] netsettings['staticRoutes']['list'] = [] netsettings['staticRoutes']['list'].append( createRouteRule(ip_address_testdestination, 32, wanGatewayIP)) uvmContext.networkManager().setNetworkSettings(netsettings) # Test that only the routed interface is used 5 times subprocess.check_output("ip route flush cache", shell=True) for x in range(0, 5): result = remote_control.run_command( "wget --timeout=4 -q -O - \"$@\" test.untangle.com/cgi-bin/myipaddress.py", stdout=True) print "Network Routed IP %s and retrieved IP %s" % (routedIP, result) assert (result == routedIP) # now down the selected wan and see if traffic flows out the other wan buildWanTestRule(wanIndex, "ping", "192.168.244.1") # Wait for targeted the WAN to be off line before testing that the WAN is off line. timeout = 50000 online = True offlineWanIndex = wanIndex while online and timeout > 0: timeout -= 1 wanStatus = appWanFailover.getWanStatus() for statusInterface in wanStatus['list']: if statusInterface['interfaceId'] == offlineWanIndex: online = statusInterface['online'] time.sleep(10) # Let WAN balancer see that the interface is down subprocess.check_output("ip route flush cache", shell=True) for x in range(0, 5): result = global_functions.get_public_ip_address() print "WAN Down Network Routed IP %s and retrieved IP %s" % ( routedIP, result) assert (result == routedIP) nukeFailoverRules() uvmContext.networkManager().setNetworkSettings(orig_netsettings)
def finalTearDown(self): global app, appWanFailover # Restore original settings to return to initial settings if app != None: uvmContext.appManager().destroy( app.getAppSettings()["id"] ) app = None if appWanFailover != None: uvmContext.appManager().destroy( appWanFailover.getAppSettings()["id"] ) appWanFailover = None if orig_netsettings != None: uvmContext.networkManager().setNetworkSettings(orig_netsettings)
def finalTearDown(self): global app, appAD # Restore original settings to return to initial settings # print "orig_netsettings <%s>" % orig_netsettings uvmContext.networkManager().setNetworkSettings(orig_netsettings) if app != None: uvmContext.appManager().destroy(app.getAppSettings()["id"]) app = None if appAD != None: uvmContext.appManager().destroy(appAD.getAppSettings()["id"]) appAD = None
def initialSetUp(self): global app, app_web_filter, orig_network_settings, orig_network_settings_with_qos, orig_network_settings_without_qos, pre_down_speed_kbit, wan_limit_kbit, wan_limit_mbit if (uvmContext.appManager().isInstantiated(self.appName())): raise Exception('app %s already instantiated' % self.appName()) app = uvmContext.appManager().instantiate(self.appName(), default_policy_id) settings = app.getSettings() settings["configured"] = True app.setSettings(settings) app.start() if (uvmContext.appManager().isInstantiated(self.appNameWF())): raise Exception('app %s already instantiated' % self.appNameWF()) app_web_filter = uvmContext.appManager().instantiate( self.appNameWF(), default_policy_id) if orig_network_settings == None: orig_network_settings = uvmContext.networkManager( ).getNetworkSettings() # disable QoS netsettings = copy.deepcopy(orig_network_settings) netsettings['qosSettings']['qosEnabled'] = False uvmContext.networkManager().setNetworkSettings(netsettings) # measure speed pre_down_speed_kbit = global_functions.get_download_speed( download_server="test.untangle.com") # calculate QoS limits wan_limit_kbit = int((pre_down_speed_kbit * 8) * .9) # set max to 100Mbit, so that other limiting factors dont interfere if wan_limit_kbit > 100000: wan_limit_kbit = 100000 wan_limit_mbit = round(wan_limit_kbit / 1024, 2) # turn on QoS and set wan speed limits netsettings = copy.deepcopy(orig_network_settings) netsettings['qosSettings']['qosEnabled'] = True i = 0 for interface in netsettings['interfaces']['list']: if interface['isWan']: netsettings['interfaces']['list'][i][ 'downloadBandwidthKbps'] = wan_limit_kbit netsettings['interfaces']['list'][i][ 'uploadBandwidthKbps'] = wan_limit_kbit i += 1 netsettings['bypassRules']['list'] = [] netsettings['qosSettings']['qosRules']['list'] = [] # These store the "new" defaults with and without QoS orig_network_settings_with_qos = copy.deepcopy(netsettings) orig_network_settings_with_qos['qosSettings']['qosEnabled'] = True orig_network_settings_without_qos = copy.deepcopy(netsettings) orig_network_settings_without_qos['qosSettings']['qosEnabled'] = False uvmContext.networkManager().setNetworkSettings( orig_network_settings_with_qos)
def test_071_bypass_tcp_block(self): """ TCP blocked but bypassed so TCP should work """ raise unittest2.SkipTest( 'test correctly fails - disabling for 13.0 - NGFW-10144') global app if remote_control.quickTestsOnly: raise unittest2.SkipTest('Skipping a time consuming test') orig_netsettings = uvmContext.networkManager().getNetworkSettings() netsettings = copy.deepcopy(orig_netsettings) netsettings['bypassRules']['list'].append( createBypassConditionRule("SRC_ADDR", remote_control.clientIP)) # netsettings['logBypassedSessions'] = True uvmContext.networkManager().setNetworkSettings(netsettings) test_untangle_com_ip = socket.gethostbyname("test.untangle.com") startTime = datetime.now() rule = self.intrusion_prevention_interface.create_rule(msg="TCP Block", type="tcp", block=True, directive="") self.intrusion_prevention_interface.config_request( "save", self.intrusion_prevention_interface.create_patch( "rule", "add", rule)) app.reconfigure() result = remote_control.run_command( "wget -q -O /dev/null -t 1 --timeout=3 http://test.untangle.com/") uvmContext.networkManager().setNetworkSettings(orig_netsettings) app.forceUpdateStats() events = global_functions.get_events('Intrusion Prevention', 'All Events', None, 500) assert (events != None) found = global_functions.check_events(events.get('list'), 500, "source_addr", remote_control.clientIP, "dest_addr", test_untangle_com_ip, "dest_port", 80, "protocol", 6, "blocked", True, min_date=startTime) print("found: %s" % str(found)) assert (not found)
def finalTearDown(self): global orig_netsettings # Restore original settings to return to initial settings # print "orig_netsettings <%s>" % orig_netsettings uvmContext.networkManager().setNetworkSettings(orig_netsettings) settings = app.getSettings() settings['shieldEnabled'] = default_enabled app.setSettings(settings) # sleep so the reputation goes down so it will not interfere with any future tests time.sleep(3)
def test_014_qosBypassCustomRulesUDP(self): global wanLimitMbit targetSpeedMbit = str(wanLimitMbit)+"M" if remote_control.quickTestsOnly: raise unittest2.SkipTest('Skipping a time consuming test') # We will use iperf server and iperf for this test. wan_IP = uvmContext.networkManager().getFirstWanAddress() iperfAvailable = global_functions.verify_iperf_configuration(wan_IP) if (not iperfAvailable): raise unittest2.SkipTest("Iperf server and/or iperf not available") netsettings = uvmContext.networkManager().getNetworkSettings() netsettings['bypassRules']['list'].append( createBypassConditionRule("DST_PORT","5000") ) netsettings['qosSettings']['qosRules']["list"].append( createQoSCustomRule("DST_PORT","5000", 1) ) uvmContext.networkManager().setNetworkSettings( netsettings ) pre_UDP_speed = global_functions.get_udp_download_speed( receiverIP=global_functions.iperfServer, senderIP=remote_control.clientIP, targetRate=targetSpeedMbit ) netsettings['qosSettings']['qosRules']['list'] = [] netsettings['qosSettings']['qosRules']["list"].append( createQoSCustomRule("DST_PORT","5000", 7) ) uvmContext.networkManager().setNetworkSettings( netsettings ) post_UDP_speed = global_functions.get_udp_download_speed( receiverIP=global_functions.iperfServer, senderIP=remote_control.clientIP, targetRate=targetSpeedMbit ) # Restore original network settings uvmContext.networkManager().setNetworkSettings( origNetworkSettingsWithQoS ) printResults( pre_UDP_speed, post_UDP_speed, (wanLimitKbit/8)*0.1, pre_UDP_speed*.9 ) assert (post_UDP_speed < pre_UDP_speed*.9)
def test_040_windowsL2TPlocalDirectory(self): wan_IP = uvmContext.networkManager().getFirstWanAddress() if (l2tpClientHostResult != 0): raise unittest2.SkipTest("l2tpClientHostResult not available") if (not wan_IP in l2tpServerHosts): raise unittest2.SkipTest("No paried L2TP client available") uvmContext.localDirectory().setUsers(createLocalDirectoryUser()) createL2TPconfig("LOCAL_DIRECTORY") timeout = 480 found = False # Send command for Windows VPN connect. vpnServerResult = remote_control.run_command( "rasdial.exe %s %s %s" % (wan_IP, l2tpLocalUser, l2tpLocalPassword), host=l2tpClientHost) while not found and timeout > 0: timeout -= 1 time.sleep(1) virtUsers = app.getVirtualUsers() for user in virtUsers['list']: if user['clientUsername'] == l2tpLocalUser: found = True # Send command for Windows VPN disconnect. vpnServerResult = remote_control.run_command("rasdial.exe %s /d" % (wan_IP), host=l2tpClientHost) uvmContext.localDirectory().setUsers(removeLocalDirectoryUser()) assert (found)
def initialSetUp(self): global app, appWeb, appData, vpnHostResult, vpnClientResult, vpnServerResult if (uvmContext.appManager().isInstantiated(self.appName())): raise Exception('app %s already instantiated' % self.appName()) app = uvmContext.appManager().instantiate(self.appName(), defaultRackId) app.start() appWeb = None if (uvmContext.appManager().isInstantiated(self.appWebName())): raise Exception('app %s already instantiated' % self.appWebName()) appWeb = uvmContext.appManager().instantiate(self.appWebName(), defaultRackId) vpnHostResult = subprocess.call( ["ping", "-W", "5", "-c", "1", global_functions.vpnServerVpnIP], stdout=subprocess.PIPE, stderr=subprocess.PIPE) vpnClientResult = subprocess.call( ["ping", "-W", "5", "-c", "1", global_functions.vpnClientVpnIP], stdout=subprocess.PIPE, stderr=subprocess.PIPE) wanIP = uvmContext.networkManager().getFirstWanAddress() if vpnClientResult == 0: vpnServerResult = remote_control.run_command( "ping -W 5 -c 1 " + wanIP, host=global_functions.vpnClientVpnIP) else: vpnServerResult = 1
def test_050_windowsL2TPRadiusDirectory(self): global appAD wan_IP = uvmContext.networkManager().getFirstWanAddress() if (radiusResult != 0): raise unittest2.SkipTest("No RADIUS server available") if (l2tpClientHostResult != 0): raise unittest2.SkipTest("l2tpClientHostResult not available") if (not wan_IP in l2tpServerHosts): raise unittest2.SkipTest("No paried L2TP client available") # Configure RADIUS settings appAD.setSettings(createRadiusSettings()) createL2TPconfig("RADIUS_SERVER") timeout = 480 found = False vpnServerResult = remote_control.run_command( "rasdial.exe %s %s %s" % (wan_IP, l2tpRadiusUser, l2tpRadiusPassword), host=l2tpClientHost) while not found and timeout > 0: timeout -= 1 time.sleep(1) virtUsers = app.getVirtualUsers() for user in virtUsers['list']: if user['clientUsername'] == l2tpRadiusUser: found = True # Send command for Windows VPN disconnect. vpnServerResult = remote_control.run_command("rasdial.exe %s /d" % (wan_IP), host=l2tpClientHost) assert (found)
def initialSetUp(self): global app, orig_netsettings, ipsecHostResult, l2tpClientHostResult, appAD, appDataRD, radiusResult tunnelUp = False if (uvmContext.appManager().isInstantiated(self.appName())): raise Exception('app %s already instantiated' % self.appName()) app = uvmContext.appManager().instantiate(self.appName(), defaultRackId) if (uvmContext.appManager().isInstantiated(self.appNameAD())): raise unittest2.SkipTest('app %s already instantiated' % self.appName()) if orig_netsettings == None: orig_netsettings = uvmContext.networkManager().getNetworkSettings() appAD = uvmContext.appManager().instantiate(self.appNameAD(), defaultRackId) appDataRD = appAD.getSettings().get('radiusSettings') ipsecHostResult = subprocess.call(["ping", "-c", "1", ipsecHost], stdout=subprocess.PIPE, stderr=subprocess.PIPE) l2tpClientHostResult = subprocess.call( ["ping", "-c", "1", l2tpClientHost], stdout=subprocess.PIPE, stderr=subprocess.PIPE) radiusResult = subprocess.call( ["ping", "-c", "1", global_functions.radiusServer], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
def initialSetUp(self): global app, appWF, origNetworkSettings, origNetworkSettingsWithQoS, origNetworkSettingsWithoutQoS, preDownSpeedKbsec, wanLimitKbit, wanLimitMbit if (uvmContext.appManager().isInstantiated(self.appName())): raise Exception('app %s already instantiated' % self.appName()) app = uvmContext.appManager().instantiate(self.appName(), defaultRackId) settings = app.getSettings() settings["configured"] = True app.setSettings(settings) app.start() if (uvmContext.appManager().isInstantiated(self.appNameWF())): raise Exception('app %s already instantiated' % self.appNameWF()) appWF = uvmContext.appManager().instantiate(self.appNameWF(), defaultRackId) if origNetworkSettings == None: origNetworkSettings = uvmContext.networkManager().getNetworkSettings() # disable QoS netsettings = copy.deepcopy( origNetworkSettings ) netsettings['qosSettings']['qosEnabled'] = False uvmContext.networkManager().setNetworkSettings( netsettings ) # measure speed preDownSpeedKbsec = global_functions.get_download_speed() # calculate QoS limits wanLimitKbit = int((preDownSpeedKbsec*8) * .9) # set max to 100Mbit, so that other limiting factors dont interfere if wanLimitKbit > 100000: wanLimitKbit = 100000 wanLimitMbit = round(wanLimitKbit/1024,2) # turn on QoS and set wan speed limits netsettings = copy.deepcopy( origNetworkSettings ) netsettings['qosSettings']['qosEnabled'] = True i = 0 for interface in netsettings['interfaces']['list']: if interface['isWan']: netsettings['interfaces']['list'][i]['downloadBandwidthKbps']=wanLimitKbit netsettings['interfaces']['list'][i]['uploadBandwidthKbps']=wanLimitKbit i += 1 netsettings['bypassRules']['list'] = [] netsettings['qosSettings']['qosRules']['list'] = [] # These store the "new" defaults with and without QoS origNetworkSettingsWithQoS = copy.deepcopy( netsettings ) origNetworkSettingsWithQoS['qosSettings']['qosEnabled'] = True origNetworkSettingsWithoutQoS = copy.deepcopy( netsettings ) origNetworkSettingsWithoutQoS['qosSettings']['qosEnabled'] = False uvmContext.networkManager().setNetworkSettings(origNetworkSettingsWithQoS)
def initialSetUp(self): global app,default_enabled, orig_netsettings if orig_netsettings == None: orig_netsettings = uvmContext.networkManager().getNetworkSettings() if (not uvmContext.appManager().isInstantiated(self.appName())): raise Exception('app %s already instantiated' % self.appName()) app = uvmContext.appManager().app(self.appName()) default_enabled = app.getSettings()['shieldEnabled']
def test_110_hosts_file_manager(self): # get the hostname and settings from the network manager fullName = uvmContext.networkManager().getFullyQualifiedHostname() netsettings = uvmContext.networkManager().getNetworkSettings() print "Checking HostsFileManager records for " + fullName # perform a DNS lookup for our hostname against every non-WAN interface # and make sure the value returned matches the address of the interface for interface in netsettings['interfaces']['list']: if interface['isWan'] == False and interface['configType'] == "Addressed": if 'v4StaticAddress' in interface: netaddr = interface['v4StaticAddress'] if netaddr: print "Checking hostname resolution for %s" % netaddr output = subprocess.check_output("dig +short @" + netaddr + " " + fullName, shell=True) result = output.strip() assert(result == netaddr)
def test_030_restartNetworkVerifyIpsecTunnel(self): # save a setting in networking and test ipsec tunnel is set connected. global tunnelUp if (not tunnelUp): raise unittest2.SkipTest( "Test test_020_createIpsecTunnel success required ") netsettings = uvmContext.networkManager().getNetworkSettings() uvmContext.networkManager().setNetworkSettings(netsettings) time.sleep(10) # wait for networking to restart ipsecHostLANResult = remote_control.run_command( "wget -q -O /dev/null --no-check-certificate -4 -t 2 --timeout=5 https://%s/" % ipsecHostLANIP) ipsecPcLanResult = remote_control.run_command("ping -c 1 %s" % ipsecPcLANIP) # delete tunnel nukeIPSecTunnels() tunnelUp = False assert (ipsecHostLANResult == 0) assert (ipsecPcLanResult == 0)
def initialSetUp(self): global indexOfWans, appData, app, orig_netsettings orig_netsettings = uvmContext.networkManager().getNetworkSettings() if (uvmContext.appManager().isInstantiated(self.appName())): raise Exception('app %s already instantiated' % self.appName()) app = uvmContext.appManager().instantiate(self.appName(), defaultRackId) app.start() appData = app.getSettings() indexOfWans = global_functions.get_wan_tuples()
def test_100_wanBalancerRouteWanDown(self): # create a source route and then down the wan which the route is set to # if there are more than one WAN if remote_control.quickTestsOnly: raise unittest2.SkipTest('Skipping a time consuming test') if (len(index_of_wans) < 2): raise unittest2.SkipTest( "Need at least two WANS for combination of wan-balancer and wan failover tests" ) if same_wan_network(index_of_wans): raise unittest2.SkipTest("WANS on same network") netsettings = uvmContext.networkManager().getNetworkSettings() for wanIndexTup in index_of_wans: wanIndex = wanIndexTup[0] nuke_wan_balancer_rules() # Get the external IP of the interface selected. routedIP = wanIndexTup[2] # WAN index for route rules is from networking list. Balance is zero build_single_wan_route_rule("DST_ADDR", ip_address_testdestination, wanIndex) # Test that only the routed interface is used 5 times2 subprocess.check_output("ip route flush cache", shell=True) for x in range(0, 5): result = remote_control.run_command( "wget --timeout=4 -q -O - \"$@\" test.untangle.com/cgi-bin/myipaddress.py", stdout=True) print("WAN Balancer Routed IP %s and retrieved IP %s" % (routedIP, result)) assert (result == routedIP) # now down the selected wan and see if traffic flows out the other wan build_wan_test_rule(wanIndex, "ping", "192.168.244.1") # Wait for targeted the WAN to be off line before testing that the WAN is off line. timeout = 50000 online = True offlineWanIndex = wanIndex while online and timeout > 0: timeout -= 1 wanStatus = app_wan_failover.getWanStatus() for statusInterface in wanStatus['list']: if statusInterface['interfaceId'] == offlineWanIndex: online = statusInterface['online'] time.sleep(10) # Let WAN balancer see that the interface is down subprocess.check_output("ip route flush cache", shell=True) for x in range(0, 5): result = global_functions.get_public_ip_address() print( "WAN Down WAN Balancer Routed IP %s and retrieved IP %s" % (routedIP, result)) assert (result != routedIP) nuke_wan_balancer_rules() nuke_wan_failover_rules()
def test_013_qosBypassCustomRules(self): global app nukeRules() priority_level = 7 # Record average speed without bandwidth control configured wget_speed_pre = global_functions.get_download_speed() # Create SRC_ADDR based custom Q0S rule to limit bypass QoS netsettings = copy.deepcopy( origNetworkSettingsWithQoS ) netsettings['qosSettings']['qosRules']["list"].append( createQoSCustomRule("SRC_ADDR",remote_control.clientIP,priority_level) ) netsettings['bypassRules']['list'].append( createBypassConditionRule("SRC_ADDR",remote_control.clientIP) ) uvmContext.networkManager().setNetworkSettings( netsettings ) # Download file and record the average speed in which the file was download wget_speed_post = global_functions.get_download_speed() # Restore original network settings uvmContext.networkManager().setNetworkSettings( origNetworkSettingsWithQoS ) printResults( wget_speed_pre, wget_speed_post, wget_speed_pre*0.1, wget_speed_pre*limitedAcceptanceRatio ) assert ((wget_speed_pre) and (wget_speed_post)) assert (wget_speed_pre * limitedAcceptanceRatio > wget_speed_post)
def initialSetUp(self): global indexOfWans, app, appData, appWanFailover, appDataWanFailover, orig_netsettings, ip_address_testdestination if (uvmContext.appManager().isInstantiated(self.appName())): raise Exception('app %s already instantiated' % self.appName()) app = uvmContext.appManager().instantiate(self.appName(), default_policy_id) app.start() appData = app.getSettings() if (uvmContext.appManager().isInstantiated(self.appNameWanFailover())): raise Exception('app %s already instantiated' % self.appNameWanFailover()) appWanFailover = uvmContext.appManager().instantiate(self.appNameWanFailover(), default_policy_id) appWanFailover.start() appWanFailoverData = appWanFailover.getSettings() indexOfWans = global_functions.get_wan_tuples() orig_netsettings = uvmContext.networkManager().getNetworkSettings() ip_address_testdestination = socket.gethostbyname("test.untangle.com")
class ReportsTests(unittest2.TestCase): @staticmethod def appName(): return "reports" @staticmethod def webAppName(): return "web-filter" @staticmethod def vendorName(): return "Untangle" @staticmethod def initialSetUp(self): global app, orig_settings, test_email_address, can_relay, can_syslog, syslog_server_host, web_app if (uvmContext.appManager().isInstantiated(self.appName())): # report app is normally installed. # print("App %s already installed" % self.appName()) # raise Exception('app %s already instantiated' % self.appName()) app = uvmContext.appManager().app(self.appName()) else: app = uvmContext.appManager().instantiate(self.appName(), default_policy_id) reportSettings = app.getSettings() orig_settings = copy.deepcopy(reportSettings) if (uvmContext.appManager().isInstantiated(self.webAppName())): raise Exception('app %s already instantiated' % self.webAppName()) web_app = uvmContext.appManager().instantiate(self.webAppName(), default_policy_id) # Skip checking relaying is possible if we have determined it as true on previous test. try: can_relay = global_functions.send_test_email() except Exception, e: can_relay = False if can_syslog == None: can_syslog = False wan_IP = uvmContext.networkManager().getFirstWanAddress() syslog_server_host = global_functions.find_syslog_server(wan_IP) if syslog_server_host: portResult = remote_control.run_command( "sudo lsof -i :514", host=syslog_server_host) if portResult == 0: can_syslog = True
def initialSetUp(self): global app, appWeb, appDC, tunnelApp, appData, vpnHostResult, vpnClientResult, vpnServerResult, vpnUserPassHostResult, adResult, radiusResult if (uvmContext.appManager().isInstantiated(self.appName())): raise Exception('app %s already instantiated' % self.appName()) app = uvmContext.appManager().instantiate(self.appName(), default_policy_id) app.start() appWeb = None appDC = None tunnelApp = None if (uvmContext.appManager().isInstantiated(self.appWebName())): raise Exception('app %s already instantiated' % self.appWebName()) appWeb = uvmContext.appManager().instantiate(self.appWebName(), default_policy_id) vpnHostResult = subprocess.call( ["ping", "-W", "5", "-c", "1", global_functions.VPN_SERVER_IP], stdout=subprocess.PIPE, stderr=subprocess.PIPE) vpnUserPassHostResult = subprocess.call([ "ping", "-W", "5", "-c", "1", global_functions.VPN_SERVER_USER_PASS_IP ], stdout=subprocess.PIPE, stderr=subprocess.PIPE) vpnClientResult = subprocess.call( ["ping", "-W", "5", "-c", "1", global_functions.VPN_CLIENT_IP], stdout=subprocess.PIPE, stderr=subprocess.PIPE) wanIP = uvmContext.networkManager().getFirstWanAddress() if vpnClientResult == 0: vpnServerResult = remote_control.run_command( "ping -W 5 -c 1 " + wanIP, host=global_functions.VPN_CLIENT_IP) else: vpnServerResult = 1 adResult = subprocess.call( ["ping", "-c", "1", global_functions.AD_SERVER], stdout=subprocess.PIPE, stderr=subprocess.PIPE) radiusResult = subprocess.call( ["ping", "-c", "1", global_functions.RADIUS_SERVER], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
def test_060_createIpsecTunnelHostname(self): if (ipsecHostResult != 0): raise unittest2.SkipTest("No paried IPSec server available") pre_events_enabled = global_functions.get_app_metric_value( app, "enabled") wan_IP = uvmContext.networkManager().getFirstWanAddress() pairMatchNotFound = True listOfPairs = "" addDNSRule(createDNSRule(ipsecHost, ipsecHostname)) # verify L2TP is off NGFW-7212 ipsecSettings = app.getSettings() ipsecSettings["vpnflag"] = False app.setSettings(ipsecSettings) for hostConfig in configuredHostIPs: print hostConfig[0] listOfPairs += str(hostConfig[0]) + ", " if (wan_IP in hostConfig[0]): appendTunnel( addIPSecTunnel(ipsecHostname, ipsecHostLAN, hostConfig[0], hostConfig[1], hostConfig[2])) pairMatchNotFound = False if (pairMatchNotFound): raise unittest2.SkipTest("IPsec test only configed for IPs %s" % (listOfPairs)) timeout = 10 ipsecHostLANResult = 1 while (ipsecHostLANResult != 0 and timeout > 0): timeout -= 1 time.sleep(1) # ping the remote LAN to see if the IPsec tunnel is connected. ipsecHostLANResult = remote_control.run_command( "wget -q -O /dev/null --no-check-certificate -4 -t 2 --timeout=5 https://%s/" % ipsecHostLANIP) post_events_enabled = global_functions.get_app_metric_value( app, "enabled") nukeIPSecTunnels() assert (ipsecHostLANResult == 0) # Check to see if the faceplate counters have incremented. assert (pre_events_enabled < post_events_enabled)