def test_update_or_create(self):
host = Host.update_or_create(name='autohost', address='1.1.1.1')
self.assertEqual(host.name, 'autohost')
self.assertEqual(host.address, '1.1.1.1')
host = Host.update_or_create(name='autohost', address='2.2.2.2')
self.assertEqual(host.name, 'autohost')
self.assertEqual(host.address, '2.2.2.2')
host.delete()
network = Network.update_or_create(
filter_key={'ipv4_network': '192.168.10.0/24'},
name='somenetwork',
ipv4_network='192.168.10.0/24')
self.assertEqual(network.name, 'somenetwork')
self.assertEqual(network.ipv4_network, '192.168.10.0/24')
network = Network.update_or_create(
filter_key={'ipv4_network': '192.168.10.0/24'},
name='someothernetwork',
ipv4_network='192.168.11.0/24')
self.assertEqual(network.name, 'someothernetwork')
self.assertEqual(network.ipv4_network, '192.168.11.0/24')
network.delete()
def test_network_ipv6(self):
network = Network.create(name='mixednetwork', ipv6_network='fc00::/7')
self.assertTrue(network.href.startswith('http'))
network = Network('mixednetwork')
self.assertEqual(network.ipv6_network, 'fc00::/7')
network.delete()
def testGroup(self):
# Member not href
with self.assertRaises(CreateElementFailed):
Group.create('foogroup', ['test'], 'comment')
# Same as above
with self.assertRaises(CreateElementFailed):
Group.create('foogroup', ['172.18.1.80'])
# Empty group
group = Group.create('foogroup')
self.assertTrue(group.href.startswith('http'))
# Get context
group = Group('foogroup')
# Members
Host.create('groupmember', '1.1.1.1')
Network.create(name='anetwork', ipv4_network='1.1.1.0/24')
self.assertIsNone(group.update_members(members=[Host('groupmember')]))
# ETag in cache matches server after update
etag = search.element_by_href_as_smcresult(group.href).etag
self.assertEqual(group.etag, etag)
# Get the members back and verify
for member in group.obtain_members():
self.assertIn(member.name, ['groupmember'])
# Check Host has a reference to group
refs = Host('groupmember').referenced_by
self.assertEqual(refs[0].name, 'foogroup')
# Add second member and append
group.update_members(members=[Network('anetwork')], append_lists=True)
members = group.obtain_members()
self.assertTrue(len(members) == 2)
etag = search.element_by_href_as_smcresult(group.href).etag
self.assertEqual(group.etag, etag)
# Overwrite (test sending in as a href)
group.update_members(members=[Host('groupmember').href],
append_lists=False)
members = group.obtain_members()
self.assertTrue(len(members) == 1)
self.assertEqual(members[0].name, 'groupmember')
etag = search.element_by_href_as_smcresult(group.href).etag
self.assertEqual(group.etag, etag)
# Delete all members
group.empty_members()
self.assertTrue(len(group.obtain_members()) == 0)
group.rename('group2')
# Delete
Host('groupmember').delete()
group = Group('group2')
group.delete()
def smc_configuration(engine_name, public_ip, private_ip, public_network):
session_login()
vpn_name, tunnel_1, tunnel_2 = get_vpn(public_ip)
network_name = f'awsnetwork-{public_network}'
try:
Network.create(name=network_name, ipv4_network=public_network)
except CreateElementFailed as err:
logging.info(err)
l3fw_policy('transit_gw_policy')
policy = firewall_rule('transit_gw_policy')
add_tunnel_to_engine(engine_name, '2000', tunnel_1.get('outside_ip'),
tunnel_1.get('inside_ip_cidr'), 'tunnelA')
add_tunnel_to_engine(engine_name, '2001', tunnel_2.get('outside_ip'),
tunnel_2.get('inside_ip_cidr'), 'tunnelB')
try:
remote_gateway_first = external_gateway(
name=f'{vpn_name}-{1}',
endpoint_name='endpoint_1',
address=tunnel_1.get('outside_ip'),
network_name=network_name
) # site-to-site vpn connection VPN ID include number at the end
except CreateElementFailed as err:
logging.info(err)
try:
remote_gateway_second = external_gateway(
name=f'{vpn_name}-{2}',
endpoint_name='endpoint_2',
address=tunnel_2.get('outside_ip'),
network_name=network_name
) # site-to-site vpn connection VPN ID include number at the end
except CreateElementFailed as err:
logging.info(err)
bgp_elements(
64512, vpn_name, tunnel_1.get('gateway'), tunnel_2.get('gateway'),
engine_name
) # transit gateway : Amazon ASN inside ip is from tunnel of vpn - the /30
add_dynamic_routing_antispoofing(engine_name)
vpn_endpoint = Engine(engine_name).vpn_endpoint.get_contains(private_ip)
vpn_endpoint.update(enabled=True)
vpn_create_ipsec(engine_name, 2000, tunnel_1.get('pre_shared_key'),
vpn_name, 1, remote_gateway_first)
vpn_create_ipsec(engine_name, 2001, tunnel_2.get('pre_shared_key'),
vpn_name, 2, remote_gateway_second)
policy.upload(engine_name)
session.logout()
def remove_smc_engines(engine_name, public_ip, private_ip):
session_login()
MASK = '255.255.255.0'
engine = Engine(engine_name)
routes = RouteVPN.objects.all()
gateways_to_delete = []
for route in list(routes):
route_name = route.name
if engine_name in route_name:
RouteVPN().get(route_name).delete()
gateways_to_delete.append((route_name.split(engine_name)[-1])[1:])
engine.delete()
for gw in gateways_to_delete:
ExternalGateway.get(gw).delete()
public_base = MyIPv4(public_ip) & MyIPv4(MASK)
public_network = string_to_ip(str(public_base) + '/24')
Network.get(f'awsnetwork-{public_network}').delete()
session.logout()
def bgp_elements(aws_ASN, vgw_id, tunnel_inside_ip_1, tunnel_inside_ip_2,
engine_name):
engine = Engine(engine_name)
try:
AutonomousSystem().create(name='aws-as',
as_number=aws_ASN,
comment='aws VGW ASN')
except CreateElementFailed as err:
logging.info(err)
try:
AutonomousSystem().create(name='ngfw-as',
as_number=65000,
comment='NGFW ASN')
except CreateElementFailed as err:
logging.info(err)
try:
ExternalBGPPeer().create(
name=f"peer-{vgw_id}-1",
comment="aws bgp peering element for tunnel_1",
neighbor_as=AutonomousSystem("aws-as"),
neighbor_ip=tunnel_inside_ip_1)
except CreateElementFailed as err:
logging.info(err)
try:
ExternalBGPPeer().create(
name=f"peer-{vgw_id}-2",
comment="aws bgp peering element for tunnel_2",
neighbor_as=AutonomousSystem("aws-as"),
neighbor_ip=tunnel_inside_ip_2)
except CreateElementFailed as err:
logging.info(err)
engine.dynamic_routing.bgp.enable(
autonomous_system=AutonomousSystem(name='ngfw-as'),
announced_networks=[Network('Any network')])
try:
BGPPeering.get('ngfw-bgp-peering')
except ElementNotFound as err:
BGPPeering.create(name='ngfw-bgp-peering') # ngfw-bgp-peering
Engine(engine_name).routing.get(2000).add_bgp_peering(
BGPPeering('ngfw-bgp-peering'), ExternalBGPPeer(f'peer-{vgw_id}-1'))
Engine(engine_name).routing.get(2001).add_bgp_peering(
BGPPeering('ngfw-bgp-peering'), ExternalBGPPeer(f'peer-{vgw_id}-2'))
engine.update()
def external_gateway(name, address, endpoint_name, network_name, status=True):
external_endpoint = [{
"address": address,
"enabled": True,
"name": endpoint_name
}]
gw = ExternalGateway.update_or_create(name,
external_endpoint=external_endpoint,
trust_all_cas=True,
with_status=status)
gw[0].vpn_site.create(name=f'remotesite-{endpoint_name}-{address}',
site_element=[Network(network_name)])
remote_gateway = TunnelEndpoint.create_ipsec_endpoint(gw[0])
return remote_gateway
def test_bgp_profile(self):
"""
Test BGP Profiles
"""
Network.create(name='bgpnet', ipv4_network='1.1.1.0/24')
profile = BGPProfile.create(name='myprofile',
port=300,
external_distance=100,
internal_distance=150,
local_distance=200,
subnet_distance=[(Network('bgpnet'), 100)])
self.assertTrue(profile.href.startswith('http'))
myprofile = BGPProfile('myprofile')
self.assertEqual(myprofile.port, 300)
self.assertEqual(myprofile.internal_distance, 150)
self.assertEqual(myprofile.external_distance, 100)
self.assertEqual(myprofile.local_distance, 200)
for subnet in myprofile.subnet_distance:
self.assertEqual(subnet[0].name, 'bgpnet')
self.assertEqual(subnet[1], 100)
myprofile.delete()
Network('bgpnet').delete()
def test_layer3_engine_methods(self):
# Test each of the top level engine methods
engine = Layer3Firewall.create(name='smcpython-fw',
mgmt_ip='1.1.1.1',
mgmt_network='1.1.1.0/24')
self.assertIsInstance(engine, Engine)
if session.api_version >= 6.1:
test = Engine('smcpython-fw')
self.assertTrue(test.type == 'single_fw')
self.assertTrue(test.href.startswith('http'))
self.assertTrue(test.version is None)
self.assertTrue(isinstance(test.nodes, list))
# Modify an attribute, i.e. antivirus:
self.assertTrue(
engine.modify_attribute(
antivirus={
'antivirus_enabled': False,
'antivirus_update': 'daily',
'antivirus_update_day': 'mo',
'antivirus_update_time': 21600000,
'virus_log_level': 'none',
'virus_mirror': 'update.nai.com/Products/CommonUpdater'
}).startswith('http'))
# Test Fail load using wildcard
Host.create('testengine', '1.1.1.1')
Host.create('testengine2', '2.2.2.2')
with self.assertRaises(ElementNotFound):
foo = Engine('testengine*')
foo.href
Host('testengine').delete()
Host('testengine2').delete()
# Engine type
self.assertEqual(engine.type, 'single_fw')
# Get the node type
self.assertEqual(engine.nodes[0].type, 'firewall_node')
# Iterate nodes
for node in engine.nodes:
self.assertIsInstance(repr(node), str)
self.assertIsInstance(node, Node)
# Get permissions, only for SMC API >- 6.1
if session.api_version >= 6.1:
for x in engine.permissions:
self.assertIsInstance(x, AccessControlList)
else:
self.assertRaises(UnsupportedEngineFeature,
lambda: engine.permissions())
# Get aliases
aliases = engine.alias_resolving()
for alias in aliases:
self.assertIsInstance(alias, Alias)
self.assertIsNotNone(alias.name)
self.assertTrue(alias.href.startswith('http'))
self.assertIsInstance(alias.resolved_value, list)
# Resolve the IP address alias for this engine
alias = Alias('$$ Interface ID 0.ip')
self.assertIn('1.1.1.1', alias.resolve('smcpython-fw'))
# Blacklist, will fail as engine is not live or connected to SMC
self.assertRaises(EngineCommandFailed,
lambda: engine.blacklist('1.1.1.1/32', '0.0.0.0/0'))
# Blacklist flush, same as above
self.assertRaises(EngineCommandFailed,
lambda: engine.blacklist_flush())
# Add route, valid
result = engine.add_route('1.1.1.254', '192.168.1.0/24')
self.assertIsNone(result)
# Add route, invalid, msg attribute set
self.assertRaises(EngineCommandFailed,
lambda: engine.add_route('2.2.2.2', '10.10.10.0/22'))
# Get routes, will catch SMCConnectionException because the engine doesnt
# exist and will be unresponsive. It should catch and return empty list
# A response is sent back in 6.1.2, but should be none
if is_min_required_smc_version('6.1.2'):
self.assertRaises(EngineCommandFailed,
lambda: engine.routing_monitoring)
else: # Timeout in version 6.1.1 or earlier
self.assertRaises(EngineCommandFailed,
lambda: engine.routing_monitoring)
# Get antispoofing info
Network.create(name='network-10.1.2.0/24', ipv4_network='10.1.2.0/24')
spoofing = engine.antispoofing
self.assertIsInstance(spoofing, Antispoofing)
for entry in engine.antispoofing.all():
if entry.name == 'Interface 0':
self.assertEqual(entry.level, 'interface')
self.assertEqual(entry.validity, 'enable')
entry.add(Network('network-10.1.2.0/24'))
# Look for our network
for entry in engine.antispoofing.all():
if entry.name == 'Interface 0':
for network in entry.all():
if network.name == 'network-10.1.2.0/24':
self.assertEqual(network.ip, '10.1.2.0/24')
self.assertTrue(
engine.internal_gateway.name.startswith('smcpython-fw'))
# Get internal gateway
for gw in engine.internal_gateway.internal_endpoint.all():
self.assertEqual(gw.name, '1.1.1.1') # matches interface IP
# Get vpn sites
for sites in engine.internal_gateway.vpn_site.all():
self.assertTrue(
sites.name.startswith('Automatic Site for smcpython-fw'))
# Gen certificate for internal gateway, fail because engine can't gen
# cert
v = VPNCertificate('myorg', 'foo.org')
self.assertRaises(
CertificateError,
lambda: engine.internal_gateway.generate_certificate(v))
# Gateway certificate request, not implemented as of 0.3.7
self.assertTrue(
len(engine.internal_gateway.gateway_certificate()) == 0)
# Gateway certificate, not implemented as of 0.3.7
self.assertTrue(
len(engine.internal_gateway.gateway_certificate_request()) == 0)
# Get a virtual resource on non supported device type
self.assertRaises(UnsupportedEngineFeature,
lambda: engine.virtual_resource)
# Get interfaces
for intf in engine.interface.all():
self.assertEqual(intf.name, 'Interface 0')
# Get virtual physical interface, not supported on layer 3 engine
self.assertRaises(UnsupportedInterfaceType,
lambda: engine.virtual_physical_interface)
# Get modem interfaces
self.assertTrue(len(engine.modem_interface) == 0)
# Get adsl interfaces
self.assertTrue(len(engine.adsl_interface) == 0)
# Get wireless interface
self.assertTrue(len(engine.wireless_interface) == 0)
# Get switch interface
self.assertTrue(len(engine.switch_physical_interface) == 0)
# Get tunnel interfaces
engine.tunnel_interface.add_single_node_interface(
tunnel_id=1000, address='2.2.2.2', network_value='2.2.2.0/24')
intf = engine.interface.get(1000)
self.assertIsInstance(intf, TunnelInterface)
# Query tunnel interfaces
for intf in engine.tunnel_interface.all():
self.assertEqual(intf.name, 'Tunnel Interface 1000')
# Refresh policy, fails as engine not ready
self.assertRaises(TaskRunFailed, lambda: engine.refresh())
# Upload, policy doesn't exist
self.assertRaises(TaskRunFailed, lambda: engine.upload(policy='foo'))
# Generate snapshot #TODO: Bug
with self.assertRaises(EngineCommandFailed):
engine.generate_snapshot()
# See snapshots. Policy hasnt been pushed yet so they wont exist
self.assertTrue(len(list(engine.snapshots)) == 0)
# Delete
engine.delete()
Network('network-10.1.2.0/24').delete()
def testNetwork(self):
# Invalid host bits
with self.assertRaises(CreateElementFailed):
Network.create('foonetwork', '12.1.1.1/24', 'comment')
Network.create('foonetwork',
ipv4_network='12.1.1.0/24',
ipv6_network='2001:db8:abcd:12::/64')
network = Network('foonetwork')
self.assertEqual(network.ipv4_network, '12.1.1.0/24')
self.assertEqual(network.ipv6_network, '2001:db8:abcd:12::/64')
network.rename('foonetwork2')
network = Network('foonetwork2')
network.delete()
# Not CIDR format
with self.assertRaises(CreateElementFailed):
Network.create('foonetwork', '12.1.1.0/255.255.255.0')
cnameV4 = cname + '-v4'
cnameV6 = cname + '-v6'
cnameNAT = cname + '-NAT'
#################
#Host NAT Element erstellen
#################
Host.create(name=cnameNAT, address=NATIP, comment='Erstellt via Script')
#################
#Network IPv6 Element erstellen
#################
Network.create(name=cnameV6, ipv6_network=IPV6Network, comment='Erstellt via Script')
#################
#IPv6 Sub Policy erstellen
#################
p = FirewallIPv6SubPolicy.create(name=cnameV6)
p.fw_ipv6_access_rules.create_rule_section(name='Outbound')
p.fw_ipv6_access_rules.create(name='Default Outgoing', sources=[Network(cnameV6)], destinations='any', services=[TCPService('SSH'), TCPService('HTTP'), TCPService('HTTPS'), UDPService('NTP (UDP)'), ServiceGroup('DNS')], action='allow', after='Outbound')
p.fw_ipv6_access_rules.create_rule_section(name='Inbound', add_pos=30)
#################
#IPv4 Sub Policy erstellen
#################
q = FirewallSubPolicy.create(name=cnameV4)
def test_get_or_create_element(self):
# Will be created anew
host = Host.get_or_create(filter_key={'address': '123.123.123.123'},
name='kookoo',
address='123.123.123.123')
self.assertEqual(host.name, 'kookoo')
self.assertEqual(host.data.get('address'), '123.123.123.123')
# Will be retrieved
host = Host.get_or_create(filter_key={'address': '123.123.123.123'},
name='fooboo',
address='123.123.123.123')
self.assertEqual(host.name, 'kookoo')
host.delete()
# Test the two types using meta characters
network = Network.get_or_create(
filter_key={'ipv4_network': '172.18.33.0/24'},
name='mynetwork',
ipv4_network='172.18.33.0/24')
self.assertEqual(network.name, 'mynetwork')
self.assertEqual(network.ipv4_network, '172.18.33.0/24')
network = Network.get_or_create(
filter_key={'ipv4_network': '172.18.33.0/24'},
name='mynetwork',
ipv4_network='172.18.33.0/24')
self.assertEqual(network.name, 'mynetwork')
network.delete()
# Address Range
iprange = AddressRange.get_or_create(
filter_key={'ip_range': '1.1.1.1-1.1.1.10'},
name='myrange',
ip_range='1.1.1.1-1.1.1.10')
self.assertEqual(iprange.name, 'myrange')
self.assertEqual(iprange.data.get('ip_range'), '1.1.1.1-1.1.1.10')
iprange = AddressRange.get_or_create(
filter_key={'ip_range': '1.1.1.1-1.1.1.10'},
name='myrange',
ip_range='1.1.1.1-1.1.1.10')
self.assertEqual(iprange.name, 'myrange')
iprange.delete()
vpn = VPNPolicy.get_or_create(name='somepolicy')
self.assertEqual(vpn.name, 'somepolicy')
tcp = TCPService.get_or_create(filter_key={'min_dst_port': 8989},
name='myservice',
min_dst_port=8989)
self.assertIsInstance(tcp, TCPService)
self.assertEqual(tcp.name, 'myservice')
tcp = TCPService.get_or_create(filter_key={'min_dst_port': 8989},
name='newservice',
min_dst_port=8989)
self.assertEqual(tcp.name, 'newservice')
host = Host.get_or_create(name='grace', address='12.12.12.12')
self.assertEqual(host.name, 'grace')
# Already exists
host = Host.get_or_create(name='grace', address='12.12.12.12')
self.assertEqual(host.name, 'grace')
def test_multilink_member(self):
Network.create(name='comcast', ipv4_network='10.10.0.0/16')
Router.create(name='nexthop', address='10.10.1.254')
StaticNetlink.create(name='isp1',
gateway=Router('nexthop'),
network=[Network('comcast')],
probe_address=['10.10.0.1'])
member1 = multilink_member(StaticNetlink('isp1'),
nat_range='10.10.0.1-10.10.0.1')
self.assertEqual(member1['ip_range'], '10.10.0.1-10.10.0.1')
self.assertEqual(member1['netlink_ref'], StaticNetlink('isp1').href)
self.assertEqual(member1['netlink_role'], 'active')
self.assertEqual(member1['network_ref'], Network('comcast').href)
# Add a second member to the static netlink
n = StaticNetlink('isp1')
Network.create('att', ipv4_network='192.168.1.0/24')
n.add_network(Network('att'))
# creating a multilink member fails when there are more than one
# networks defined and one has not been specified
with self.assertRaises(MissingRequiredInput):
multilink_member(StaticNetlink('isp1'),
nat_range='10.10.0.1-10.10.0.1')
# Now provide that specific network
member1 = multilink_member(StaticNetlink('isp1'),
nat_range='192.168.1.1-192.168.1.1',
netlink_network=Network('att'))
self.assertEqual(member1['ip_range'], '192.168.1.1-192.168.1.1')
self.assertEqual(member1['netlink_ref'], StaticNetlink('isp1').href)
self.assertEqual(member1['netlink_role'], 'active')
self.assertEqual(member1['network_ref'], Network('att').href)
m = Multilink.create(name='testmultilink', multilink_members=[member1])
self.assertTrue(m.href.startswith('http'))
Multilink('testmultilink').delete()
StaticNetlink('isp1').delete()
Network('comcast').delete()
Network('att').delete()
Router('nexthop').delete()
def test_create_engine_add_bgp_peering(self):
engine = Layer3Firewall.create(name='myfw',
mgmt_ip='1.1.1.1',
mgmt_network='1.1.1.0/24')
engine.physical_interface.add_single_node_interface(
interface_id=0, address='5.5.5.5', network_value='5.5.5.0/24')
Network.create(name='bgpnet', ipv4_network='2.2.2.0/24')
AutonomousSystem.create(name='aws_as', as_number=20000)
engine.enable_bgp(autonomous_system=AutonomousSystem('aws_as'),
announced_networks=[Network('bgpnet')])
BGPPeering.create(name='mypeer')
ExternalBGPPeer.create(name='neighbor',
neighbor_as_ref=AutonomousSystem('aws_as'),
neighbor_ip='3.3.3.3')
# Only add to a single network
for route in engine.routing.all():
if route.nicid == '0':
route.add_bgp_peering(BGPPeering('mypeer'),
ExternalBGPPeer('neighbor'),
network='5.5.5.0/24')
# Traverse the nested routing tree..
for route in engine.routing.all():
if route.nicid == '0':
for bgp_peering in route.all():
if bgp_peering.ip == '5.5.5.0/24':
for peering in bgp_peering.all(): # BGPPeering
self.assertEqual(peering.name, 'mypeer')
for external_peer in peering.all(
): # ExternalBGPPeer
self.assertEqual(external_peer.name,
'neighbor')
engine.delete()
# Add BGP to all interfaces
engine = Layer3Firewall.create(name='myfw',
mgmt_ip='1.1.1.1',
mgmt_network='1.1.1.0/24')
engine.physical_interface.add_single_node_interface(
interface_id=0, address='5.5.5.5', network_value='5.5.5.0/24')
# Only add to a single network
interface = engine.routing.get(0)
# for route in engine.routing.all():
# if route.nicid == '0':
interface.add_bgp_peering(BGPPeering('mypeer'),
ExternalBGPPeer('neighbor'))
for route in engine.routing.all():
if route.nicid == '0':
for bgp_peering in route.all():
for peering in bgp_peering.all():
self.assertEqual(peering.name, 'mypeer') # BGPPeering
for external_peer in peering.all():
# ExternalBGPPeer
self.assertEqual(external_peer.name, 'neighbor')
engine.delete()
virtual_resource_name='Customer {}'.format(vr))
# Router object used for default route
router = Router.update_or_create(name='southbound',
address='10.1.2.254',
comment='virtual engine gateway')
# Now create the Virtual Firewalls for each customer and set interface information
# VirtualEngine interface numbering starts at interface 1!
for vr in range(1, 9):
virtual_engine = Layer3VirtualEngine.create(
name='Customer {}'.format(vr),
master_engine='master',
virtual_resource='Customer {}'.format(vr),
outgoing_intf=1,
interfaces=[{
'interface_id': 1,
'address': '10.1.1.1',
'network_value': '10.1.1.0/24',
'zone_ref': ''
}, {
'interface_id': 2,
'address': '10.1.2.1',
'network_value': '10.1.2.0/24',
'zone_ref': ''
}])
# Add default route
interface_1 = virtual_engine.routing.get(2)
interface_1.add_static_route(gateway=Router('southbound'),
destination=[Network('Any network')])
"""
external_gateway = ExternalGateway.create('mygw')
"""
An external endpoint is defined within the external gateway and specifies the
IP address settings and other VPN specific settings for this endpoint
After creating, add to the external gateway
"""
external_gateway.external_endpoint.create(name='myendpoint',
address='2.2.2.2')
"""
Lastly, 'sites' need to be configured that identify the network/s on the
other end of the VPN. You can either use pre-existing network elements, or create
new ones as in the example below.
Then add this site to the external gateway
"""
network = Network.create('remote-network', '1.1.1.0/24').href
external_gateway.vpn_site.create('remote-site', [network])
"""
Retrieve the internal gateway for SMC managed engine by loading the
engine configuration. The internal gateway reference is located as
engine.internal_gateway.href
"""
engine = Engine('testfw').load()
"""
Create the VPN Policy
"""
vpn = PolicyVPN.create(name='myVPN', nat=True)
print vpn.name, vpn.vpn_profile
vpn.open()
def test_add_external_gateway_endpoint_and_vpnsite(self):
for gw in list(
Search('external_gateway').objects.filter(
'smcpython-externalgw')):
gw.delete()
result = ExternalGateway.create(name='smcpython-externalgw')
self.assertIsInstance(result, ExternalGateway)
e = ExternalGateway('smcpython-externalgw')
self.assertTrue(e.trust_all_cas)
self.assertIsInstance(e.gateway_profile, GatewayProfile)
# For vpn site
network = Network.create('py4.4.4.0', '4.4.4.0/24')
e = ExternalGateway('smcpython-externalgw')
# for x in list(Search('external_gateway').objects.filter('smcpython-externalgw')):
# self.assertIsNotNone(x.href) #have meta
res = e.external_endpoint.create('myendpoint',
'1.1.1.1') # create endpoint
self.assertTrue(res.startswith('http'))
# Invalid endpoint
with self.assertRaises(CreateElementFailed):
e.external_endpoint.create('myendpoint', '1.1.1.1a')
# Fail test_external gateway
with self.assertRaises(CreateElementFailed):
ExternalGateway.create('smcpython-externalgw')
site = e.vpn_site.create('pythonsite', [network]) # Create vpn site
self.assertTrue(site.startswith('http'))
with self.assertRaises(CreateElementFailed):
e.vpn_site.create('poosite', ['http://1.1.1.1'])
# Add an additional network to an existing VPN Site
network = Network.create('pythonnetwork', '23.23.23.0/24')
gw = ExternalGateway('smcpython-externalgw')
for sites in gw.vpn_site.all():
self.assertEqual(sites.name, 'pythonsite')
self.assertTrue(sites.site_element)
sites.add_site_element([network]) # Add a network to site list
for network in sites.site_element:
self.assertIn(network.name, ['pythonnetwork', 'py4.4.4.0'])
internal_gateway = sites.gateway
self.assertEqual(internal_gateway.name, 'smcpython-externalgw')
e = ExternalGateway('smcpython-externalgw')
for endpoint in e.external_endpoint:
self.assertFalse(endpoint.force_nat_t) # Disabled
endpoint.enable_disable_force_nat_t() # Enable
self.assertTrue(endpoint.force_nat_t)
endpoint.enable_disable_force_nat_t() # Disable again
self.assertFalse(endpoint.force_nat_t) # Disabled
self.assertTrue(endpoint.enabled) # Enabled
endpoint.enable_disable() # Disable
self.assertFalse(endpoint.enabled)
endpoint.enable_disable() # Enable again
self.assertTrue(endpoint.enabled)
gw.delete()
for network in list(Search('network').objects.all()):
if network.name == 'py4.4.4.0' or network.name == 'pythonnetwork':
network.delete()
def add_dynamic_routing_antispoofing(engine_name):
engine = Engine(engine_name)
engine.dynamic_routing.update_antispoofing([Network('Any network')])
engine.update()
master_engine="master",
virtual_resource="Customer {}".format(vr),
outgoing_intf=1,
interfaces=[
{
"interface_id": 1,
"address": "10.1.1.1",
"network_value": "10.1.1.0/24",
"zone_ref": "",
},
{
"interface_id": 2,
"address": "10.1.2.1",
"network_value": "10.1.2.0/24",
"zone_ref": "",
},
],
)
# Add default route
interface_1 = virtual_engine.routing.get(2)
interface_1.add_static_route(gateway=Router("southbound"),
destination=[Network("Any network")])
print("Virtual Engine created:{}".format(virtual_engine))
finally:
for vr in range(1, 9):
name = "Customer {}".format(vr)
Layer3VirtualEngine(name).delete()
MasterEngine("master").delete()
def engine_creation(engine_name, private_ip, public_ip, protected_network,
router_ip, private_network):
session.login(url=get_url(),
api_key=get_api_key(),
api_version=get_api_version(),
verify=pem_dir)
profile = VPNProfile.get_or_create(name=PROFILE_NAME)
profile.update(capabilities={
'ike_v1': True,
'aes128_for_ike': True,
'aggressive_mode': False,
'sha1_for_ike': True,
'dh_group_2_for_ike': True,
'pre_shared_key_for_ike': True,
'rsa_signature_for_ike': False,
'main_mode': True,
'esp_for_ipsec': True,
'aes128_for_ipsec': True,
'sha1_for_ipsec': True,
'sa_per_net': True,
'pfs_dh_group_2_for_ipsec': True,
'rsa_signature_for_ike': True,
'vpn_client_sa_per_net': True
},
sa_life_time=28800,
tunnel_life_time_seconds=3600,
hybrid_authentication_for_mobile_vpn=True,
trust_all_cas=True)
# we should wait for the engine to be present
engine = None
while not engine:
try:
engine = Engine(engine_name)
except smc.api.exceptions.ElementNotFound as e:
print(e)
print(engine)
print("retrying in 3 sec")
time.sleep(3)
interface = engine.interface.get(0)
# set_stream_logger(log_level=logging.DEBUG)
for sub in interface.sub_interfaces():
sub.data['dynamic'] = False
sub.data['address'] = private_ip
if 'dynamic_index' in sub.data:
del sub.data['dynamic_index']
sub.data['network_value'] = private_network
sub.update()
interface.update()
ROUTER_NAME = "aws_default_router-{}".format(router_ip)
if Router.objects.filter(ROUTER_NAME):
router = Router(ROUTER_NAME)
else:
router = Router.create(ROUTER_NAME, router_ip)
# update routing
interface0 = engine.routing.get(0)
for network in interface0:
if network.name == 'Network (IPv4)':
print("{} should be deleted".format(network))
network.delete()
if network.name == "network-{}".format(private_network):
print("{} should be updated".format(network))
interface0.add_static_route(gateway=router,
destination=[Network('Any network')])
# we need to add custom policy routing so advertised BGP routes are not used when
# we source nat the traffic
engine.data['policy_route'].append(
dict(source=private_ip + '/32',
destination=protected_network,
gateway_ip=router_ip))
engine.update()
# print(interface0.as_tree())
ca = engine.contact_addresses.get(0, interface_ip=private_ip)
ca.add_contact_address(public_ip, location='Default')
session.logout()
def build_vpn_smc(smc_engine_name, gateway_profile, tunnel_config,
external_network_address_space, internal_vpn_endpoint_ip,
internal_vpn_address_space):
engine = Engine(smc_engine_name)
try:
tunnel_if = engine.tunnel_interface.get(1000)
except:
tunnel_if = None
print("Interface doesn't exist, creating it now...")
if tunnel_if:
print("tunnel interface already exists")
else:
engine.tunnel_interface.add_layer3_interface(
interface_id=1000,
address=internal_vpn_endpoint_ip,
network_value=internal_vpn_address_space)
# Enable VPN on the 'Internal Endpoint' interface
vpn_endpoint = engine.vpn_endpoint.get_contains(tunnel_config[2])
vpn_endpoint.update(enabled=True)
tunnel_if = engine.tunnel_interface.get(1000)
local_endpoint = TunnelEndpoint.create_ipsec_endpoint(
engine.vpn.internal_gateway, tunnel_if)
# Create the remote side network elements
Network.get_or_create(name=smc_engine_name + ' Azure-vpn-internal-net',
ipv4_network=external_network_address_space)
# TODO add gatewayProfile name to config and default to 'Default (all capabilities)' if empty
if gateway_profile:
print("Using gateway profie: " + gateway_profile)
gw_profile = GatewayProfile(gateway_profile)
else:
print("Using gateway profie: Default (all capabilities)")
gw_profile = GatewayProfile("Default (all capabilities)")
gw = ExternalGateway.get_or_create(name=smc_engine_name + ' Azure-vpn-gw',
gateway_profile=gw_profile)
try:
gw.external_endpoint.create(name=smc_engine_name +
' Azure-vpn-endpoint-1',
address=tunnel_config[0][0])
gw.external_endpoint.create(name=smc_engine_name +
' Azure-vpn-endpoint-2',
address=tunnel_config[0][1])
except:
print("Endpoints already exist")
try:
gw.vpn_site.create(name=smc_engine_name + ' Azure-vpn-site',
site_element=[
Network(smc_engine_name +
' Azure-vpn-internal-net')
])
except:
print("Azure-vpn-site already exists")
remote_endpoint = TunnelEndpoint.create_ipsec_endpoint(gw)
try:
ipsec_tunnel = RouteVPN().get(name=smc_engine_name + ' Azure-VPN')
except:
print("IPSEC tunnels don't exist, creating them now...")
ipsec_tunnel = None
if ipsec_tunnel:
print("IPSEC tunnel already exists")
else:
RouteVPN.create_ipsec_tunnel(name=smc_engine_name + ' Azure-VPN',
preshared_key=tunnel_config[1],
local_endpoint=local_endpoint,
remote_endpoint=remote_endpoint)
# Python Base Import
from smc import session
from smc.elements.netlink import StaticNetlink, MultilinkMember, Multilink
from smc.elements.network import Network, Router
from smc.vpn.elements import ConnectionType
from smc_info import *
if __name__ == '__main__':
session.login(url=SMC_URL, api_key=API_KEY, verify=False, timeout=120, api_version=API_VERSION)
print("session OK")
try:
# create multi link
# get first connection type
connection_type = list(ConnectionType.objects.all())[0]
network1 = Network("net-10.1.16.0/24")
network2 = Network("net-172.31.16.0/24")
router1 = Router("Etisalat Dubai Router")
router2 = Router("Du Dubai Router")
snl1 = StaticNetlink.create(name="SNL_Premier-ISP",
provider_name="ISP1",
output_speed=40000,
input_speed=40000,
probe_address=["10.1.16.1"],
network=[network1],
gateway=router1,
connection_type=connection_type,
)
snl2 = StaticNetlink.create(name="SNL_Second-ISP",
provider_name="ISP2",
output_speed=50000,
"""
external_gateway = ExternalGateway.create("mygw")
"""
An external endpoint is defined within the external gateway and specifies the
IP address settings and other VPN specific settings for this endpoint
After creating, add to the external gateway
"""
external_gateway.external_endpoint.create(name="myendpoint",
address="2.2.2.2")
"""
Lastly, 'sites' need to be configured that identify the network/s on the
other end of the VPN. You can either use pre-existing network elements, or create
new ones as in the example below.
Then add this site to the external gateway
"""
network = Network.create("remote-network", "1.1.1.0/24").href
external_gateway.vpn_site.create("remote-site", [network])
"""
Retrieve the internal gateway for SMC managed engine by loading the
engine configuration. The internal gateway reference is located as
engine.internal_gateway.href
"""
engine = Engine("testfw").load()
"""
Create the VPN Policy
"""
vpn = PolicyVPN.create(name="myVPN", nat=True)
print(vpn.name, vpn.vpn_profile)
vpn.open()
"""
An external endpoint is defined within the external gateway and specifies the
IP address settings and other VPN specific settings for this endpoint
After creating, add to the external gateway
"""
external_gateway.external_endpoint.create(name='myendpoint',
address='2.2.2.2')
"""
Lastly, 'sites' need to be configured that identify the network/s on the
other end of the VPN. You can either use pre-existing network elements, or create
new ones as in the example below.
Then add this site to the external gateway
"""
network = Network.create('remote-network', '1.1.1.0/24').href
external_gateway.vpn_site.create('remote-site', [network])
"""
Retrieve the internal gateway for SMC managed engine by loading the
engine configuration. The internal gateway reference is located as
engine.internal_gateway.href
"""
engine = Engine('testfw').load()
"""
Create the VPN Policy
"""
vpn = PolicyVPN.create(name='myVPN', nat=True)
print vpn.name, vpn.vpn_profile
