def create_single_fw():
"""
Create single layer 3 firewall for this example
"""
Layer3Firewall.create(name="testfw",
mgmt_ip="192.168.10.1",
mgmt_network="192.168.10.0/24")
def create_single_fw():
"""
Create single layer 3 firewall for this example
"""
Layer3Firewall.create(name='testfw',
mgmt_ip='192.168.10.1',
mgmt_network='192.168.10.0/24')
def create_single_fw():
"""
Create single layer 3 firewall for this example
"""
Layer3Firewall.create(name='testfw',
mgmt_ip='192.168.10.1',
mgmt_network='192.168.10.0/24')
def test_ospf_unicast(self):
for profile in list(Search('ospfv2_interface_settings').objects.all()):
if profile.name.startswith('Default OSPF'):
interface_profile = profile.href
area = OSPFArea.create(name='smcpython-area',
interface_settings_ref=interface_profile,
area_id=0)
self.assertTrue(area.href.startswith('http'))
area = OSPFArea('smcpython-area')
engine = Layer3Firewall.create(name='smcpython-ospf',
mgmt_ip='172.18.1.30',
mgmt_network='172.18.1.0/24',
domain_server_address=['8.8.8.8'],
enable_ospf=True)
self.assertIsInstance(engine, Engine)
host = Host.create(name='smcpython-ospf-user', address='23.23.23.23')
# Get routing resources
for interface in engine.routing.all():
if interface.name == 'Interface 0':
result = interface.add_ospf_area(area,
communication_mode='unicast',
unicast_ref=host)
self.assertIsNone(result)
engine.delete()
area.delete()
Host('smcpython-ospf-user').delete()
def test_create_unicode_name_firewall(self):
fw = Layer3Firewall.create(name='ĂĂĂĂrdvark36',
mgmt_ip='1.1.1.1',
mgmt_network='1.1.1.0/24')
self.assertEquals(fw.name, u'ĂĂĂĂrdvark36',
'unicode fw names do not match')
for fw in list(Search('single_fw').objects.all()):
if fw.name == u'ĂĂĂĂrdvark36': # Required b/c non-ascii. Otherwise use from futures import literals
fw.delete()
def __call__(self, interfaces, default_gateway, location_name):
"""
Create NGFW
:param list interfaces: dict of interface information
:return: self
"""
# Location can be None if SMC is not behind NAT
location = self.add_location(location_name)
for interface in interfaces:
address = interface.get('address')
interface_id = interface.get('interface_id')
network_value = interface.get('network_value')
if interface_id == 0:
mgmt_ip = address
engine = Layer3Firewall.create(
self.name,
mgmt_ip=address,
mgmt_network=network_value,
domain_server_address=self.dns,
reverse_connection=self.reverse_connection,
default_nat=self.default_nat,
enable_antivirus=self.antivirus,
enable_gti=self.gti,
location_ref=location)
engine.add_route(default_gateway, '0.0.0.0/0')
else:
engine.physical_interface.add_single_node_interface(
interface_id=interface_id,
address=address,
network_value=network_value)
logger.info('Created NGFW successfully')
self.engine = engine
# Enable VPN on external interface if policy provided
if self.vpn:
try:
vpn_policy = self.vpn['vpn_policy']
for intf in self.engine.internal_gateway.internal_endpoint.all(
):
if intf.name == mgmt_ip:
intf.modify_attribute(enabled=True, nat_t=True)
role = self.vpn.get('vpn_role') if self.vpn.get(
'vpn_role') else 'central'
VPNPolicy.add_internal_gateway_to_vpn(
self.engine.internal_gateway.href, vpn_policy, role)
except KeyError:
pass
def single_fw(name, mgmt_ip, mgmt_network, mgmt_interface='0', dns=None):
""" Create single firewall with a single management interface
:param name: name of single layer 2 fw
:param mgmt_ip: ip address for management layer 3 interface
:param mgmt_network: netmask for management network
:param mgmt_interface: interface id for l3 mgmt
:param dns: dns servers for management interface (optional)
:return: :py:class:`smc.core.engine.Engine`
"""
result = Layer3Firewall.create(name,
mgmt_ip,
mgmt_network,
mgmt_interface=mgmt_interface,
domain_server_address=dns)
return result
def test_rename_engine(self):
# Test renaming the engine
engine = Layer3Firewall.create(name='smc-python',
mgmt_ip='1.1.1.1',
mgmt_network='1.1.1.0/24')
self.assertIsInstance(engine, Engine)
engine.rename('smc-python2')
self.assertEqual(engine.name, 'smc-python2')
for node in engine.nodes:
self.assertTrue(node.name.startswith('smc-python2'))
self.assertTrue(engine.internal_gateway.name.startswith('smc-python2'))
engine.delete()
def setUp(self):
session.login(url='http://172.18.1.150:8082',
api_key='EiGpKD4QxlLJ25dbBEp20001',
verify=True)
try:
global engine
engine = Engine(running_firewall)
except LoadEngineFailed:
print("Running firewall engine NOT defined. ")
raise
global engine_not_initialized
engine_not_initialized = Layer3Firewall.create(
'smc-python-api-nodetest',
mgmt_ip='1.1.1.1',
mgmt_network='1.1.1.0/24')
def test_create_layer3_firewall_and_add_ospf(self):
for profile in list(Search('ospfv2_interface_settings').objects.all()):
if profile.name.startswith('Default OSPF'):
interface_profile = profile.href
area = OSPFArea.create(name='smcpython-area',
interface_settings_ref=interface_profile,
area_id=0)
self.assertTrue(area.href.startswith('http'))
area = OSPFArea('smcpython-area')
engine = Layer3Firewall.create(name='smcpython-ospf',
mgmt_ip='172.18.1.30',
mgmt_network='172.18.1.0/24',
domain_server_address=['8.8.8.8'],
enable_ospf=True)
self.assertIsInstance(engine, Engine)
# Add IPv6 to make sure OSPF is skipped for that interface
engine.physical_interface.add_single_node_interface(
interface_id=0,
address='2001:db8:85a3::8a2e:370:7334',
network_value='2001:db8:85a3::/64')
# Get routing resources
for interface in engine.routing.all():
# if interface.name == 'Interface 0':
if interface.nicid == '0':
# Apply OSPF 'area0' to interface 0
interface.add_ospf_area(area)
for networks in interface.all(): # Traverse networks
self.assertIn(networks.name, [
'network-172.18.1.0/24', 'network-2001:db8:85a3::/64'
])
self.assertTrue(networks.level == 'network')
# Add only to specified network
for interface in engine.routing.all():
if interface.name == 'Interface 0':
interface.add_ospf_area(area, network='172.18.1.0/24')
engine.delete()
area.delete()
def test_policy_upload(self):
# This will just sit in the task queue because the engine will not be initialized, but still tests
# that policy upload from policy itself triggers properly
policy = FirewallPolicy.create(name='testpolicy',
template='Firewall Inspection Template')
engine = Layer3Firewall.create(name='temppolicy',
mgmt_ip='1.1.1.1',
mgmt_network='1.1.1.0/24')
#self.assertRaises(TaskRunFailed, lambda: policy.upload(engine.name))
task = policy.upload(engine.name)
self.assertTrue(task.follower.startswith('http'))
time.sleep(5)
# Force failure, engine does not exist
self.assertRaises(TaskRunFailed, lambda: policy.upload('bogusfw'))
# Abort queued task then delete policy
for tasks in task_history():
if tasks.follower == task.follower and tasks.in_progress:
print("Abort called")
result = tasks.abort()
# 204 delete successful, 400 if the operation is already being
# aborted
self.assertIsNone(result)
status = task_status(task.follower)
self.assertIsNotNone(status.in_progress)
self.assertIsNone(tasks.foo) # Invalid task attribute
engine.delete()
# Try except required for SMC <6.2.1. BUG filed where abort timing will
# fail on uninitialized engine after policy push
try:
policy.delete()
except DeleteElementFailed:
pass
def test_modify_rules(self):
policy = FirewallPolicy.create(name='myfoopolicy',
template='Firewall Inspection Template')
Host.create(name='foobar', address='1.1.1.1')
host = Host('foobar')
# No action, default to Allow, position set, but no rules so added
# normally
policy.fw_ipv4_access_rules.create(name='myrule',
sources=[host],
add_pos=10)
for rule in policy.fw_ipv4_access_rules.all():
if rule.name == 'myrule':
self.assertEqual(rule.action.action, 'allow')
self.assertIsInstance(rule.authentication_options,
AuthenticationOptions)
self.assertIsInstance(rule.options, LogOptions)
self.assertFalse(rule.is_disabled)
self.assertEqual(rule.parent_policy.name, 'myfoopolicy')
self.assertTrue(rule.destinations.is_none)
self.assertTrue(rule.services.is_none)
self.assertFalse(rule.services.all())
for source in rule.sources.all():
self.assertEqual(source.name, 'foobar')
rule.disable()
rule.comment = 'mycomment'
rule.services.set_any()
rule.save()
self.assertEqual(rule.comment, 'mycomment')
self.assertTrue(rule.is_disabled)
rule.enable()
rule.save()
self.assertFalse(rule.is_disabled)
self.assertTrue(rule.services.is_any)
rule.delete()
Host('foobar').delete()
policy.fw_ipv4_access_rules.create(name='myrule',
sources='any',
destinations=[Host('badhost')],
action=Action())
# Will be returned as type "Element"
engine = Layer3Firewall.create(name='tmpfw',
mgmt_ip='1.1.1.1',
mgmt_network='1.1.1.0/24')
Host.create(name='boo', address='12.12.12.12')
for rule in policy.fw_ipv4_access_rules.all():
if rule.name == 'myrule':
self.assertTrue(rule.destinations.is_none)
self.assertTrue(rule.action.action == 'allow')
self.assertTrue(rule.sources.is_any)
# Host doesn't exist, destinations will remain none
rule.destinations.add(Host('blah'))
rule.save()
self.assertTrue(rule.destinations.is_none)
rule.destinations.add_many([Host('boo'), engine])
rule.save()
dests = list(rule.destinations.all())
self.assertTrue(len(dests) == 2)
for x in rule.destinations.all():
self.assertIsInstance(x, Element)
self.assertIn(x.name, ['tmpfw', 'boo'])
# Test Match Expression
DomainName.create('lepages.net')
Zone.create('MyExZone')
match = MatchExpression.create(name='mymatch',
network_element=Host('boo'),
domain_name=DomainName('lepages.net'),
zone=Zone('MyExZone'))
policy.fw_ipv4_access_rules.create(name='matchex',
sources=[match],
destinations='any',
services='any')
rule = policy.search_rule('matchex')[0]
self.assertTrue(len(rule.sources.all()[0].values()) == 3)
for source in rule.sources.all():
for values in source.values():
self.assertIn(values.name, ['boo', 'lepages.net', 'MyExZone'])
# Test after and before rule position options
# Need rule tag for rule we are inserting around
rule = policy.search_rule('matchex')[0]
policy.fw_ipv4_access_rules.create(name='ruleafter', after=rule.tag)
policy.fw_ipv4_access_rules.create(name='rulebefore', before=rule.tag)
gen = policy.fw_ipv4_access_rules.all()
for x in gen:
if x.name == 'rulebefore':
break
matchex = next(gen)
ruleafter = next(gen)
self.assertEqual(matchex.name, 'matchex')
self.assertEqual(ruleafter.name, 'ruleafter')
# Add a jump rule
with self.assertRaises(MissingRequiredInput):
policy.fw_ipv4_access_rules.create(
name='jumprule',
action='jump',
sub_policy=FirewallSubPolicy('blahblah'))
FirewallSubPolicy.create('subfoo')
policy.fw_ipv4_access_rules.create(
name='jumprule',
action='jump',
sub_policy=FirewallSubPolicy('subfoo'))
rule = policy.search_rule('jumprule')[0]
self.assertEqual(rule.action.action, 'jump')
self.assertEqual(rule.action.sub_policy.href,
FirewallSubPolicy('subfoo').href)
policy.delete()
DomainName('lepages.net').delete()
Zone('MyExZone').delete()
Host('boo').delete()
time.sleep(3)
engine.delete()
def test_NATRules(self):
policy = FirewallPolicy.create(name='apitestpolicy',
template='Firewall Inspection Template')
Host.create('nathost', address='1.1.1.1')
Host.create('sourcenat', address='2.2.2.2')
engine = Layer3Firewall.create(name='natfw',
mgmt_ip='1.1.1.1',
mgmt_network='1.1.1.0/24')
# Source NAT using port restrictions
policy.fw_ipv4_nat_rules.create(name='dynsrcnat',
sources='any',
destinations=[Host('nathost')],
services='any',
dynamic_src_nat='2.2.2.2',
dynamic_src_nat_ports=(30000, 35000))
# Dest NAT by IP
policy.fw_ipv4_nat_rules.create(name='dstnat',
sources='any',
destinations=[Host('nathost')],
services='any',
static_dst_nat='3.3.3.3')
# Destination field cannot be any or none with dest NAT
with self.assertRaises(InvalidRuleValue):
policy.fw_ipv4_nat_rules.create(name='foo',
sources='any',
destinations='any',
services='any',
static_dst_nat='3.3.3.3')
# Source and Dest NAT
policy.fw_ipv4_nat_rules.create(name='dstandsrcnat',
sources='any',
destinations=[Host('sourcenat')],
services='any',
dynamic_src_nat='5.5.5.5',
static_dst_nat='3.3.3.3',
static_dst_nat_ports=(22, 2222))
policy.fw_ipv4_nat_rules.create(name='nonatrule',
sources='any',
destinations='any',
services='any')
# Static src NAT
if is_min_required_smc_version('6.1.2'):
policy.fw_ipv4_nat_rules.create(name='static_src_nat',
sources=[Host('sourcenat')],
destinations='any',
static_src_nat='1.1.1.1')
else:
with self.assertRaises(CreateRuleFailed):
policy.fw_ipv4_nat_rules.create(name='static_src_nat',
sources=[Host('sourcenat')],
destinations='any',
static_src_nat='1.1.1.1')
# Invalid rule
with self.assertRaises(CreateRuleFailed):
policy.fw_ipv4_nat_rules.create(name='foo',
sources='any',
destinations=['any'],
services='any',
static_dst_nat='1.1.1.1')
for rule in policy.fw_ipv4_nat_rules.all():
self.assertIsInstance(rule, IPv4NATRule)
if rule.name == 'dynsrcnat':
self.assertEqual(rule.dynamic_src_nat.translated_value,
'2.2.2.2')
# Not valid for dyn src nat
self.assertIsNone(rule.dynamic_src_nat.original_value)
self.assertEqual(rule.dynamic_src_nat.translated_ports,
(30000, 35000))
elif rule.name == 'dstnat':
if is_min_required_smc_version('6.1.2'):
self.assertEqual(rule.static_dst_nat.translated_value,
'3.3.3.3')
self.assertEqual(rule.static_dst_nat.original_value,
'1.1.1.1')
else: # Version 6.1.1
self.assertEqual(rule.static_dst_nat.translated_value,
'3.3.3.3')
self.assertEqual(rule.static_dst_nat.original_value,
Host('nathost').href)
elif rule.name == 'dstandsrcnat':
self.assertEqual(rule.dynamic_src_nat.translated_ports,
(1024, 65535))
self.assertEqual(rule.dynamic_src_nat.translated_value,
'5.5.5.5')
self.assertEqual(rule.static_dst_nat.translated_value,
'3.3.3.3')
source_port, dest_port = rule.static_dst_nat.translated_ports
self.assertEqual(source_port, 22)
self.assertEqual(dest_port, 2222)
elif rule.name == 'nonatrule':
self.assertFalse(rule.static_src_nat.has_nat)
self.assertFalse(rule.dynamic_src_nat.has_nat)
self.assertFalse(rule.static_dst_nat.has_nat)
# Test unsed on attribute
self.assertIsNone(rule.used_on)
# Catch the ElementNotFound, no change
rule.used_on = Host('nonexistanthost')
self.assertIsNone(rule.used_on)
rule.used_on = engine
self.assertEqual(rule.used_on.name, 'natfw')
# IPv6 NAT
Host.create(name='myipv6',
ipv6_address='2001:0db8:85a3:0000:0000:8a2e:0370:7334')
policy.fw_ipv6_nat_rules.create(name='mynat',
sources=[Host('myipv6')],
destinations='any',
services='any',
dynamic_src_nat='2001:db8::2:1')
rule_matches = policy.search_rule('nonatrule')
self.assertIsInstance(rule_matches[0], IPv4NATRule)
no_rule_match = policy.search_rule('blahblahfoo')
self.assertTrue(len(no_rule_match) == 0)
engine.delete()
policy.delete()
Host('nathost').delete()
Host('sourcenat').delete()
Host('myipv6').delete()
Specify a policy to upload once the single FW instance has made the initial contact. This will
be queued and kick off once the contact is complete.
Generate the initial contact information for sg-reconfigure on the virtual or appliance.
"""
from smc import session
from smc.core.engines import Layer3Firewall
if __name__ == '__main__':
session.login(url='http://172.18.1.25:8082',
api_key='4366TuolHMJp3nHaUeF60001')
# Create base engine specifying management IP info and management
# interface number
engine = Layer3Firewall.create('myfirewall',
mgmt_ip='172.18.1.160',
mgmt_network='172.18.1.0/24',
mgmt_interface=0,
domain_server_address=['8.8.8.8'])
if engine:
print "Successfully created Layer 3 firewall, adding interfaces.."
# Create a new physical interface for single firewall
engine.physical_interface.add_single_node_interface(
interface_id=1, address='1.1.1.1', network_value='1.1.1.0/24')
# Create a second interface using VLANs and assign IP info
engine.physical_interface.add_vlan_to_single_node_interface(
interface_id=2,
address='2.2.2.2',
network_value='2.2.2.0/24',
def exec_module(self, **kwargs):
state = kwargs.pop('state', 'present')
for name, value in kwargs.items():
setattr(self, name, value)
changed = False
engine = self.fetch_element(Layer3Firewall)
try:
if state == 'present':
if not engine:
# Find interface designated as management
if not self.interfaces:
self.fail(
msg=
'You must define at least 1 interface when creating a NGFW'
)
# Internal Endpoints are referenced by their IP address
enable_vpn = []
mgmt_index = None
for num, value in enumerate(self.interfaces):
if 'interface_id' not in value:
self.fail(
msg=
'Interface requires at least interface_id be '
'defined.')
if value.get('type', None) == 'tunnel_interface' and \
('address' not in value or 'network_value' not in value):
self.fail(
msg=
'Missing either address or network_value for tunnel interface'
)
if str(value.get('interface_id')) == str(
self.mgmt_interface):
mgmt_index = num
vpn = value.pop('enable_vpn', None)
if vpn: # True
enable_vpn.append(value['address'])
if mgmt_index is None:
self.fail(
msg=
'Management interface definition not found in interfaces. '
'Management interface specified: {}'.format(
self.mgmt_interface))
if self.check_mode:
return self.results
mgmt = self.interfaces.pop(mgmt_index)
engine = Layer3Firewall.create(
name=self.name,
mgmt_ip=mgmt.get('address'),
mgmt_network=mgmt.get('network_value'),
mgmt_interface=self.mgmt_interface,
log_server_ref=self.log_server,
default_nat=self.default_nat,
domain_server_address=self.domain_server_address,
enable_antivirus=self.enable_antivirus,
enable_gti=self.enable_gti,
location_ref=self.location,
enable_ospf=self.enable_ospf,
sidewinder_proxy_enabled=self.enable_sidewinder_proxy,
ospf_profile=None,
interfaces=self.interfaces)
if enable_vpn:
for internal_gw in engine.vpn_endpoint:
if internal_gw.name in enable_vpn:
internal_gw.update(enabled=True)
if self.tags:
if self.add_tags(engine, self.tags):
changed = True
changed = True
else: # Engine exists, check for modifications
# Start with engine properties..
status = engine.default_nat.status
if self.default_nat:
if not status:
engine.default_nat.enable()
changed = True
else: # False or None
if status:
engine.default_nat.disable()
changed = True
status = engine.antivirus.status
if self.enable_antivirus:
if not status:
engine.antivirus.enable()
changed = True
else:
if status:
engine.antivirus.disable()
changed = True
dns = [d.value for d in engine.dns]
missing = [
entry for entry in self.domain_server_address
if entry not in dns
]
# Remove unneeded
unneeded = [
entry for entry in dns
if entry not in self.domain_server_address
if entry is not None
]
if missing:
engine.dns.add(missing)
changed = True
if unneeded:
engine.dns.remove(unneeded)
changed = True
if self.check_mode:
return self.results
# Update checkpoint. Adding and removing interfaces will
# already automatically update the engine.
if changed:
engine.update()
# Interfaces to enable VPN
enable_vpn = {}
# Iterate the interfaces. Add interfaces that do not exist.
# Then remove interfaces that are not defined in the
# playbook yml.
for interface in self.interfaces:
interface_id = interface['interface_id']
try:
itf = engine.interface.get(interface_id)
# If this interface does not have IP addresses assigned,
# then assign. It is not currently possible to unassign
# addresses. Instead, delete the interface
if 'address' in interface and 'network_value' in interface:
if 'enable_vpn' in interface:
enable_vpn[interface.get(
'address')] = interface.pop(
'enable_vpn')
addresses = itf.addresses
if not addresses:
engine.physical_interface.add_layer3_interface(
**interface)
changed = True
else:
# Has addresses, change if different
for sub in itf.interfaces:
if sub.address != interface['address']:
itf.change_single_ipaddress(
address=interface['address'],
network_value=interface[
'network_value'])
changed = True
except InterfaceNotFound:
if 'address' in interface and 'network_value' in interface:
if interface.get('type',
None) == 'tunnel_interface':
engine.tunnel_interface.add_single_node_interface(
tunnel_id=interface_id,
address=interface['address'],
network_value=interface[
'network_value'],
zone_ref=interface.get(
'zone_ref', None))
changed = True
else:
if 'enable_vpn' in interface:
enable_vpn[interface.get(
'address')] = interface.pop(
'enable_vpn')
engine.physical_interface.add_layer3_interface(
**interface)
changed = True
else:
# Interface with no addresses, ignore enable_vpn
engine.physical_interface.add(
interface_id,
zone_ref=interface.get('zone_ref', None))
changed = True
# Check the VPN settings for the interfaces. If you want
# to explicitly disable VPN, set enable_vpn: False in the
# playbook
for vpn in engine.vpn_endpoint:
if vpn.name in enable_vpn:
#self.fail(msg="VPN name in: %s" % vpn.name)
if not vpn.enabled and enable_vpn.get(vpn.name):
vpn.update(enabled=True)
changed = True
elif vpn.enabled and not enable_vpn.get(vpn.name):
vpn.update(enabled=False)
changed = True
if self.tags:
if self.add_tags(engine, self.tags):
changed = True
else:
if self.clear_tags(engine):
changed = True
self.results.update(state=engine.data, changed=changed)
elif state == 'absent':
if engine:
engine.delete()
changed = True
except SMCException as err:
self.fail(msg=str(err), exception=traceback.format_exc())
self.results['changed'] = changed
return self.results
Specify a policy to upload once the single FW instance has made the initial contact. This will
be queued and kick off once the contact is complete.
Generate the initial contact information for sg-reconfigure on the virtual or appliance.
"""
from smc import session
from smc.core.engines import Layer3Firewall
if __name__ == '__main__':
session.login(url='http://172.18.1.25:8082',
api_key='4366TuolHMJp3nHaUeF60001')
# Create base engine specifying management IP info and management
# interface number
engine = Layer3Firewall.create('myfirewall',
mgmt_ip='172.18.1.160',
mgmt_network='172.18.1.0/24',
mgmt_interface=0,
domain_server_address=['8.8.8.8'])
if engine:
print "Successfully created Layer 3 firewall, adding interfaces.."
# Create a new physical interface for single firewall
engine.physical_interface.add_single_node_interface(interface_id=1,
address='1.1.1.1',
network_value='1.1.1.0/24')
# Create a second interface using VLANs and assign IP info
engine.physical_interface.add_vlan_to_single_node_interface(interface_id=2,
address='2.2.2.2',
network_value='2.2.2.0/24',
Interface 0
"""
for profile in describe_ospfv2_interface_settings():
if profile.name.startswith('Default OSPF'):
profile_ref = profile.href
area = OSPFArea.create(name='area0',
interface_settings_ref=profile_ref,
area_id=0)
area = OSPFArea('area0') # obtain resource
# Create layer 3 firewall and enable OSPF, using the default system
# OSPFProfile
engine = Layer3Firewall.create(name='ospf-fw',
mgmt_ip='172.18.1.30',
mgmt_network='172.18.1.0/24',
domain_server_address=['8.8.8.8'],
enable_ospf=True)
# Get routing resources for this newly created engine
for interface in engine.routing.all():
if interface.name == 'Interface 0':
# Apply OSPF 'area0' to interface 0
result = interface.add_ospf_area(area)
if result.href:
print "Success!"
else:
print "Failed with message: %s" % result.msg
session.logout()
def test_layer3_engine_methods(self):
# Test each of the top level engine methods
engine = Layer3Firewall.create(name='smcpython-fw',
mgmt_ip='1.1.1.1',
mgmt_network='1.1.1.0/24')
self.assertIsInstance(engine, Engine)
if session.api_version >= 6.1:
test = Engine('smcpython-fw')
self.assertTrue(test.type == 'single_fw')
self.assertTrue(test.href.startswith('http'))
self.assertTrue(test.version is None)
self.assertTrue(isinstance(test.nodes, list))
# Modify an attribute, i.e. antivirus:
self.assertTrue(
engine.modify_attribute(
antivirus={
'antivirus_enabled': False,
'antivirus_update': 'daily',
'antivirus_update_day': 'mo',
'antivirus_update_time': 21600000,
'virus_log_level': 'none',
'virus_mirror': 'update.nai.com/Products/CommonUpdater'
}).startswith('http'))
# Test Fail load using wildcard
Host.create('testengine', '1.1.1.1')
Host.create('testengine2', '2.2.2.2')
with self.assertRaises(ElementNotFound):
foo = Engine('testengine*')
foo.href
Host('testengine').delete()
Host('testengine2').delete()
# Engine type
self.assertEqual(engine.type, 'single_fw')
# Get the node type
self.assertEqual(engine.nodes[0].type, 'firewall_node')
# Iterate nodes
for node in engine.nodes:
self.assertIsInstance(repr(node), str)
self.assertIsInstance(node, Node)
# Get permissions, only for SMC API >- 6.1
if session.api_version >= 6.1:
for x in engine.permissions:
self.assertIsInstance(x, AccessControlList)
else:
self.assertRaises(UnsupportedEngineFeature,
lambda: engine.permissions())
# Get aliases
aliases = engine.alias_resolving()
for alias in aliases:
self.assertIsInstance(alias, Alias)
self.assertIsNotNone(alias.name)
self.assertTrue(alias.href.startswith('http'))
self.assertIsInstance(alias.resolved_value, list)
# Resolve the IP address alias for this engine
alias = Alias('$$ Interface ID 0.ip')
self.assertIn('1.1.1.1', alias.resolve('smcpython-fw'))
# Blacklist, will fail as engine is not live or connected to SMC
self.assertRaises(EngineCommandFailed,
lambda: engine.blacklist('1.1.1.1/32', '0.0.0.0/0'))
# Blacklist flush, same as above
self.assertRaises(EngineCommandFailed,
lambda: engine.blacklist_flush())
# Add route, valid
result = engine.add_route('1.1.1.254', '192.168.1.0/24')
self.assertIsNone(result)
# Add route, invalid, msg attribute set
self.assertRaises(EngineCommandFailed,
lambda: engine.add_route('2.2.2.2', '10.10.10.0/22'))
# Get routes, will catch SMCConnectionException because the engine doesnt
# exist and will be unresponsive. It should catch and return empty list
# A response is sent back in 6.1.2, but should be none
if is_min_required_smc_version('6.1.2'):
self.assertRaises(EngineCommandFailed,
lambda: engine.routing_monitoring)
else: # Timeout in version 6.1.1 or earlier
self.assertRaises(EngineCommandFailed,
lambda: engine.routing_monitoring)
# Get antispoofing info
Network.create(name='network-10.1.2.0/24', ipv4_network='10.1.2.0/24')
spoofing = engine.antispoofing
self.assertIsInstance(spoofing, Antispoofing)
for entry in engine.antispoofing.all():
if entry.name == 'Interface 0':
self.assertEqual(entry.level, 'interface')
self.assertEqual(entry.validity, 'enable')
entry.add(Network('network-10.1.2.0/24'))
# Look for our network
for entry in engine.antispoofing.all():
if entry.name == 'Interface 0':
for network in entry.all():
if network.name == 'network-10.1.2.0/24':
self.assertEqual(network.ip, '10.1.2.0/24')
self.assertTrue(
engine.internal_gateway.name.startswith('smcpython-fw'))
# Get internal gateway
for gw in engine.internal_gateway.internal_endpoint.all():
self.assertEqual(gw.name, '1.1.1.1') # matches interface IP
# Get vpn sites
for sites in engine.internal_gateway.vpn_site.all():
self.assertTrue(
sites.name.startswith('Automatic Site for smcpython-fw'))
# Gen certificate for internal gateway, fail because engine can't gen
# cert
v = VPNCertificate('myorg', 'foo.org')
self.assertRaises(
CertificateError,
lambda: engine.internal_gateway.generate_certificate(v))
# Gateway certificate request, not implemented as of 0.3.7
self.assertTrue(
len(engine.internal_gateway.gateway_certificate()) == 0)
# Gateway certificate, not implemented as of 0.3.7
self.assertTrue(
len(engine.internal_gateway.gateway_certificate_request()) == 0)
# Get a virtual resource on non supported device type
self.assertRaises(UnsupportedEngineFeature,
lambda: engine.virtual_resource)
# Get interfaces
for intf in engine.interface.all():
self.assertEqual(intf.name, 'Interface 0')
# Get virtual physical interface, not supported on layer 3 engine
self.assertRaises(UnsupportedInterfaceType,
lambda: engine.virtual_physical_interface)
# Get modem interfaces
self.assertTrue(len(engine.modem_interface) == 0)
# Get adsl interfaces
self.assertTrue(len(engine.adsl_interface) == 0)
# Get wireless interface
self.assertTrue(len(engine.wireless_interface) == 0)
# Get switch interface
self.assertTrue(len(engine.switch_physical_interface) == 0)
# Get tunnel interfaces
engine.tunnel_interface.add_single_node_interface(
tunnel_id=1000, address='2.2.2.2', network_value='2.2.2.0/24')
intf = engine.interface.get(1000)
self.assertIsInstance(intf, TunnelInterface)
# Query tunnel interfaces
for intf in engine.tunnel_interface.all():
self.assertEqual(intf.name, 'Tunnel Interface 1000')
# Refresh policy, fails as engine not ready
self.assertRaises(TaskRunFailed, lambda: engine.refresh())
# Upload, policy doesn't exist
self.assertRaises(TaskRunFailed, lambda: engine.upload(policy='foo'))
# Generate snapshot #TODO: Bug
with self.assertRaises(EngineCommandFailed):
engine.generate_snapshot()
# See snapshots. Policy hasnt been pushed yet so they wont exist
self.assertTrue(len(list(engine.snapshots)) == 0)
# Delete
engine.delete()
Network('network-10.1.2.0/24').delete()
def test_add_VPN_external_and_satellite_gw(self):
firewall_central = Layer3Firewall.create('centralfw',
mgmt_ip='1.1.1.1',
mgmt_network='1.1.1.0/24')
self.assertIsInstance(firewall_central, Engine)
firewall_satellite = Layer3Firewall.create('satellitefw',
mgmt_ip='2.2.2.2',
mgmt_network='2.2.2.0/24')
self.assertIsInstance(firewall_satellite, Engine)
policy = VPNPolicy.create(name='tmptestvpn')
self.assertIsInstance(policy, VPNPolicy)
self.assertTrue(
VPNPolicy.add_internal_gateway_to_vpn(
firewall_central.internal_gateway.href,
vpn_policy='tmptestvpn',
vpn_role='central'))
self.assertTrue(
VPNPolicy.add_internal_gateway_to_vpn(
firewall_satellite.internal_gateway.href,
vpn_policy='tmptestvpn',
vpn_role='satellite'))
# Invalid vpn policy
self.assertFalse(
VPNPolicy.add_internal_gateway_to_vpn(
firewall_central.internal_gateway.href, vpn_policy='foobar'))
with self.assertRaises(PolicyCommandFailed):
policy.close()
policy.open()
for gw in policy.central_gateway_node.all():
self.assertFalse(list(gw.disabled_sites))
for site in list(gw.enabled_sites):
self.assertTrue('centralfw' in site.name)
site.enable_disable()
for site in list(gw.disabled_sites):
self.assertTrue('centralfw' in site.name)
site.enable_disable()
for site in list(gw.enabled_sites):
self.assertTrue('centralfw' in site.name)
# Test the nodes
for gw in policy.central_gateway_node.all():
self.assertIsInstance(gw, GatewayNode)
self.assertTrue(gw.name.startswith('centralfw'))
central_site = list(gw.enabled_sites)
self.assertIsInstance(central_site[0], GatewayTreeNode)
self.assertFalse(list(gw.disabled_sites))
gw.delete()
for gw in policy.satellite_gateway_node.all():
self.assertIsInstance(gw, GatewayNode)
self.assertTrue(gw.name.startswith('satellitefw'))
gw.delete()
for mobilegw in policy.mobile_gateway_node.all():
self.assertIsInstance(mobilegw, GatewayNode)
self.assertIsNotNone(policy.validate()) # Already deleted gw's
self.assertIsInstance(policy.gateway_tunnel(), list)
policy.save()
policy.close()
# Delete VPN
policy.delete()
# Delete FW's
firewall_central.delete()
firewall_satellite.delete()
create a layer 3 firewall, enabling OSPF and applying the OSPF Area to
Interface 0
"""
for profile in describe_ospfv2_interface_settings():
if profile.name.startswith('Default OSPF'):
profile_ref = profile.href
area = OSPFArea.create(name='area0',
interface_settings_ref=profile_ref,
area_id=0)
area = OSPFArea('area0') #obtain resource
#Create layer 3 firewall and enable OSPF, using the default system
#OSPFProfile
engine = Layer3Firewall.create(name='ospf-fw',
mgmt_ip='172.18.1.30',
mgmt_network='172.18.1.0/24',
domain_server_address=['8.8.8.8'],
enable_ospf=True)
#Get routing resources for this newly created engine
for interface in engine.routing.all():
if interface.name == 'Interface 0':
result = interface.add_ospf_area(
area) #Apply OSPF 'area0' to interface 0
if result.href:
print "Success!"
else:
print "Failed with message: %s" % result.msg
session.logout()
def test_create_engine_add_bgp_peering(self):
engine = Layer3Firewall.create(name='myfw',
mgmt_ip='1.1.1.1',
mgmt_network='1.1.1.0/24')
engine.physical_interface.add_single_node_interface(
interface_id=0, address='5.5.5.5', network_value='5.5.5.0/24')
Network.create(name='bgpnet', ipv4_network='2.2.2.0/24')
AutonomousSystem.create(name='aws_as', as_number=20000)
engine.enable_bgp(autonomous_system=AutonomousSystem('aws_as'),
announced_networks=[Network('bgpnet')])
BGPPeering.create(name='mypeer')
ExternalBGPPeer.create(name='neighbor',
neighbor_as_ref=AutonomousSystem('aws_as'),
neighbor_ip='3.3.3.3')
# Only add to a single network
for route in engine.routing.all():
if route.nicid == '0':
route.add_bgp_peering(BGPPeering('mypeer'),
ExternalBGPPeer('neighbor'),
network='5.5.5.0/24')
# Traverse the nested routing tree..
for route in engine.routing.all():
if route.nicid == '0':
for bgp_peering in route.all():
if bgp_peering.ip == '5.5.5.0/24':
for peering in bgp_peering.all(): # BGPPeering
self.assertEqual(peering.name, 'mypeer')
for external_peer in peering.all(
): # ExternalBGPPeer
self.assertEqual(external_peer.name,
'neighbor')
engine.delete()
# Add BGP to all interfaces
engine = Layer3Firewall.create(name='myfw',
mgmt_ip='1.1.1.1',
mgmt_network='1.1.1.0/24')
engine.physical_interface.add_single_node_interface(
interface_id=0, address='5.5.5.5', network_value='5.5.5.0/24')
# Only add to a single network
interface = engine.routing.get(0)
# for route in engine.routing.all():
# if route.nicid == '0':
interface.add_bgp_peering(BGPPeering('mypeer'),
ExternalBGPPeer('neighbor'))
for route in engine.routing.all():
if route.nicid == '0':
for bgp_peering in route.all():
for peering in bgp_peering.all():
self.assertEqual(peering.name, 'mypeer') # BGPPeering
for external_peer in peering.all():
# ExternalBGPPeer
self.assertEqual(external_peer.name, 'neighbor')
engine.delete()
