def test_firewall_address(self): cmd = cli_converter.convert_command('firewall_address.txt', 'C:/BulkChanger/input') self.assertEqual( cmd[0].body, '{"name":"ffn-support-i1","subnet":"193.104.116.2 255.255.255.255"}' ) self.assertEqual(cmd[0].action, 'edit') self.assertEqual(cmd[0].name, 'ffn-support-i1') self.assertEqual(cmd[0].path, 'firewall/address') self.assertEqual( cmd[1].body, '{"name":"net_sslvpn","associated-interface":"ssl.root",' '"subnet":"10.254.254.0 255.255.255.0"}') self.assertEqual(cmd[1].action, 'edit') self.assertEqual(cmd[1].name, 'net_sslvpn') self.assertEqual(cmd[1].path, 'firewall/address') self.assertEqual( cmd[2].body, '{"name":"grp_ffn-support","member":[{"name":"ffn-support-i1"},' '{"name":"ffn-support-i4"},{"name":"fqdn_gway.firstframe.net"},' '{"name":"fqdn_surfgate.firstframe.net"},' '{"name":"fqdn_manager.firstframe.net"}]}') self.assertEqual(cmd[2].action, 'edit') self.assertEqual(cmd[2].name, 'grp_ffn-support') self.assertEqual(cmd[2].path, 'firewall/addrgrp')
def test_proxy_options(self): cmd = cli_converter.convert_command('proxy_options.txt', 'C:/BulkChanger/input') self.assertEqual( cmd[0].body, '{"name":"po_standard","http":{"ports":"80","options":"clientcomfort",' '"comfort-interval":"1","comfort-amount":"1024","post-lang":null},' '"ftp":{"ports":"21","options":"clientcomfort","comfort-interval":"1",' '"comfort-amount":"1024"},"imap":{"ports":"143","options":null},' '"mapi":{"ports":"135","options":null},"pop3":{"ports":"110","options":null},' '"smtp":{"ports":"25","options":null},"nntp":{"ports":"119","options":null},' '"im":{"options":null},"dns":{"ports":"53"}}') self.assertEqual(cmd[0].action, 'edit') self.assertEqual(cmd[0].name, 'po_standard') self.assertEqual(cmd[0].path, 'firewall/profile-protocol-options') self.assertEqual( cmd[1].body, '{"name":"po_standard","http":{"ports":"80","options":"clientcomfort",' '"comfort-interval":"1","comfort-amount":"1024","post-lang":null},' '"ftp":{"ports":"21","options":"clientcomfort","comfort-interval":"1",' '"comfort-amount":"1024"},"imap":{"ports":"143","options":null},' '"mapi":{"ports":"135","options":null},"pop3":{"ports":"110","options":null},' '"smtp":{"ports":"25","options":null},"nntp":{"ports":"119","options":null},' '"im":{"options":null},"dns":{"ports":"53"}}') self.assertEqual(cmd[1].action, 'edit') self.assertEqual(cmd[1].name, 'po_standard') self.assertEqual(cmd[1].path, 'firewall/profile-protocol-options')
def test_delete_command(self): cmd = cli_converter.convert_command('delete.txt', 'C:/BulkChanger/input') self.assertEqual(cmd[0].body, '') self.assertEqual(cmd[0].action, 'delete') self.assertEqual(cmd[0].name, '1') self.assertEqual(cmd[0].path, 'firewall/policy')
def test_local_in_policy(self): cmd = cli_converter.convert_command('local_in_policy.txt', 'C:/BulkChanger/input') self.assertEqual( cmd[0].body, '{"intf":"internet","srcaddr":[{"name":"all"}],' '"dstaddr":[{"name":"all"}],"action":"accept","service":[{"name":"PING"},' '{"name":"IKE"},{"name":"ESP"},{"name":"HTTPS"},{"name":"fortisslvpn"}],' '"schedule":"always"}') self.assertEqual(cmd[0].action, 'edit') self.assertEqual(cmd[0].name, '0') self.assertEqual(cmd[0].path, 'firewall/local-in-policy') self.assertEqual( cmd[1].body, '{"intf":"internet","srcaddr":[{"name":"grp_ffn-support"},' '{"name":"grp_forti-support"}],"dstaddr":[{"name":"all"}],"action":"accept",' '"service":[{"name":"SSH"},{"name":"fortiadmin"},{"name":"ALL_ICMP"}],' '"schedule":"always"}') self.assertEqual(cmd[1].action, 'edit') self.assertEqual(cmd[1].name, '0') self.assertEqual(cmd[1].path, 'firewall/local-in-policy') self.assertEqual( cmd[2].body, '{"intf":"internet","srcaddr":[{"name":"all"}],' '"dstaddr":[{"name":"all"}],"service":[{"name":"ALL"}],"schedule":"always"}' ) self.assertEqual(cmd[2].action, 'edit') self.assertEqual(cmd[2].name, '0') self.assertEqual(cmd[2].path, 'firewall/local-in-policy')
def test_ssl_vpn(self): cmd = cli_converter.convert_command('ssl_vpn.txt', 'C:/BulkChanger/input') self.assertEqual(cmd[0].body, '') self.assertEqual(cmd[0].action, 'delete') self.assertEqual(cmd[0].name, 'full-access') self.assertEqual(cmd[0].path, 'vpn.ssl.web/portal') self.assertEqual(cmd[1].body, '') self.assertEqual(cmd[1].action, 'delete') self.assertEqual(cmd[1].name, 'tunnel-access') self.assertEqual(cmd[1].path, 'vpn.ssl.web/portal') self.assertEqual(cmd[2].body, '') self.assertEqual(cmd[2].action, 'delete') self.assertEqual(cmd[2].name, 'web-access') self.assertEqual(cmd[2].path, 'vpn.ssl.web/portal') self.assertEqual( cmd[3].body, '{"name":"none","web-mode":"enable","limit-user-logins":"enable",' '"user-bookmark":"disable","display-connection-tools":"disable",' '"display-history":"disable","display-status":"disable",' '"heading":"SSL-VPN Dummypage"}') self.assertEqual(cmd[3].action, 'edit') self.assertEqual(cmd[3].name, 'none') self.assertEqual(cmd[3].path, 'vpn.ssl.web/portal') self.assertEqual( cmd[4].body, '{"sslv3":"disable","servercert":"Fortinet_Factory","algorithm":"high",' '"idle-timeout":"3600","auth-timeout":"43200",' '"tunnel-ip-pools":[{"name":"net_sslvpn"}],"port":"443",' '"source-interface":[{"name":"internet"}],"source-address":[{"name":"all"}],' '"source-address6":[{"name":"all"}],"default-portal":"none"}') self.assertEqual(cmd[4].action, '') self.assertEqual(cmd[4].name, '') self.assertEqual(cmd[4].path, 'vpn.ssl/settings')
def test_device_settings(self): cmd = cli_converter.convert_command('device_settings.txt', 'C:/BulkChanger/input') self.assertEqual(cmd[0].body, '{"admin-sport":"8443","admintimeout":"240"}') self.assertEqual(cmd[0].action, '') self.assertEqual(cmd[0].name, '') self.assertEqual(cmd[0].path, 'system/global')
def test_interface_zone(self): cmd = cli_converter.convert_command('interface_zone.txt', 'C:/BulkChanger/input') self.assertEqual( cmd[0].body, '{"name":"internet","interface":[{"interface-name":"wan1"},{"interface-name":"wan2"}]}' ) self.assertEqual(cmd[0].action, 'edit') self.assertEqual(cmd[0].name, 'internet') self.assertEqual(cmd[0].path, 'system/zone')
def test_antivirus_profile(self): cmd = cli_converter.convert_command('antivirus_profile.txt', 'C:/BulkChanger/input') self.assertEqual( cmd[0].body, '{"name":"av_standard","inspection-mode":"proxy","http":{"options":"scan"},' '"ftp":{"options":"scan"},"imap":{"options":"scan"},"pop3":{"options":"scan"},' '"smtp":{"options":"scan"},"mapi":{"options":"scan"}}') self.assertEqual(cmd[0].action, 'edit') self.assertEqual(cmd[0].name, 'av_standard') self.assertEqual(cmd[0].path, 'antivirus/profile')
def test_rename(self): cmd = cli_converter.convert_command('rename.txt', 'C:/BulkChanger/input') self.assertEqual(cmd[0].body, '{"desc":"allow"}') self.assertEqual(cmd[0].action, 'rename') self.assertEqual(cmd[0].name, 'allow') self.assertEqual(cmd[0].path, 'webfilter/ftgd-local-cat/custom1') self.assertEqual(cmd[1].body, '{"desc":"block"}') self.assertEqual(cmd[1].action, 'rename') self.assertEqual(cmd[1].name, 'block') self.assertEqual(cmd[1].path, 'webfilter/ftgd-local-cat/custom2')
def test_firewall_policy(self): cmd = cli_converter.convert_command('firewall_policy.txt', 'C:/BulkChanger/input') self.assertEqual( cmd[0].body, '{"srcintf":[{"name":"internal"}],"dstintf":[{"name":"internet"}],' '"srcaddr":[{"name":"all"}],"dstaddr":[{"name":"all"}],"action":"accept","schedule":"always",' '"service":[{"name":"ALL"}],"logtraffic":"all","comments":"fge test","nat":"enable"}' ) self.assertEqual(cmd[0].action, 'edit') self.assertEqual(cmd[0].name, '0') self.assertEqual(cmd[0].path, 'firewall/policy')
def test_app_conrol(self): cmd = cli_converter.convert_command('app_control.txt', 'C:/BulkChanger/input') self.assertEqual( cmd[0].body, '{"name":"ac_standard","other-application-log":"enable","unknown-application-log":"enable",' '"entries":[{"category":[{"id":"6"},{"id":"19"}]},{"category":[{"id":"2"},{"id":"3"},' '{"id":"5"},{"id":"7"},{"id":"8"},{"id":"12"},{"id":"15"},{"id":"17"},{"id":"21"},' '{"id":"22"},{"id":"23"},{"id":"25"},{"id":"26"},{"id":"28"},{"id":"29"},{"id":"30"},' '{"id":"31"}],"action":"pass"}]}') self.assertEqual(cmd[0].action, 'edit') self.assertEqual(cmd[0].name, 'ac_standard') self.assertEqual(cmd[0].path, 'application/list')
def test_policy_settings(self): cmd = cli_converter.convert_command('policy_settings.txt', 'C:/BulkChanger/input') self.assertEqual( cmd[0].body, '{"name":"dpo","accprofile":"super_admin","vdom":"root","password":'******'"ENC AK16D3CKqjt+2aM/xf2ieZJcDoFdx2MhS5TxQWngTJi61s="}') self.assertEqual(cmd[0].action, 'edit') self.assertEqual(cmd[0].name, 'dpo') self.assertEqual(cmd[0].path, 'system/admin') self.assertEqual( cmd[1].body, '{"name":"dgu","accprofile":"super_admin","vdom":"root","password":'******'"ENC AK1P+a8jSjvASnxe4qTPCFGtCkpZYhdUJDWC1IzLHQVRe0="}') self.assertEqual(cmd[1].action, 'edit') self.assertEqual(cmd[1].name, 'dgu') self.assertEqual(cmd[1].path, 'system/admin')
def test_ips_sensor(self): cmd = cli_converter.convert_command('ips_sensor.txt', 'C:/BulkChanger/input') self.assertEqual( cmd[0].body, '{"name":"ips_outgoing","entries":[{"location":"client ","severity":"critical ",' '"os":"Other Windows Linux MacOS ","status":"enable","log-packet":"enable","action":"block"},' '{"location":"client ","severity":"high ","os":"Other Windows Linux MacOS "}]}' ) self.assertEqual(cmd[0].action, 'edit') self.assertEqual(cmd[0].name, 'ips_outgoing') self.assertEqual(cmd[0].path, 'ips/sensor') self.assertEqual( cmd[1].body, '{"name":"ips_incoming","entries":[{"location":"server ","severity":"critical ",' '"os":"Other Windows Linux ","status":"enable","log-packet":"enable","action":"block"},' '{"location":"server ","severity":"high ","os":"Other Windows Linux "}]}' ) self.assertEqual(cmd[1].action, 'edit') self.assertEqual(cmd[1].name, 'ips_incoming') self.assertEqual(cmd[1].path, 'ips/sensor')
def test_firewall_service(self): cmd = cli_converter.convert_command('firewall_service.txt', 'C:/BulkChanger/input') self.assertEqual( cmd[0].body, '{"name":"fortimanager","category":"Remote Access","tcp-portrange":"541"}' ) self.assertEqual(cmd[0].action, 'edit') self.assertEqual(cmd[0].name, 'fortimanager') self.assertEqual(cmd[0].path, 'firewall.service/custom') self.assertEqual(cmd[1].body, '{"name":"fortiadmin","tcp-portrange":"8443"}') self.assertEqual(cmd[1].action, 'edit') self.assertEqual(cmd[1].name, 'fortiadmin') self.assertEqual(cmd[1].path, 'firewall.service/custom') self.assertEqual( cmd[2].body, '{"name":"guest-services","member":[{"name":"HTTP"},{"name":"HTTPS"},' '{"name":"IMAP"},{"name":"IMAPS"},{"name":"POP3"},{"name":"POP3S"},' '{"name":"SMTP"},{"name":"SMTPS"},{"name":"FTP"},{"name":"PING"},' '{"name":"DNS"}]}') self.assertEqual(cmd[2].action, 'edit') self.assertEqual(cmd[2].name, 'guest-services') self.assertEqual(cmd[2].path, 'firewall.service/group')
def test_webfilter_profile(self): cmd = cli_converter.convert_command('webfilter_profile.txt', 'C:/BulkChanger/input') self.assertEqual( cmd[0].body, '{"name":"wf_standard","override":{"ovrd-user-group":""},' '"web":{"log-search":"enable"},' '"ftgd-wf":{"options":"http-err-detail redir-block",' '"category-override":"140 141","filters":[{"id":"1","category":"26",' '"action":"block"},{"id":"2","category":"61","action":"block"},' '{"id":"3","category":"86","action":"block"},{"id":"4","category":"88",' '"action":"block"},{"id":"7","action":"block"},{"id":"6","category":"89"},' '{"id":"8","category":"140"},{"id":"9","category":"141","action":"block"}]},' '"comment":null,"log-all-url":null,"web-content-log":null,' '"web-filter-activex-log":null,"web-filter-command-block-log":null,' '"web-filter-cookie-log":null,"web-filter-applet-log":null,' '"web-filter-jscript-log":null,"web-filter-js-log":null,' '"web-filter-vbs-log":null,"web-filter-unknown-log":null,' '"web-filter-referer-log":null,"web-filter-cookie-removal-log":null,' '"web-url-log":null,"web-invalid-domain-log":null,"web-ftgd-err-log":null,' '"web-ftgd-quota-usage":null}') self.assertEqual(cmd[0].action, 'edit') self.assertEqual(cmd[0].name, 'wf_standard') self.assertEqual(cmd[0].path, 'webfilter/profile')
def start_bulk(self): # LOG FILE if getattr(sys, 'frozen', False): log_path = os.path.join( os.path.abspath(os.path.dirname(sys.executable)), 'bulkchanger.log') else: log_path = os.path.join(os.path.abspath(os.path.dirname(__file__)), 'bulkchanger.log') if not os.path.isfile(log_path): temp_file = open(log_path, 'w+') temp_file.close() logging.basicConfig(filemode='w', filename=log_path, level=logging.INFO, format='%(asctime)s %(levelname)s %(message)s', datefmt='%Y-%m-%d %H:%M:%S') if Config().log_level.upper() == 'DEBUG': logging.getLogger().setLevel(logging.DEBUG) # CREDENTIALS if not ((Config().firewall_user == '') or (Config().firewall_password == '')): self.firewall_user = Config().firewall_user self.firewall_password = Config().firewall_password if not ((Config().sslvpn_user == '') or (Config().sslvpn_password == '')): self.sslvpn_user = Config().sslvpn_user self.sslvpn_password = Config().sslvpn_password # GET COMMANDS if getattr(sys, 'frozen', False): input_file_path = os.path.abspath(os.path.dirname(sys.executable)) else: input_file_path = os.path.join( os.path.abspath(os.path.dirname(__file__)), 'input') cmd = cli_converter.convert_command('input.txt', input_file_path) if not cmd: self.exception_callback('command line input') self.stop() cli_converter.marshalling(cmd) # START EXECUTION self.device.session = Session() bodyhash = { 'username': self.firewall_user, 'secretkey': self.firewall_password } try: self.device.session.post('https://' + self.device.ip + ':' + self.device.port + '/logincheck', data=bodyhash, verify=False, timeout=self.device.timeout) except RequestException: self.append_callback('red', self.device.customer) print('execption during login') return for cookie in self.device.session.cookies: try: if cookie.name == 'ccsrftoken': csrftoken = cookie.value[1:-1] self.device.session.headers.update( {'X-CSRFTOKEN': csrftoken}) except: self.append_callback('red', self.device.customer) print('error with cookie') return executor.perform_backup(self.device, 'before') executor.run_command(self.device, cmd) executor.perform_backup(self.device, 'after') self.device.session.post('https://' + self.device.ip + ':' + self.device.port + '/logout') self.append_callback('green', self.device.customer) program = 'C:/Program Files (x86)/Notepad++/plugins/ComparePlugin/compare.exe' file1 = Config().backup_folder + '/' + 'before.conf' file2 = Config().backup_folder + '/' + 'after.conf' subprocess.Popen([program, file1, file2], shell=True)
def start_bulk(self): # VARIABLES # devices = [] failed_devices = [] skipped_devices = [] success_devices = [] duplicates = 0 # cmd = [] # sslvpn_user = None # sslvpn_password = None sslconnected = False # LOG FILE # REMOVE LOGGING HANDLERS for handler in logging.root.handlers[:]: logging.root.removeHandler(handler) if getattr(sys, 'frozen', False): log_path = os.path.join( os.path.abspath(os.path.dirname(sys.executable)), 'bulkchanger.log') else: log_path = os.path.join(os.path.abspath(os.path.dirname(__file__)), 'bulkchanger.log') if not os.path.isfile(log_path): temp_file = open(log_path, 'w+') temp_file.close() logging.basicConfig(filemode='w', filename=log_path, level=logging.INFO, format='%(asctime)s %(levelname)s %(message)s', datefmt='%Y-%m-%d %H:%M:%S') if Config().log_level.upper() == 'DEBUG': logging.getLogger().setLevel(logging.DEBUG) # CREDENTIALS if not ((Config().firewall_user == '') or (Config().firewall_password == '')): self.firewall_user = Config().firewall_user self.firewall_password = Config().firewall_password if not ((Config().sslvpn_user == '') or (Config().sslvpn_password == '')): self.sslvpn_user = Config().sslvpn_user self.sslvpn_password = Config().sslvpn_password # GET FIREWALL LIST devices = customers.collect_firewalls() if not devices: logging.error('devices: no firewalls found, abort execution') self.exception_callback('devices') self.stop() # COLLECT SSL VPN PROFILES: sslprofile = sslvpn.collect() if not sslprofile: logging.error('sslvpn: no profiles found, abort execution') self.exception_callback('ssl vpn profile') self.stop() # GET COMMANDS if getattr(sys, 'frozen', False): input_file_path = os.path.abspath(os.path.dirname(sys.executable)) else: input_file_path = os.path.join( os.path.abspath(os.path.dirname(__file__)), 'input') cmd = cli_converter.convert_command('input.txt', input_file_path) if not cmd: self.exception_callback('command line input') self.stop() cli_converter.marshalling(cmd) # print_cmd(cmd) # exit() # START EXECUTION for device in devices: if not self.runs: break self.status_callback(len(devices), len(success_devices), len(failed_devices), len(skipped_devices), duplicates) logging.info( '******************************************************************' ) logging.info('IP: ' + device.ip + '\t Port:' + device.port + '\t Customer: ' + device.customer) if device.check_ip(): # check if local device if device.ping(): index = sslvpn.match(device.customer, sslprofile) if index == -1: logging.warning( 'sslvpn: found no matching ssl profile') failed_devices.append(device) device.reason = 'private ip and no sslvpn profile' self.append_callback('red', device.customer) continue if not sslvpn.connect( sslprofile[index].ip, sslprofile[index].port, self.sslvpn_user, self.sslvpn_password): self.exception_callback('sslvpn connect') self.stop() if device.ping(): # try to login anyway device.login(self.firewall_user, self.firewall_password) if not device.connected: logging.warning('ping: device is offline, skip device') failed_devices.append(device) device.reason = 'no ping response' self.append_callback('red', device.customer) continue logging.debug('ping: device is online') device.login(self.firewall_user, self.firewall_password) if not device.connected: device.reason = 'wrong username or password' elif device.connected: device.firmware_check() if not device.connected: failed_devices.append(device) self.append_callback('red', device.customer) continue if device.check_duplicate(devices, devices.index(device)): duplicates += 1 self.append_callback('blue', device.customer) continue executor.fmg_check(device) if device.fortimanager == 'enable': skipped_devices.append(device) self.append_callback('purple', device.customer) continue executor.vdom_check(device) if device.vdom_mode == 'enable': skipped_devices.append(device) self.append_callback('purple', device.customer) continue if Config().backup_enable.upper( ) == 'TRUE' and not '5.2' in device.firmware: executor.perform_backup(device) executor.run_command(device, cmd) device.logout() logging.debug('ping: device is still online') success_devices.append(device) self.append_callback('green', device.customer) self.status_callback(len(devices), len(success_devices), len(failed_devices), len(skipped_devices), duplicates) if sslconnected: sslconnected = False sslvpn.disconnect() # DELTE TEMPORARY FILES file = input_file_path + '/ca.cer' try: os.remove(file) except FileNotFoundError: logging.debug('certifiacte: source file not exist') # PRINT RESULT executor.run_summary(log_path, len(devices), len(success_devices), failed_devices, duplicates, skipped_devices) # REMOVE LOGGING HANDLERS for handler in logging.root.handlers[:]: logging.root.removeHandler(handler) self.end_callback()