def create_single_fw(): """ Create single layer 3 firewall for this example """ Layer3Firewall.create(name="testfw", mgmt_ip="192.168.10.1", mgmt_network="192.168.10.0/24")
def create_single_fw(): """ Create single layer 3 firewall for this example """ Layer3Firewall.create(name='testfw', mgmt_ip='192.168.10.1', mgmt_network='192.168.10.0/24')
def test_ospf_unicast(self): for profile in list(Search('ospfv2_interface_settings').objects.all()): if profile.name.startswith('Default OSPF'): interface_profile = profile.href area = OSPFArea.create(name='smcpython-area', interface_settings_ref=interface_profile, area_id=0) self.assertTrue(area.href.startswith('http')) area = OSPFArea('smcpython-area') engine = Layer3Firewall.create(name='smcpython-ospf', mgmt_ip='172.18.1.30', mgmt_network='172.18.1.0/24', domain_server_address=['8.8.8.8'], enable_ospf=True) self.assertIsInstance(engine, Engine) host = Host.create(name='smcpython-ospf-user', address='23.23.23.23') # Get routing resources for interface in engine.routing.all(): if interface.name == 'Interface 0': result = interface.add_ospf_area(area, communication_mode='unicast', unicast_ref=host) self.assertIsNone(result) engine.delete() area.delete() Host('smcpython-ospf-user').delete()
def test_create_unicode_name_firewall(self): fw = Layer3Firewall.create(name='ĂĂĂĂrdvark36', mgmt_ip='1.1.1.1', mgmt_network='1.1.1.0/24') self.assertEquals(fw.name, u'ĂĂĂĂrdvark36', 'unicode fw names do not match') for fw in list(Search('single_fw').objects.all()): if fw.name == u'ĂĂĂĂrdvark36': # Required b/c non-ascii. Otherwise use from futures import literals fw.delete()
def __call__(self, interfaces, default_gateway, location_name): """ Create NGFW :param list interfaces: dict of interface information :return: self """ # Location can be None if SMC is not behind NAT location = self.add_location(location_name) for interface in interfaces: address = interface.get('address') interface_id = interface.get('interface_id') network_value = interface.get('network_value') if interface_id == 0: mgmt_ip = address engine = Layer3Firewall.create( self.name, mgmt_ip=address, mgmt_network=network_value, domain_server_address=self.dns, reverse_connection=self.reverse_connection, default_nat=self.default_nat, enable_antivirus=self.antivirus, enable_gti=self.gti, location_ref=location) engine.add_route(default_gateway, '0.0.0.0/0') else: engine.physical_interface.add_single_node_interface( interface_id=interface_id, address=address, network_value=network_value) logger.info('Created NGFW successfully') self.engine = engine # Enable VPN on external interface if policy provided if self.vpn: try: vpn_policy = self.vpn['vpn_policy'] for intf in self.engine.internal_gateway.internal_endpoint.all( ): if intf.name == mgmt_ip: intf.modify_attribute(enabled=True, nat_t=True) role = self.vpn.get('vpn_role') if self.vpn.get( 'vpn_role') else 'central' VPNPolicy.add_internal_gateway_to_vpn( self.engine.internal_gateway.href, vpn_policy, role) except KeyError: pass
def single_fw(name, mgmt_ip, mgmt_network, mgmt_interface='0', dns=None): """ Create single firewall with a single management interface :param name: name of single layer 2 fw :param mgmt_ip: ip address for management layer 3 interface :param mgmt_network: netmask for management network :param mgmt_interface: interface id for l3 mgmt :param dns: dns servers for management interface (optional) :return: :py:class:`smc.core.engine.Engine` """ result = Layer3Firewall.create(name, mgmt_ip, mgmt_network, mgmt_interface=mgmt_interface, domain_server_address=dns) return result
def test_rename_engine(self): # Test renaming the engine engine = Layer3Firewall.create(name='smc-python', mgmt_ip='1.1.1.1', mgmt_network='1.1.1.0/24') self.assertIsInstance(engine, Engine) engine.rename('smc-python2') self.assertEqual(engine.name, 'smc-python2') for node in engine.nodes: self.assertTrue(node.name.startswith('smc-python2')) self.assertTrue(engine.internal_gateway.name.startswith('smc-python2')) engine.delete()
def setUp(self): session.login(url='http://172.18.1.150:8082', api_key='EiGpKD4QxlLJ25dbBEp20001', verify=True) try: global engine engine = Engine(running_firewall) except LoadEngineFailed: print("Running firewall engine NOT defined. ") raise global engine_not_initialized engine_not_initialized = Layer3Firewall.create( 'smc-python-api-nodetest', mgmt_ip='1.1.1.1', mgmt_network='1.1.1.0/24')
def test_create_layer3_firewall_and_add_ospf(self): for profile in list(Search('ospfv2_interface_settings').objects.all()): if profile.name.startswith('Default OSPF'): interface_profile = profile.href area = OSPFArea.create(name='smcpython-area', interface_settings_ref=interface_profile, area_id=0) self.assertTrue(area.href.startswith('http')) area = OSPFArea('smcpython-area') engine = Layer3Firewall.create(name='smcpython-ospf', mgmt_ip='172.18.1.30', mgmt_network='172.18.1.0/24', domain_server_address=['8.8.8.8'], enable_ospf=True) self.assertIsInstance(engine, Engine) # Add IPv6 to make sure OSPF is skipped for that interface engine.physical_interface.add_single_node_interface( interface_id=0, address='2001:db8:85a3::8a2e:370:7334', network_value='2001:db8:85a3::/64') # Get routing resources for interface in engine.routing.all(): # if interface.name == 'Interface 0': if interface.nicid == '0': # Apply OSPF 'area0' to interface 0 interface.add_ospf_area(area) for networks in interface.all(): # Traverse networks self.assertIn(networks.name, [ 'network-172.18.1.0/24', 'network-2001:db8:85a3::/64' ]) self.assertTrue(networks.level == 'network') # Add only to specified network for interface in engine.routing.all(): if interface.name == 'Interface 0': interface.add_ospf_area(area, network='172.18.1.0/24') engine.delete() area.delete()
def test_policy_upload(self): # This will just sit in the task queue because the engine will not be initialized, but still tests # that policy upload from policy itself triggers properly policy = FirewallPolicy.create(name='testpolicy', template='Firewall Inspection Template') engine = Layer3Firewall.create(name='temppolicy', mgmt_ip='1.1.1.1', mgmt_network='1.1.1.0/24') #self.assertRaises(TaskRunFailed, lambda: policy.upload(engine.name)) task = policy.upload(engine.name) self.assertTrue(task.follower.startswith('http')) time.sleep(5) # Force failure, engine does not exist self.assertRaises(TaskRunFailed, lambda: policy.upload('bogusfw')) # Abort queued task then delete policy for tasks in task_history(): if tasks.follower == task.follower and tasks.in_progress: print("Abort called") result = tasks.abort() # 204 delete successful, 400 if the operation is already being # aborted self.assertIsNone(result) status = task_status(task.follower) self.assertIsNotNone(status.in_progress) self.assertIsNone(tasks.foo) # Invalid task attribute engine.delete() # Try except required for SMC <6.2.1. BUG filed where abort timing will # fail on uninitialized engine after policy push try: policy.delete() except DeleteElementFailed: pass
def test_modify_rules(self): policy = FirewallPolicy.create(name='myfoopolicy', template='Firewall Inspection Template') Host.create(name='foobar', address='1.1.1.1') host = Host('foobar') # No action, default to Allow, position set, but no rules so added # normally policy.fw_ipv4_access_rules.create(name='myrule', sources=[host], add_pos=10) for rule in policy.fw_ipv4_access_rules.all(): if rule.name == 'myrule': self.assertEqual(rule.action.action, 'allow') self.assertIsInstance(rule.authentication_options, AuthenticationOptions) self.assertIsInstance(rule.options, LogOptions) self.assertFalse(rule.is_disabled) self.assertEqual(rule.parent_policy.name, 'myfoopolicy') self.assertTrue(rule.destinations.is_none) self.assertTrue(rule.services.is_none) self.assertFalse(rule.services.all()) for source in rule.sources.all(): self.assertEqual(source.name, 'foobar') rule.disable() rule.comment = 'mycomment' rule.services.set_any() rule.save() self.assertEqual(rule.comment, 'mycomment') self.assertTrue(rule.is_disabled) rule.enable() rule.save() self.assertFalse(rule.is_disabled) self.assertTrue(rule.services.is_any) rule.delete() Host('foobar').delete() policy.fw_ipv4_access_rules.create(name='myrule', sources='any', destinations=[Host('badhost')], action=Action()) # Will be returned as type "Element" engine = Layer3Firewall.create(name='tmpfw', mgmt_ip='1.1.1.1', mgmt_network='1.1.1.0/24') Host.create(name='boo', address='12.12.12.12') for rule in policy.fw_ipv4_access_rules.all(): if rule.name == 'myrule': self.assertTrue(rule.destinations.is_none) self.assertTrue(rule.action.action == 'allow') self.assertTrue(rule.sources.is_any) # Host doesn't exist, destinations will remain none rule.destinations.add(Host('blah')) rule.save() self.assertTrue(rule.destinations.is_none) rule.destinations.add_many([Host('boo'), engine]) rule.save() dests = list(rule.destinations.all()) self.assertTrue(len(dests) == 2) for x in rule.destinations.all(): self.assertIsInstance(x, Element) self.assertIn(x.name, ['tmpfw', 'boo']) # Test Match Expression DomainName.create('lepages.net') Zone.create('MyExZone') match = MatchExpression.create(name='mymatch', network_element=Host('boo'), domain_name=DomainName('lepages.net'), zone=Zone('MyExZone')) policy.fw_ipv4_access_rules.create(name='matchex', sources=[match], destinations='any', services='any') rule = policy.search_rule('matchex')[0] self.assertTrue(len(rule.sources.all()[0].values()) == 3) for source in rule.sources.all(): for values in source.values(): self.assertIn(values.name, ['boo', 'lepages.net', 'MyExZone']) # Test after and before rule position options # Need rule tag for rule we are inserting around rule = policy.search_rule('matchex')[0] policy.fw_ipv4_access_rules.create(name='ruleafter', after=rule.tag) policy.fw_ipv4_access_rules.create(name='rulebefore', before=rule.tag) gen = policy.fw_ipv4_access_rules.all() for x in gen: if x.name == 'rulebefore': break matchex = next(gen) ruleafter = next(gen) self.assertEqual(matchex.name, 'matchex') self.assertEqual(ruleafter.name, 'ruleafter') # Add a jump rule with self.assertRaises(MissingRequiredInput): policy.fw_ipv4_access_rules.create( name='jumprule', action='jump', sub_policy=FirewallSubPolicy('blahblah')) FirewallSubPolicy.create('subfoo') policy.fw_ipv4_access_rules.create( name='jumprule', action='jump', sub_policy=FirewallSubPolicy('subfoo')) rule = policy.search_rule('jumprule')[0] self.assertEqual(rule.action.action, 'jump') self.assertEqual(rule.action.sub_policy.href, FirewallSubPolicy('subfoo').href) policy.delete() DomainName('lepages.net').delete() Zone('MyExZone').delete() Host('boo').delete() time.sleep(3) engine.delete()
def test_NATRules(self): policy = FirewallPolicy.create(name='apitestpolicy', template='Firewall Inspection Template') Host.create('nathost', address='1.1.1.1') Host.create('sourcenat', address='2.2.2.2') engine = Layer3Firewall.create(name='natfw', mgmt_ip='1.1.1.1', mgmt_network='1.1.1.0/24') # Source NAT using port restrictions policy.fw_ipv4_nat_rules.create(name='dynsrcnat', sources='any', destinations=[Host('nathost')], services='any', dynamic_src_nat='2.2.2.2', dynamic_src_nat_ports=(30000, 35000)) # Dest NAT by IP policy.fw_ipv4_nat_rules.create(name='dstnat', sources='any', destinations=[Host('nathost')], services='any', static_dst_nat='3.3.3.3') # Destination field cannot be any or none with dest NAT with self.assertRaises(InvalidRuleValue): policy.fw_ipv4_nat_rules.create(name='foo', sources='any', destinations='any', services='any', static_dst_nat='3.3.3.3') # Source and Dest NAT policy.fw_ipv4_nat_rules.create(name='dstandsrcnat', sources='any', destinations=[Host('sourcenat')], services='any', dynamic_src_nat='5.5.5.5', static_dst_nat='3.3.3.3', static_dst_nat_ports=(22, 2222)) policy.fw_ipv4_nat_rules.create(name='nonatrule', sources='any', destinations='any', services='any') # Static src NAT if is_min_required_smc_version('6.1.2'): policy.fw_ipv4_nat_rules.create(name='static_src_nat', sources=[Host('sourcenat')], destinations='any', static_src_nat='1.1.1.1') else: with self.assertRaises(CreateRuleFailed): policy.fw_ipv4_nat_rules.create(name='static_src_nat', sources=[Host('sourcenat')], destinations='any', static_src_nat='1.1.1.1') # Invalid rule with self.assertRaises(CreateRuleFailed): policy.fw_ipv4_nat_rules.create(name='foo', sources='any', destinations=['any'], services='any', static_dst_nat='1.1.1.1') for rule in policy.fw_ipv4_nat_rules.all(): self.assertIsInstance(rule, IPv4NATRule) if rule.name == 'dynsrcnat': self.assertEqual(rule.dynamic_src_nat.translated_value, '2.2.2.2') # Not valid for dyn src nat self.assertIsNone(rule.dynamic_src_nat.original_value) self.assertEqual(rule.dynamic_src_nat.translated_ports, (30000, 35000)) elif rule.name == 'dstnat': if is_min_required_smc_version('6.1.2'): self.assertEqual(rule.static_dst_nat.translated_value, '3.3.3.3') self.assertEqual(rule.static_dst_nat.original_value, '1.1.1.1') else: # Version 6.1.1 self.assertEqual(rule.static_dst_nat.translated_value, '3.3.3.3') self.assertEqual(rule.static_dst_nat.original_value, Host('nathost').href) elif rule.name == 'dstandsrcnat': self.assertEqual(rule.dynamic_src_nat.translated_ports, (1024, 65535)) self.assertEqual(rule.dynamic_src_nat.translated_value, '5.5.5.5') self.assertEqual(rule.static_dst_nat.translated_value, '3.3.3.3') source_port, dest_port = rule.static_dst_nat.translated_ports self.assertEqual(source_port, 22) self.assertEqual(dest_port, 2222) elif rule.name == 'nonatrule': self.assertFalse(rule.static_src_nat.has_nat) self.assertFalse(rule.dynamic_src_nat.has_nat) self.assertFalse(rule.static_dst_nat.has_nat) # Test unsed on attribute self.assertIsNone(rule.used_on) # Catch the ElementNotFound, no change rule.used_on = Host('nonexistanthost') self.assertIsNone(rule.used_on) rule.used_on = engine self.assertEqual(rule.used_on.name, 'natfw') # IPv6 NAT Host.create(name='myipv6', ipv6_address='2001:0db8:85a3:0000:0000:8a2e:0370:7334') policy.fw_ipv6_nat_rules.create(name='mynat', sources=[Host('myipv6')], destinations='any', services='any', dynamic_src_nat='2001:db8::2:1') rule_matches = policy.search_rule('nonatrule') self.assertIsInstance(rule_matches[0], IPv4NATRule) no_rule_match = policy.search_rule('blahblahfoo') self.assertTrue(len(no_rule_match) == 0) engine.delete() policy.delete() Host('nathost').delete() Host('sourcenat').delete() Host('myipv6').delete()
Specify a policy to upload once the single FW instance has made the initial contact. This will be queued and kick off once the contact is complete. Generate the initial contact information for sg-reconfigure on the virtual or appliance. """ from smc import session from smc.core.engines import Layer3Firewall if __name__ == '__main__': session.login(url='http://172.18.1.25:8082', api_key='4366TuolHMJp3nHaUeF60001') # Create base engine specifying management IP info and management # interface number engine = Layer3Firewall.create('myfirewall', mgmt_ip='172.18.1.160', mgmt_network='172.18.1.0/24', mgmt_interface=0, domain_server_address=['8.8.8.8']) if engine: print "Successfully created Layer 3 firewall, adding interfaces.." # Create a new physical interface for single firewall engine.physical_interface.add_single_node_interface( interface_id=1, address='1.1.1.1', network_value='1.1.1.0/24') # Create a second interface using VLANs and assign IP info engine.physical_interface.add_vlan_to_single_node_interface( interface_id=2, address='2.2.2.2', network_value='2.2.2.0/24',
def exec_module(self, **kwargs): state = kwargs.pop('state', 'present') for name, value in kwargs.items(): setattr(self, name, value) changed = False engine = self.fetch_element(Layer3Firewall) try: if state == 'present': if not engine: # Find interface designated as management if not self.interfaces: self.fail( msg= 'You must define at least 1 interface when creating a NGFW' ) # Internal Endpoints are referenced by their IP address enable_vpn = [] mgmt_index = None for num, value in enumerate(self.interfaces): if 'interface_id' not in value: self.fail( msg= 'Interface requires at least interface_id be ' 'defined.') if value.get('type', None) == 'tunnel_interface' and \ ('address' not in value or 'network_value' not in value): self.fail( msg= 'Missing either address or network_value for tunnel interface' ) if str(value.get('interface_id')) == str( self.mgmt_interface): mgmt_index = num vpn = value.pop('enable_vpn', None) if vpn: # True enable_vpn.append(value['address']) if mgmt_index is None: self.fail( msg= 'Management interface definition not found in interfaces. ' 'Management interface specified: {}'.format( self.mgmt_interface)) if self.check_mode: return self.results mgmt = self.interfaces.pop(mgmt_index) engine = Layer3Firewall.create( name=self.name, mgmt_ip=mgmt.get('address'), mgmt_network=mgmt.get('network_value'), mgmt_interface=self.mgmt_interface, log_server_ref=self.log_server, default_nat=self.default_nat, domain_server_address=self.domain_server_address, enable_antivirus=self.enable_antivirus, enable_gti=self.enable_gti, location_ref=self.location, enable_ospf=self.enable_ospf, sidewinder_proxy_enabled=self.enable_sidewinder_proxy, ospf_profile=None, interfaces=self.interfaces) if enable_vpn: for internal_gw in engine.vpn_endpoint: if internal_gw.name in enable_vpn: internal_gw.update(enabled=True) if self.tags: if self.add_tags(engine, self.tags): changed = True changed = True else: # Engine exists, check for modifications # Start with engine properties.. status = engine.default_nat.status if self.default_nat: if not status: engine.default_nat.enable() changed = True else: # False or None if status: engine.default_nat.disable() changed = True status = engine.antivirus.status if self.enable_antivirus: if not status: engine.antivirus.enable() changed = True else: if status: engine.antivirus.disable() changed = True dns = [d.value for d in engine.dns] missing = [ entry for entry in self.domain_server_address if entry not in dns ] # Remove unneeded unneeded = [ entry for entry in dns if entry not in self.domain_server_address if entry is not None ] if missing: engine.dns.add(missing) changed = True if unneeded: engine.dns.remove(unneeded) changed = True if self.check_mode: return self.results # Update checkpoint. Adding and removing interfaces will # already automatically update the engine. if changed: engine.update() # Interfaces to enable VPN enable_vpn = {} # Iterate the interfaces. Add interfaces that do not exist. # Then remove interfaces that are not defined in the # playbook yml. for interface in self.interfaces: interface_id = interface['interface_id'] try: itf = engine.interface.get(interface_id) # If this interface does not have IP addresses assigned, # then assign. It is not currently possible to unassign # addresses. Instead, delete the interface if 'address' in interface and 'network_value' in interface: if 'enable_vpn' in interface: enable_vpn[interface.get( 'address')] = interface.pop( 'enable_vpn') addresses = itf.addresses if not addresses: engine.physical_interface.add_layer3_interface( **interface) changed = True else: # Has addresses, change if different for sub in itf.interfaces: if sub.address != interface['address']: itf.change_single_ipaddress( address=interface['address'], network_value=interface[ 'network_value']) changed = True except InterfaceNotFound: if 'address' in interface and 'network_value' in interface: if interface.get('type', None) == 'tunnel_interface': engine.tunnel_interface.add_single_node_interface( tunnel_id=interface_id, address=interface['address'], network_value=interface[ 'network_value'], zone_ref=interface.get( 'zone_ref', None)) changed = True else: if 'enable_vpn' in interface: enable_vpn[interface.get( 'address')] = interface.pop( 'enable_vpn') engine.physical_interface.add_layer3_interface( **interface) changed = True else: # Interface with no addresses, ignore enable_vpn engine.physical_interface.add( interface_id, zone_ref=interface.get('zone_ref', None)) changed = True # Check the VPN settings for the interfaces. If you want # to explicitly disable VPN, set enable_vpn: False in the # playbook for vpn in engine.vpn_endpoint: if vpn.name in enable_vpn: #self.fail(msg="VPN name in: %s" % vpn.name) if not vpn.enabled and enable_vpn.get(vpn.name): vpn.update(enabled=True) changed = True elif vpn.enabled and not enable_vpn.get(vpn.name): vpn.update(enabled=False) changed = True if self.tags: if self.add_tags(engine, self.tags): changed = True else: if self.clear_tags(engine): changed = True self.results.update(state=engine.data, changed=changed) elif state == 'absent': if engine: engine.delete() changed = True except SMCException as err: self.fail(msg=str(err), exception=traceback.format_exc()) self.results['changed'] = changed return self.results
Specify a policy to upload once the single FW instance has made the initial contact. This will be queued and kick off once the contact is complete. Generate the initial contact information for sg-reconfigure on the virtual or appliance. """ from smc import session from smc.core.engines import Layer3Firewall if __name__ == '__main__': session.login(url='http://172.18.1.25:8082', api_key='4366TuolHMJp3nHaUeF60001') # Create base engine specifying management IP info and management # interface number engine = Layer3Firewall.create('myfirewall', mgmt_ip='172.18.1.160', mgmt_network='172.18.1.0/24', mgmt_interface=0, domain_server_address=['8.8.8.8']) if engine: print "Successfully created Layer 3 firewall, adding interfaces.." # Create a new physical interface for single firewall engine.physical_interface.add_single_node_interface(interface_id=1, address='1.1.1.1', network_value='1.1.1.0/24') # Create a second interface using VLANs and assign IP info engine.physical_interface.add_vlan_to_single_node_interface(interface_id=2, address='2.2.2.2', network_value='2.2.2.0/24',
Interface 0 """ for profile in describe_ospfv2_interface_settings(): if profile.name.startswith('Default OSPF'): profile_ref = profile.href area = OSPFArea.create(name='area0', interface_settings_ref=profile_ref, area_id=0) area = OSPFArea('area0') # obtain resource # Create layer 3 firewall and enable OSPF, using the default system # OSPFProfile engine = Layer3Firewall.create(name='ospf-fw', mgmt_ip='172.18.1.30', mgmt_network='172.18.1.0/24', domain_server_address=['8.8.8.8'], enable_ospf=True) # Get routing resources for this newly created engine for interface in engine.routing.all(): if interface.name == 'Interface 0': # Apply OSPF 'area0' to interface 0 result = interface.add_ospf_area(area) if result.href: print "Success!" else: print "Failed with message: %s" % result.msg session.logout()
def test_layer3_engine_methods(self): # Test each of the top level engine methods engine = Layer3Firewall.create(name='smcpython-fw', mgmt_ip='1.1.1.1', mgmt_network='1.1.1.0/24') self.assertIsInstance(engine, Engine) if session.api_version >= 6.1: test = Engine('smcpython-fw') self.assertTrue(test.type == 'single_fw') self.assertTrue(test.href.startswith('http')) self.assertTrue(test.version is None) self.assertTrue(isinstance(test.nodes, list)) # Modify an attribute, i.e. antivirus: self.assertTrue( engine.modify_attribute( antivirus={ 'antivirus_enabled': False, 'antivirus_update': 'daily', 'antivirus_update_day': 'mo', 'antivirus_update_time': 21600000, 'virus_log_level': 'none', 'virus_mirror': 'update.nai.com/Products/CommonUpdater' }).startswith('http')) # Test Fail load using wildcard Host.create('testengine', '1.1.1.1') Host.create('testengine2', '2.2.2.2') with self.assertRaises(ElementNotFound): foo = Engine('testengine*') foo.href Host('testengine').delete() Host('testengine2').delete() # Engine type self.assertEqual(engine.type, 'single_fw') # Get the node type self.assertEqual(engine.nodes[0].type, 'firewall_node') # Iterate nodes for node in engine.nodes: self.assertIsInstance(repr(node), str) self.assertIsInstance(node, Node) # Get permissions, only for SMC API >- 6.1 if session.api_version >= 6.1: for x in engine.permissions: self.assertIsInstance(x, AccessControlList) else: self.assertRaises(UnsupportedEngineFeature, lambda: engine.permissions()) # Get aliases aliases = engine.alias_resolving() for alias in aliases: self.assertIsInstance(alias, Alias) self.assertIsNotNone(alias.name) self.assertTrue(alias.href.startswith('http')) self.assertIsInstance(alias.resolved_value, list) # Resolve the IP address alias for this engine alias = Alias('$$ Interface ID 0.ip') self.assertIn('1.1.1.1', alias.resolve('smcpython-fw')) # Blacklist, will fail as engine is not live or connected to SMC self.assertRaises(EngineCommandFailed, lambda: engine.blacklist('1.1.1.1/32', '0.0.0.0/0')) # Blacklist flush, same as above self.assertRaises(EngineCommandFailed, lambda: engine.blacklist_flush()) # Add route, valid result = engine.add_route('1.1.1.254', '192.168.1.0/24') self.assertIsNone(result) # Add route, invalid, msg attribute set self.assertRaises(EngineCommandFailed, lambda: engine.add_route('2.2.2.2', '10.10.10.0/22')) # Get routes, will catch SMCConnectionException because the engine doesnt # exist and will be unresponsive. It should catch and return empty list # A response is sent back in 6.1.2, but should be none if is_min_required_smc_version('6.1.2'): self.assertRaises(EngineCommandFailed, lambda: engine.routing_monitoring) else: # Timeout in version 6.1.1 or earlier self.assertRaises(EngineCommandFailed, lambda: engine.routing_monitoring) # Get antispoofing info Network.create(name='network-10.1.2.0/24', ipv4_network='10.1.2.0/24') spoofing = engine.antispoofing self.assertIsInstance(spoofing, Antispoofing) for entry in engine.antispoofing.all(): if entry.name == 'Interface 0': self.assertEqual(entry.level, 'interface') self.assertEqual(entry.validity, 'enable') entry.add(Network('network-10.1.2.0/24')) # Look for our network for entry in engine.antispoofing.all(): if entry.name == 'Interface 0': for network in entry.all(): if network.name == 'network-10.1.2.0/24': self.assertEqual(network.ip, '10.1.2.0/24') self.assertTrue( engine.internal_gateway.name.startswith('smcpython-fw')) # Get internal gateway for gw in engine.internal_gateway.internal_endpoint.all(): self.assertEqual(gw.name, '1.1.1.1') # matches interface IP # Get vpn sites for sites in engine.internal_gateway.vpn_site.all(): self.assertTrue( sites.name.startswith('Automatic Site for smcpython-fw')) # Gen certificate for internal gateway, fail because engine can't gen # cert v = VPNCertificate('myorg', 'foo.org') self.assertRaises( CertificateError, lambda: engine.internal_gateway.generate_certificate(v)) # Gateway certificate request, not implemented as of 0.3.7 self.assertTrue( len(engine.internal_gateway.gateway_certificate()) == 0) # Gateway certificate, not implemented as of 0.3.7 self.assertTrue( len(engine.internal_gateway.gateway_certificate_request()) == 0) # Get a virtual resource on non supported device type self.assertRaises(UnsupportedEngineFeature, lambda: engine.virtual_resource) # Get interfaces for intf in engine.interface.all(): self.assertEqual(intf.name, 'Interface 0') # Get virtual physical interface, not supported on layer 3 engine self.assertRaises(UnsupportedInterfaceType, lambda: engine.virtual_physical_interface) # Get modem interfaces self.assertTrue(len(engine.modem_interface) == 0) # Get adsl interfaces self.assertTrue(len(engine.adsl_interface) == 0) # Get wireless interface self.assertTrue(len(engine.wireless_interface) == 0) # Get switch interface self.assertTrue(len(engine.switch_physical_interface) == 0) # Get tunnel interfaces engine.tunnel_interface.add_single_node_interface( tunnel_id=1000, address='2.2.2.2', network_value='2.2.2.0/24') intf = engine.interface.get(1000) self.assertIsInstance(intf, TunnelInterface) # Query tunnel interfaces for intf in engine.tunnel_interface.all(): self.assertEqual(intf.name, 'Tunnel Interface 1000') # Refresh policy, fails as engine not ready self.assertRaises(TaskRunFailed, lambda: engine.refresh()) # Upload, policy doesn't exist self.assertRaises(TaskRunFailed, lambda: engine.upload(policy='foo')) # Generate snapshot #TODO: Bug with self.assertRaises(EngineCommandFailed): engine.generate_snapshot() # See snapshots. Policy hasnt been pushed yet so they wont exist self.assertTrue(len(list(engine.snapshots)) == 0) # Delete engine.delete() Network('network-10.1.2.0/24').delete()
def test_add_VPN_external_and_satellite_gw(self): firewall_central = Layer3Firewall.create('centralfw', mgmt_ip='1.1.1.1', mgmt_network='1.1.1.0/24') self.assertIsInstance(firewall_central, Engine) firewall_satellite = Layer3Firewall.create('satellitefw', mgmt_ip='2.2.2.2', mgmt_network='2.2.2.0/24') self.assertIsInstance(firewall_satellite, Engine) policy = VPNPolicy.create(name='tmptestvpn') self.assertIsInstance(policy, VPNPolicy) self.assertTrue( VPNPolicy.add_internal_gateway_to_vpn( firewall_central.internal_gateway.href, vpn_policy='tmptestvpn', vpn_role='central')) self.assertTrue( VPNPolicy.add_internal_gateway_to_vpn( firewall_satellite.internal_gateway.href, vpn_policy='tmptestvpn', vpn_role='satellite')) # Invalid vpn policy self.assertFalse( VPNPolicy.add_internal_gateway_to_vpn( firewall_central.internal_gateway.href, vpn_policy='foobar')) with self.assertRaises(PolicyCommandFailed): policy.close() policy.open() for gw in policy.central_gateway_node.all(): self.assertFalse(list(gw.disabled_sites)) for site in list(gw.enabled_sites): self.assertTrue('centralfw' in site.name) site.enable_disable() for site in list(gw.disabled_sites): self.assertTrue('centralfw' in site.name) site.enable_disable() for site in list(gw.enabled_sites): self.assertTrue('centralfw' in site.name) # Test the nodes for gw in policy.central_gateway_node.all(): self.assertIsInstance(gw, GatewayNode) self.assertTrue(gw.name.startswith('centralfw')) central_site = list(gw.enabled_sites) self.assertIsInstance(central_site[0], GatewayTreeNode) self.assertFalse(list(gw.disabled_sites)) gw.delete() for gw in policy.satellite_gateway_node.all(): self.assertIsInstance(gw, GatewayNode) self.assertTrue(gw.name.startswith('satellitefw')) gw.delete() for mobilegw in policy.mobile_gateway_node.all(): self.assertIsInstance(mobilegw, GatewayNode) self.assertIsNotNone(policy.validate()) # Already deleted gw's self.assertIsInstance(policy.gateway_tunnel(), list) policy.save() policy.close() # Delete VPN policy.delete() # Delete FW's firewall_central.delete() firewall_satellite.delete()
create a layer 3 firewall, enabling OSPF and applying the OSPF Area to Interface 0 """ for profile in describe_ospfv2_interface_settings(): if profile.name.startswith('Default OSPF'): profile_ref = profile.href area = OSPFArea.create(name='area0', interface_settings_ref=profile_ref, area_id=0) area = OSPFArea('area0') #obtain resource #Create layer 3 firewall and enable OSPF, using the default system #OSPFProfile engine = Layer3Firewall.create(name='ospf-fw', mgmt_ip='172.18.1.30', mgmt_network='172.18.1.0/24', domain_server_address=['8.8.8.8'], enable_ospf=True) #Get routing resources for this newly created engine for interface in engine.routing.all(): if interface.name == 'Interface 0': result = interface.add_ospf_area( area) #Apply OSPF 'area0' to interface 0 if result.href: print "Success!" else: print "Failed with message: %s" % result.msg session.logout()
def test_create_engine_add_bgp_peering(self): engine = Layer3Firewall.create(name='myfw', mgmt_ip='1.1.1.1', mgmt_network='1.1.1.0/24') engine.physical_interface.add_single_node_interface( interface_id=0, address='5.5.5.5', network_value='5.5.5.0/24') Network.create(name='bgpnet', ipv4_network='2.2.2.0/24') AutonomousSystem.create(name='aws_as', as_number=20000) engine.enable_bgp(autonomous_system=AutonomousSystem('aws_as'), announced_networks=[Network('bgpnet')]) BGPPeering.create(name='mypeer') ExternalBGPPeer.create(name='neighbor', neighbor_as_ref=AutonomousSystem('aws_as'), neighbor_ip='3.3.3.3') # Only add to a single network for route in engine.routing.all(): if route.nicid == '0': route.add_bgp_peering(BGPPeering('mypeer'), ExternalBGPPeer('neighbor'), network='5.5.5.0/24') # Traverse the nested routing tree.. for route in engine.routing.all(): if route.nicid == '0': for bgp_peering in route.all(): if bgp_peering.ip == '5.5.5.0/24': for peering in bgp_peering.all(): # BGPPeering self.assertEqual(peering.name, 'mypeer') for external_peer in peering.all( ): # ExternalBGPPeer self.assertEqual(external_peer.name, 'neighbor') engine.delete() # Add BGP to all interfaces engine = Layer3Firewall.create(name='myfw', mgmt_ip='1.1.1.1', mgmt_network='1.1.1.0/24') engine.physical_interface.add_single_node_interface( interface_id=0, address='5.5.5.5', network_value='5.5.5.0/24') # Only add to a single network interface = engine.routing.get(0) # for route in engine.routing.all(): # if route.nicid == '0': interface.add_bgp_peering(BGPPeering('mypeer'), ExternalBGPPeer('neighbor')) for route in engine.routing.all(): if route.nicid == '0': for bgp_peering in route.all(): for peering in bgp_peering.all(): self.assertEqual(peering.name, 'mypeer') # BGPPeering for external_peer in peering.all(): # ExternalBGPPeer self.assertEqual(external_peer.name, 'neighbor') engine.delete()