def get_policy_vpn(engine):
vpn_mappings = engine.vpn_mappings
engine_internal_gw = engine.vpn.internal_gateway.name
policy_vpn = []
_seen = []
if vpn_mappings:
for mapping in vpn_mappings:
mapped_vpn = mapping.vpn
if mapped_vpn.name not in _seen:
_vpn = {'name': mapped_vpn.name}
vpn = PolicyVPN(mapped_vpn.name)
vpn.open()
nodes = vpn.central_gateway_node
node_central = nodes.get_contains(engine_internal_gw)
_vpn.update(central_node=True if node_central else False)
if not node_central: # If it's a central node it can't be a satellite node
nodes = vpn.satellite_gateway_node
_vpn.update(satellite_node=True if nodes.
get_contains(engine_internal_gw) else False)
else:
_vpn.update(satellite_node=False)
if vpn.mobile_vpn_topology != 'None':
mobile_node = vpn.mobile_gateway_node
_vpn.update(mobile_gateway=True if mobile_node.
get_contains(engine_internal_gw) else False)
policy_vpn.append(_vpn)
vpn.close()
_seen.append(mapped_vpn.name)
return policy_vpn
def get_policy_vpn(engine):
"""
Policy VPN settings for the engine. This should be modified to leverage
SMC 6.3.4 optimizations under engine.vpn_mappings.
:return: dict of policy VPN settings
"""
try:
vpn_mappings = engine.vpn_mappings
except UnsupportedEngineFeature:
return
engine_internal_gw = engine.vpn.internal_gateway.name
policy_vpn = []
_seen = []
if vpn_mappings:
for mapping in vpn_mappings:
mapped_vpn = mapping.vpn
if mapped_vpn.name not in _seen:
_vpn = {'name': mapped_vpn.name}
vpn = PolicyVPN(mapped_vpn.name)
vpn.open()
nodes = vpn.central_gateway_node
node_central = nodes.get_contains(engine_internal_gw)
_vpn.update(central_gateway=True if node_central else False)
if not node_central: # If it's a central node it can't be a satellite node
nodes = vpn.satellite_gateway_node
_vpn.update(satellite_gateway=True if nodes.get_contains(engine_internal_gw) else False)
else:
_vpn.update(satellite_node=False)
if vpn.mobile_vpn_topology != 'None':
mobile_node = vpn.mobile_gateway_node
_vpn.update(mobile_gateway=True if mobile_node.get_contains(engine_internal_gw) else False)
policy_vpn.append(_vpn)
vpn.close()
_seen.append(mapped_vpn.name)
return policy_vpn
external_gateway.external_endpoint.create(name="myendpoint",
address="2.2.2.2")
"""
Lastly, 'sites' need to be configured that identify the network/s on the
other end of the VPN. You can either use pre-existing network elements, or create
new ones as in the example below.
Then add this site to the external gateway
"""
network = Network.create("remote-network", "1.1.1.0/24").href
external_gateway.vpn_site.create("remote-site", [network])
"""
Retrieve the internal gateway for SMC managed engine by loading the
engine configuration. The internal gateway reference is located as
engine.internal_gateway.href
"""
engine = Engine("testfw").load()
"""
Create the VPN Policy
"""
vpn = PolicyVPN.create(name="myVPN", nat=True)
print(vpn.name, vpn.vpn_profile)
vpn.open()
vpn.add_central_gateway(engine.internal_gateway.href)
vpn.add_satellite_gateway(external_gateway.href)
vpn.save()
vpn.close()
session.logout()
external_gateway.external_endpoint.create(name='myendpoint',
address='2.2.2.2')
"""
Lastly, 'sites' need to be configured that identify the network/s on the
other end of the VPN. You can either use pre-existing network elements, or create
new ones as in the example below.
Then add this site to the external gateway
"""
network = Network.create('remote-network', '1.1.1.0/24').href
external_gateway.vpn_site.create('remote-site', [network])
"""
Retrieve the internal gateway for SMC managed engine by loading the
engine configuration. The internal gateway reference is located as
engine.internal_gateway.href
"""
engine = Engine('testfw').load()
"""
Create the VPN Policy
"""
vpn = PolicyVPN.create(name='myVPN', nat=True)
print vpn.name, vpn.vpn_profile
vpn.open()
vpn.add_central_gateway(engine.internal_gateway.href)
vpn.add_satellite_gateway(external_gateway.href)
vpn.save()
vpn.close()
session.logout()
def exec_module(self, **kwargs):
state = kwargs.pop('state', 'present')
for name, value in kwargs.items():
setattr(self, name, value)
for gw in [self.central_gw, self.satellite_gw]:
if gw:
self._validate_subspec(gw)
changed = False
vpn = self.fetch_element(PolicyVPN) #Element or None
try:
if state == 'present':
lock = False # Used to flag whether policy needs to be locked
if self.gateway_tunnel:
self._validate_tunnel(self.gateway_tunnel)
lock = True
if self.central_gw:
self._validate_external_gw(self.central_gw)
self.central_gw = resolve_gw(self.central_gw)
lock = True
if self.satellite_gw:
self._validate_external_gw(self.satellite_gw)
self.satellite_gw = resolve_gw(self.satellite_gw)
lock = True
if not vpn:
vpn = PolicyVPN.create(
name=self.name,
nat=self.apply_nat,
vpn_profile=self.vpn_profile)
changed = True
# Update profile if provided and they are different
if self.vpn_profile:
if vpn.vpn_profile.name != self.vpn_profile:
pf = VPNProfile(self.vpn_profile).href
vpn.update(vpn_profile=pf)
changed = True
# Make sure NAT setting matches
if vpn.nat != self.apply_nat:
vpn.enable_disable_nat()
vpn.update()
changed = True
if lock:
vpn.open()
if add_central_gateway(vpn, self.central_gw):
changed = True
if add_satellite_gateway(vpn, self.satellite_gw):
changed = True
if self.gateway_tunnel:
for gateway in self.gateway_tunnel:
if change_gateway_tunnel(vpn, gateway):
changed = True
vpn.save()
vpn.close()
if self.tags:
if self.add_tags(vpn, self.tags):
changed = True
elif state == 'absent':
# If no gateways are provided, delete the whole VPN
if not self.central_gw and not self.satellite_gw and not self.tags:
if vpn:
vpn.delete()
changed = True
else:
if vpn:
lock = False
if self.central_gw:
self.central_gw = resolve_gw(self.central_gw)
lock = True
if self.satellite_gw:
self.satellite_gw = resolve_gw(self.satellite_gw)
lock = True
if lock:
vpn.open()
if delete_central_gateway(vpn, self.central_gw):
changed = True
if delete_satellite_gateway(vpn, self.satellite_gw):
changed = True
vpn.save()
vpn.close()
if self.tags:
if self.remove_tags(vpn, self.tags):
changed = True
except SMCException as err:
self.fail(msg=str(err), exception=traceback.format_exc())
self.results['changed'] = changed
return self.results
def create(self,
name,
sources=None,
destinations=None,
services=None,
action='allow',
log_options=None,
is_disabled=False,
vpn_policy=None,
add_pos=None,
after=None,
before=None,
sub_policy=None,
comment=None,
**kw):
"""
Create a layer 3 firewall rule
:param str name: name of rule
:param sources: source/s for rule
:type sources: list[str, Element]
:param destinations: destination/s for rule
:type destinations: list[str, Element]
:param services: service/s for rule
:type services: list[str, Element]
:param action: allow,continue,discard,refuse,enforce_vpn,
apply_vpn,blacklist (default: allow)
:type action: Action or str
:param LogOptions log_options: LogOptions object
:param str: vpn_policy: vpn policy name; required for enforce_vpn and apply_vpn
actions
:param str,Element sub_policy: sub policy required when rule has an action of 'jump'.
Can be the FirewallSubPolicy element or href.
:param int add_pos: position to insert the rule, starting with position 1. If
the position value is greater than the number of rules, the rule is inserted at
the bottom. If add_pos is not provided, rule is inserted in position 1. Mutually
exclusive with ``after`` and ``before`` params.
:param str after: Rule tag to add this rule after. Mutually exclusive with ``add_pos``
and ``before`` params.
:param str before: Rule tag to add this rule before. Mutually exclusive with ``add_pos``
and ``after`` params.
:param str comment: optional comment for this rule
:raises MissingRequiredInput: when options are specified the need additional
setting, i.e. use_vpn action requires a vpn policy be specified.
:raises CreateRuleFailed: rule creation failure
:return: the created ipv4 rule
:rtype: IPv4Rule
"""
rule_values = self.update_targets(sources, destinations, services)
rule_values.update(name=name, comment=comment)
if isinstance(action, Action):
rule_action = action
else:
rule_action = Action()
rule_action.action = action
if not rule_action.action in self._actions:
raise CreateRuleFailed('Action specified is not valid for this '
'rule type; action: {}'.format(
rule_action.action))
if rule_action.action in ['apply_vpn', 'enforce_vpn', 'forward_vpn']:
if vpn_policy is None:
raise MissingRequiredInput(
'A VPN policy must be specified when '
'rule action has a VPN action')
try:
vpn = PolicyVPN(vpn_policy).href
rule_action.vpn = vpn
except ElementNotFound:
raise MissingRequiredInput(
'Cannot find VPN policy specified: {}, '.format(
vpn_policy))
elif rule_action.action in ['jump']:
try:
rule_action.sub_policy = element_resolver(sub_policy)
except ElementNotFound:
raise MissingRequiredInput(
'Cannot find sub policy specified: {} '.format(sub_policy))
rule_values.update(action=rule_action.data)
if log_options is None:
log_options = LogOptions()
auth_options = AuthenticationOptions()
rule_values.update(options=log_options.data)
rule_values.update(authentication_options=auth_options.data)
rule_values.update(is_disabled=is_disabled)
params = None
href = self.href
if add_pos is not None:
href = self.add_at_position(add_pos)
elif before or after:
params = self.add_before_after(before, after)
return SubElementCreator(self.__class__,
CreateRuleFailed,
href=href,
params=params,
json=rule_values)
"""
Lastly, 'sites' need to be configured that identify the network/s on the
other end of the VPN. You can either use pre-existing network elements, or create
new ones as in the example below.
Then add this site to the external gateway
"""
network = Network.create('remote-network', '1.1.1.0/24').href
external_gateway.vpn_site.create('remote-site', [network])
"""
Retrieve the internal gateway for SMC managed engine by loading the
engine configuration. The internal gateway reference is located as
engine.internal_gateway.href
"""
engine = Engine('testfw').load()
"""
Create the VPN Policy
"""
vpn = PolicyVPN.create(name='myVPN', nat=True)
print vpn.name, vpn.vpn_profile
vpn.open()
vpn.add_central_gateway(engine.internal_gateway.href)
vpn.add_satellite_gateway(external_gateway.href)
vpn.save()
vpn.close()
session.logout()