def get_policy_vpn(engine): vpn_mappings = engine.vpn_mappings engine_internal_gw = engine.vpn.internal_gateway.name policy_vpn = [] _seen = [] if vpn_mappings: for mapping in vpn_mappings: mapped_vpn = mapping.vpn if mapped_vpn.name not in _seen: _vpn = {'name': mapped_vpn.name} vpn = PolicyVPN(mapped_vpn.name) vpn.open() nodes = vpn.central_gateway_node node_central = nodes.get_contains(engine_internal_gw) _vpn.update(central_node=True if node_central else False) if not node_central: # If it's a central node it can't be a satellite node nodes = vpn.satellite_gateway_node _vpn.update(satellite_node=True if nodes. get_contains(engine_internal_gw) else False) else: _vpn.update(satellite_node=False) if vpn.mobile_vpn_topology != 'None': mobile_node = vpn.mobile_gateway_node _vpn.update(mobile_gateway=True if mobile_node. get_contains(engine_internal_gw) else False) policy_vpn.append(_vpn) vpn.close() _seen.append(mapped_vpn.name) return policy_vpn
def get_policy_vpn(engine): """ Policy VPN settings for the engine. This should be modified to leverage SMC 6.3.4 optimizations under engine.vpn_mappings. :return: dict of policy VPN settings """ try: vpn_mappings = engine.vpn_mappings except UnsupportedEngineFeature: return engine_internal_gw = engine.vpn.internal_gateway.name policy_vpn = [] _seen = [] if vpn_mappings: for mapping in vpn_mappings: mapped_vpn = mapping.vpn if mapped_vpn.name not in _seen: _vpn = {'name': mapped_vpn.name} vpn = PolicyVPN(mapped_vpn.name) vpn.open() nodes = vpn.central_gateway_node node_central = nodes.get_contains(engine_internal_gw) _vpn.update(central_gateway=True if node_central else False) if not node_central: # If it's a central node it can't be a satellite node nodes = vpn.satellite_gateway_node _vpn.update(satellite_gateway=True if nodes.get_contains(engine_internal_gw) else False) else: _vpn.update(satellite_node=False) if vpn.mobile_vpn_topology != 'None': mobile_node = vpn.mobile_gateway_node _vpn.update(mobile_gateway=True if mobile_node.get_contains(engine_internal_gw) else False) policy_vpn.append(_vpn) vpn.close() _seen.append(mapped_vpn.name) return policy_vpn
external_gateway.external_endpoint.create(name="myendpoint", address="2.2.2.2") """ Lastly, 'sites' need to be configured that identify the network/s on the other end of the VPN. You can either use pre-existing network elements, or create new ones as in the example below. Then add this site to the external gateway """ network = Network.create("remote-network", "1.1.1.0/24").href external_gateway.vpn_site.create("remote-site", [network]) """ Retrieve the internal gateway for SMC managed engine by loading the engine configuration. The internal gateway reference is located as engine.internal_gateway.href """ engine = Engine("testfw").load() """ Create the VPN Policy """ vpn = PolicyVPN.create(name="myVPN", nat=True) print(vpn.name, vpn.vpn_profile) vpn.open() vpn.add_central_gateway(engine.internal_gateway.href) vpn.add_satellite_gateway(external_gateway.href) vpn.save() vpn.close() session.logout()
external_gateway.external_endpoint.create(name='myendpoint', address='2.2.2.2') """ Lastly, 'sites' need to be configured that identify the network/s on the other end of the VPN. You can either use pre-existing network elements, or create new ones as in the example below. Then add this site to the external gateway """ network = Network.create('remote-network', '1.1.1.0/24').href external_gateway.vpn_site.create('remote-site', [network]) """ Retrieve the internal gateway for SMC managed engine by loading the engine configuration. The internal gateway reference is located as engine.internal_gateway.href """ engine = Engine('testfw').load() """ Create the VPN Policy """ vpn = PolicyVPN.create(name='myVPN', nat=True) print vpn.name, vpn.vpn_profile vpn.open() vpn.add_central_gateway(engine.internal_gateway.href) vpn.add_satellite_gateway(external_gateway.href) vpn.save() vpn.close() session.logout()
def exec_module(self, **kwargs): state = kwargs.pop('state', 'present') for name, value in kwargs.items(): setattr(self, name, value) for gw in [self.central_gw, self.satellite_gw]: if gw: self._validate_subspec(gw) changed = False vpn = self.fetch_element(PolicyVPN) #Element or None try: if state == 'present': lock = False # Used to flag whether policy needs to be locked if self.gateway_tunnel: self._validate_tunnel(self.gateway_tunnel) lock = True if self.central_gw: self._validate_external_gw(self.central_gw) self.central_gw = resolve_gw(self.central_gw) lock = True if self.satellite_gw: self._validate_external_gw(self.satellite_gw) self.satellite_gw = resolve_gw(self.satellite_gw) lock = True if not vpn: vpn = PolicyVPN.create( name=self.name, nat=self.apply_nat, vpn_profile=self.vpn_profile) changed = True # Update profile if provided and they are different if self.vpn_profile: if vpn.vpn_profile.name != self.vpn_profile: pf = VPNProfile(self.vpn_profile).href vpn.update(vpn_profile=pf) changed = True # Make sure NAT setting matches if vpn.nat != self.apply_nat: vpn.enable_disable_nat() vpn.update() changed = True if lock: vpn.open() if add_central_gateway(vpn, self.central_gw): changed = True if add_satellite_gateway(vpn, self.satellite_gw): changed = True if self.gateway_tunnel: for gateway in self.gateway_tunnel: if change_gateway_tunnel(vpn, gateway): changed = True vpn.save() vpn.close() if self.tags: if self.add_tags(vpn, self.tags): changed = True elif state == 'absent': # If no gateways are provided, delete the whole VPN if not self.central_gw and not self.satellite_gw and not self.tags: if vpn: vpn.delete() changed = True else: if vpn: lock = False if self.central_gw: self.central_gw = resolve_gw(self.central_gw) lock = True if self.satellite_gw: self.satellite_gw = resolve_gw(self.satellite_gw) lock = True if lock: vpn.open() if delete_central_gateway(vpn, self.central_gw): changed = True if delete_satellite_gateway(vpn, self.satellite_gw): changed = True vpn.save() vpn.close() if self.tags: if self.remove_tags(vpn, self.tags): changed = True except SMCException as err: self.fail(msg=str(err), exception=traceback.format_exc()) self.results['changed'] = changed return self.results
def create(self, name, sources=None, destinations=None, services=None, action='allow', log_options=None, is_disabled=False, vpn_policy=None, add_pos=None, after=None, before=None, sub_policy=None, comment=None, **kw): """ Create a layer 3 firewall rule :param str name: name of rule :param sources: source/s for rule :type sources: list[str, Element] :param destinations: destination/s for rule :type destinations: list[str, Element] :param services: service/s for rule :type services: list[str, Element] :param action: allow,continue,discard,refuse,enforce_vpn, apply_vpn,blacklist (default: allow) :type action: Action or str :param LogOptions log_options: LogOptions object :param str: vpn_policy: vpn policy name; required for enforce_vpn and apply_vpn actions :param str,Element sub_policy: sub policy required when rule has an action of 'jump'. Can be the FirewallSubPolicy element or href. :param int add_pos: position to insert the rule, starting with position 1. If the position value is greater than the number of rules, the rule is inserted at the bottom. If add_pos is not provided, rule is inserted in position 1. Mutually exclusive with ``after`` and ``before`` params. :param str after: Rule tag to add this rule after. Mutually exclusive with ``add_pos`` and ``before`` params. :param str before: Rule tag to add this rule before. Mutually exclusive with ``add_pos`` and ``after`` params. :param str comment: optional comment for this rule :raises MissingRequiredInput: when options are specified the need additional setting, i.e. use_vpn action requires a vpn policy be specified. :raises CreateRuleFailed: rule creation failure :return: the created ipv4 rule :rtype: IPv4Rule """ rule_values = self.update_targets(sources, destinations, services) rule_values.update(name=name, comment=comment) if isinstance(action, Action): rule_action = action else: rule_action = Action() rule_action.action = action if not rule_action.action in self._actions: raise CreateRuleFailed('Action specified is not valid for this ' 'rule type; action: {}'.format( rule_action.action)) if rule_action.action in ['apply_vpn', 'enforce_vpn', 'forward_vpn']: if vpn_policy is None: raise MissingRequiredInput( 'A VPN policy must be specified when ' 'rule action has a VPN action') try: vpn = PolicyVPN(vpn_policy).href rule_action.vpn = vpn except ElementNotFound: raise MissingRequiredInput( 'Cannot find VPN policy specified: {}, '.format( vpn_policy)) elif rule_action.action in ['jump']: try: rule_action.sub_policy = element_resolver(sub_policy) except ElementNotFound: raise MissingRequiredInput( 'Cannot find sub policy specified: {} '.format(sub_policy)) rule_values.update(action=rule_action.data) if log_options is None: log_options = LogOptions() auth_options = AuthenticationOptions() rule_values.update(options=log_options.data) rule_values.update(authentication_options=auth_options.data) rule_values.update(is_disabled=is_disabled) params = None href = self.href if add_pos is not None: href = self.add_at_position(add_pos) elif before or after: params = self.add_before_after(before, after) return SubElementCreator(self.__class__, CreateRuleFailed, href=href, params=params, json=rule_values)
""" Lastly, 'sites' need to be configured that identify the network/s on the other end of the VPN. You can either use pre-existing network elements, or create new ones as in the example below. Then add this site to the external gateway """ network = Network.create('remote-network', '1.1.1.0/24').href external_gateway.vpn_site.create('remote-site', [network]) """ Retrieve the internal gateway for SMC managed engine by loading the engine configuration. The internal gateway reference is located as engine.internal_gateway.href """ engine = Engine('testfw').load() """ Create the VPN Policy """ vpn = PolicyVPN.create(name='myVPN', nat=True) print vpn.name, vpn.vpn_profile vpn.open() vpn.add_central_gateway(engine.internal_gateway.href) vpn.add_satellite_gateway(external_gateway.href) vpn.save() vpn.close() session.logout()