def test_021_severely_limited_udp(self):
global app, app_web_filter, wan_limit_mbit
# only use 30% because QoS will limit to 10% and we want to make sure it takes effect
# really high levels will actually be limited by the untangle-vm throughput instead of QoS
# which can interfere with the test
targetSpeedMbit = str(wan_limit_mbit*.3)+"M"
if runtests.quick_tests_only:
raise unittest.SkipTest('Skipping a time consuming test')
# We will use iperf server and iperf for this test.
wan_IP = uvmContext.networkManager().getFirstWanAddress()
iperfAvailable = global_functions.verify_iperf_configuration(wan_IP)
if (not iperfAvailable):
raise unittest.SkipTest("Iperf server and/or iperf not available, skipping alternate port forwarding test")
# Enabled QoS
netsettings = uvmContext.networkManager().getNetworkSettings()
nuke_rules()
append_rule(create_single_condition_rule("DST_PORT","5000","SET_PRIORITY",1))
pre_UDP_speed = global_functions.get_udp_download_speed( receiverip=global_functions.iperf_server, senderip=remote_control.client_ip, targetRate=targetSpeedMbit )
# Create DST_PORT based rule to limit bandwidth
nuke_rules()
append_rule(create_single_condition_rule("DST_PORT","5000","SET_PRIORITY",7))
post_UDP_speed = global_functions.get_udp_download_speed( receiverip=global_functions.iperf_server, senderip=remote_control.client_ip, targetRate=targetSpeedMbit )
print_results( pre_UDP_speed, post_UDP_speed, (wan_limit_kbit/8)*0.1, pre_UDP_speed*.9 )
assert (post_UDP_speed < pre_UDP_speed*.9)
def test_015_qos_nobpass_custom_rules_tcp(self):
nuke_rules(self._app)
priority_level = 7
# Record average speed without bandwidth control configured
wget_speed_pre = global_functions.get_download_speed()
# Create SRC_ADDR based custom Q0S rule to limit bypass QoS
netsettings = copy.deepcopy(orig_network_settings_with_qos)
netsettings['qosSettings']['qosRules']["list"].append(
create_qos_custom_rule("SRC_ADDR", remote_control.client_ip,
priority_level))
uvmContext.networkManager().setNetworkSettings(netsettings)
# Download file and record the average speed in which the file was download
wget_speed_post = global_functions.get_download_speed(
download_server=target_server)
# Restore original network settings
uvmContext.networkManager().setNetworkSettings(
orig_network_settings_with_qos)
# Because the session is NOT bypassed, the QoS rule should not take effect
print_results(wget_speed_pre, wget_speed_post, wget_speed_pre * 0.1,
wget_speed_pre * limited_acceptance_ratio)
assert ((wget_speed_pre) and (wget_speed_post))
assert (
not (wget_speed_pre * limited_acceptance_ratio > wget_speed_post))
def test_045_dns_test_wan_offline(self):
if runtests.quick_tests_only:
raise unittest.SkipTest('Skipping a time consuming test')
if (len(indexOfWans) < 2):
raise unittest.SkipTest(
"Need at least two WANS for test_045_addDNSFailTestForWans")
nuke_rules()
orig_offline_count = offline_wan_count()
netsettings = uvmContext.networkManager().getNetworkSettings()
# Add a fake DNS for each of the interfaces
for wanIndexTup in indexOfWans:
wanIndex = wanIndexTup[0]
# set DNS values to fake DNS
set_interface_field(wanIndex, netsettings, 'v4StaticDns1',
'192.168.244.' + str(wanIndex))
set_interface_field(wanIndex, netsettings, 'v4StaticDns2',
'192.168.244.' + str(wanIndex))
set_interface_field(wanIndex, netsettings, 'v4AutoDns1Override',
'192.168.244.' + str(wanIndex))
set_interface_field(wanIndex, netsettings, 'v4AutoDns2Override',
'192.168.244.' + str(wanIndex))
uvmContext.networkManager().setNetworkSettings(netsettings)
for wanIndexTup in indexOfWans:
build_wan_test(wanIndex, "dns")
wait_for_wan_offline()
offline_count = offline_wan_count()
uvmContext.networkManager().setNetworkSettings(orig_netsettings)
assert (offline_count > orig_offline_count)
def test_021_shieldOffNmap(self):
# enable logging of blocked settings
netsettings = uvmContext.networkManager().getNetworkSettings()
netsettings['logBlockedSessions'] = True
netsettings['logBypassedSessions'] = True
uvmContext.networkManager().setNetworkSettings(netsettings)
settings = app.getSettings()
settings['shieldEnabled'] = False
app.setSettings(settings)
start_time = datetime.datetime.now()
result = remote_control.run_command(
"nmap -PN -sT -T5 --min-parallelism 15 -p10000-10100 1.2.3.5 2>&1 >/dev/null"
)
assert (result == 0)
events = global_functions.get_events('Shield',
'Blocked Session Events', None, 1)
assert (events != None)
found = global_functions.check_events(events.get('list'),
5,
'c_client_addr',
remote_control.client_ip,
's_server_addr',
'1.2.3.5',
min_date=start_time)
assert (not found)
def test_035_arp_test_wan_offline(self):
if runtests.quick_tests_only:
raise unittest.SkipTest('Skipping a time consuming test')
if (len(indexOfWans) < 2):
raise unittest.SkipTest(
"Need at least two WANS for test_035_addArpFailTestForWans")
nuke_rules()
orig_offline_count = offline_wan_count()
netsettings = uvmContext.networkManager().getNetworkSettings()
# Add a fake gateway for each of the interfaces
for wanIndexTup in indexOfWans:
wanIndex = wanIndexTup[0]
# set gateway to fake gateway
set_interface_field(wanIndex, netsettings, 'v4StaticGateway',
'192.168.244.' + str(wanIndex))
set_interface_field(wanIndex, netsettings, 'v4AutoGatewayOverride',
'192.168.244.' + str(wanIndex))
build_wan_test(wanIndex, "arp")
uvmContext.networkManager().setNetworkSettings(netsettings)
wait_for_wan_offline()
offline_count = offline_wan_count()
uvmContext.networkManager().setNetworkSettings(orig_netsettings)
assert (offline_count > orig_offline_count)
result = remote_control.is_online()
assert (result == 0)
def test_080_routedWanVsNetworkRoute(self):
# Test that Networking routes override routed rules in WAN Balancer
if (len(index_of_wans) < 2):
raise unittest.SkipTest("Need at least two WANS for test_080_routedWanVsNetworkRoute")
netsettings = netsettings = uvmContext.networkManager().getNetworkSettings()
nuke_wan_balancer_route_rules()
set_wan_weight("all", 0)
weightedIndexTup = index_of_wans[0]
routedIndexTup = index_of_wans[1]
set_wan_weight(weightedIndexTup[0], 100) # set primary to 100%
# configure route in network which uses the second WAN for test.untangle.com
routedIP = routedIndexTup[2]
routedIPGateway = routedIndexTup[3]
append_route_rule(create_route_rule(ip_address_testdestination,32,routedIPGateway))
result1 = global_functions.get_public_ip_address()
print("Routed IP %s and retrieved IP %s" % (routedIP, result1))
# Add WAN route IP to Balancer
build_single_wan_route_rule("DST_ADDR",ip_address_testdestination,weightedIndexTup[0])
result2 = global_functions.get_public_ip_address(extra_options="--no-check-certificate --secure-protocol=auto")
print("Routed IP %s and retrieved IP %s" % (routedIP, result2))
uvmContext.networkManager().setNetworkSettings(orig_netsettings)
assert (result1 == routedIP)
assert (result2 == routedIP)
def test_032_netSettingsAndCustomWGNetworks(self):
"""Test if changing the Network Settings LAN address DOES NOT update custom local networks in the WG app"""
# Address we want to test with
testingAddressNet = "192.168.90"
testingAddress = testingAddressNet + ".1"
testingDhcpStart = testingAddressNet + ".100"
testingDhcpEnd = testingAddressNet + ".200"
testingCustomWGAddr = "192.168.92.0/24"
# Pull out the current WG settings and the current Network Settings
origWGSettings = self._app.getSettings()
origNetSettings = uvmContext.networkManager().getNetworkSettings()
# Verify the WG settings don't already have this address stored
assert(testingAddressNet not in origWGSettings['networks'])
# deepcopy network settings for manipulation
newNetSettings = copy.deepcopy( origNetSettings )
# deepcopy WG settings for manipulation
newWGSettings = copy.deepcopy( origWGSettings )
# update WG settings with a custom configuration
newWGSettings['networks'] = testingCustomWGAddr
self._app.setSettings(newWGSettings)
# Verify custom configuration is returned with get settings
assert(testingCustomWGAddr in self._app.getSettings()['networks'])
# Find a DHCP LAN device and set it's address to the testing address
for intf in newNetSettings['interfaces']['list']:
if not intf['isWan']:
intf['v4StaticAddress'] = testingAddress
if intf['dhcpEnabled']:
intf['dhcpRangeStart'] = testingDhcpStart
intf['dhcpRangeEnd'] = testingDhcpEnd
break
# Set the settings to new config
uvmContext.networkManager().setNetworkSettings( newNetSettings )
# Test that the custom WG network exists in the latest WG networks list, and that the local networks are not
wgSettings = self._app.getSettings()
assert(testingAddressNet not in wgSettings['networks'])
assert(testingCustomWGAddr in wgSettings['networks'])
# Set app back to normal
self._app.setSettings(origWGSettings)
# Set network settings back to normal
uvmContext.networkManager().setNetworkSettings( origNetSettings )
# Get the WG settings again to verify
wgSettings = self._app.getSettings()
# Assert that old settings were set back properly
assert(testingAddressNet not in wgSettings['networks'])
assert(testingCustomWGAddr not in wgSettings['networks'])
def final_extra_tear_down(cls):
global appAD
# Restore original settings to return to initial settings
# print("orig_netsettings <%s>" % orig_netsettings)
uvmContext.networkManager().setNetworkSettings(orig_netsettings)
if appAD != None:
uvmContext.appManager().destroy(appAD.getAppSettings()["id"])
appAD = None
def test_110_networkRouteWanDown(self):
# create a network route and then down the wan which the route is set to
# if there are more than one WAN
if runtests.quick_tests_only:
raise unittest.SkipTest('Skipping a time consuming test')
if (len(index_of_wans) < 2):
raise unittest.SkipTest("Need at least two WANS for combination of wan-balancer and wan failover tests")
netsettings = uvmContext.networkManager().getNetworkSettings()
nuke_wan_balancer_rules()
for wanIndexTup in index_of_wans:
# Add networking route which does not handle re-routing if WAN is down
# get the WAN IP address which was source routed
wanIndex = wanIndexTup[0]
print("Testing interface: %s" % str(wanIndexTup))
sys.stdout.flush()
# Get the external IP of the interface selected.
routedIP = wanIndexTup[2]
wanGatewayIP = wanIndexTup[3]
netsettings['staticRoutes']['list']=[]
netsettings['staticRoutes']['list'].append(create_route_rule(ip_address_testdestination,32,wanGatewayIP))
uvmContext.networkManager().setNetworkSettings(netsettings)
# Test that only the routed interface is used 5 times
subprocess.check_output("ip route flush cache", shell=True)
for x in range(0, 5):
result = ""
timeout = 60
while (timeout > 0 and result == ""):
time.sleep(1)
timeout -= 1
result = remote_control.run_command("wget --timeout=4 -q -O - \"$@\" test.untangle.com/cgi-bin/myipaddress.py",stdout=True)
print("Network Routed IP %s and retrieved IP %s" % (routedIP, result))
assert (result == routedIP)
# now down the selected wan and see if traffic flows out the other wan
build_wan_test_rule(wanIndex, "ping", "192.168.244.1")
# Wait for targeted the WAN to be off line before testing that the WAN is off line.
timeout = 60
online = True
offlineWanIndex = wanIndex
while online and timeout > 0:
time.sleep(1)
timeout -= 1
wanStatus = app_wan_failover.getWanStatus()
for statusInterface in wanStatus['list']:
if statusInterface['interfaceId'] == offlineWanIndex:
print("Waiting on WAN %i to go offline... %s " % (wanIndex,str(statusInterface)))
sys.stdout.flush()
online = statusInterface['online']
subprocess.check_output("ip route flush cache", shell=True)
for x in range(0, 5):
result = global_functions.get_public_ip_address()
print("WAN Down Network Routed IP %s and retrieved IP %s" % (routedIP, result))
assert (result == routedIP)
# Remove failover rules
nuke_wan_failover_rules()
# Remove static routes
uvmContext.networkManager().setNetworkSettings(orig_netsettings)
def initial_extra_setup(cls):
global orig_network_settings, orig_network_settings_with_qos, orig_network_settings_without_qos, pre_down_speed_kbit, wan_limit_kbit, wan_limit_mbit, target_server
settings = cls._app.getSettings()
settings["configured"] = True
cls._app.setSettings(settings)
cls._app.start()
cls._app_web_filter = uvmContext.appManager().instantiate(
cls.appNameWF(), 1)
if orig_network_settings == None:
orig_network_settings = uvmContext.networkManager(
).getNetworkSettings()
# disable QoS
netsettings = copy.deepcopy(orig_network_settings)
netsettings['qosSettings']['qosEnabled'] = False
uvmContext.networkManager().setNetworkSettings(netsettings)
# measure speed
localTargetResult = subprocess.call(["ping", "-c", "1", target_server],
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
if (localTargetResult != 0):
# local bandwidth target server not available so use test.untangle.com
target_server = global_functions.TEST_SERVER_HOST
pre_down_speed_kbit = global_functions.get_download_speed(
download_server=target_server)
# calculate QoS limits
wan_limit_kbit = int((pre_down_speed_kbit * 8) * .9)
# set max to 100Mbit, so that other limiting factors dont interfere
if wan_limit_kbit > 100000: wan_limit_kbit = 100000
wan_limit_mbit = round(wan_limit_kbit / 1024, 2)
# turn on QoS and set wan speed limits
netsettings = copy.deepcopy(orig_network_settings)
netsettings['qosSettings']['qosEnabled'] = True
i = 0
for interface in netsettings['interfaces']['list']:
if interface['isWan']:
netsettings['interfaces']['list'][i][
'downloadBandwidthKbps'] = wan_limit_kbit
netsettings['interfaces']['list'][i][
'uploadBandwidthKbps'] = wan_limit_kbit
i += 1
netsettings['bypassRules']['list'] = []
netsettings['qosSettings']['qosRules']['list'] = []
# These store the "new" defaults with and without QoS
orig_network_settings_with_qos = copy.deepcopy(netsettings)
orig_network_settings_with_qos['qosSettings']['qosEnabled'] = True
orig_network_settings_without_qos = copy.deepcopy(netsettings)
orig_network_settings_without_qos['qosSettings']['qosEnabled'] = False
uvmContext.networkManager().setNetworkSettings(
orig_network_settings_with_qos)
def final_extra_tear_down(cls):
global app_wan_failover
# Restore original settings to return to initial settings
if app_wan_failover != None:
uvmContext.appManager().destroy( app_wan_failover.getAppSettings()["id"] )
app_wan_failover = None
if orig_netsettings != None:
uvmContext.networkManager().setNetworkSettings(orig_netsettings)
def final_extra_tear_down(cls):
global orig_network_settings
# Restore original settings to return to initial settings
if orig_network_settings != None:
uvmContext.networkManager().setNetworkSettings(
orig_network_settings)
if cls._app_web_filter != None:
uvmContext.appManager().destroy(
cls._app_web_filter.getAppSettings()["id"])
cls._app_web_filter = None
def final_tear_down(self):
global app, app_web_filter, orig_network_settings
# Restore original settings to return to initial settings
if orig_network_settings != None:
uvmContext.networkManager().setNetworkSettings( orig_network_settings )
if app != None:
uvmContext.appManager().destroy( app.getAppSettings()["id"] )
app = None
if app_web_filter != None:
uvmContext.appManager().destroy( app_web_filter.getAppSettings()["id"] )
app_web_filter = None
def initial_setup(self):
global app, app_web_filter, orig_network_settings, orig_network_settings_with_qos, orig_network_settings_without_qos, pre_down_speed_kbit, wan_limit_kbit, wan_limit_mbit
if (uvmContext.appManager().isInstantiated(self.module_name())):
raise Exception('app %s already instantiated' % self.module_name())
app = uvmContext.appManager().instantiate(self.module_name(),
default_policy_id)
settings = app.getSettings()
settings["configured"] = True
app.setSettings(settings)
app.start()
if (uvmContext.appManager().isInstantiated(self.appNameWF())):
raise Exception('app %s already instantiated' % self.appNameWF())
app_web_filter = uvmContext.appManager().instantiate(
self.appNameWF(), default_policy_id)
if orig_network_settings == None:
orig_network_settings = uvmContext.networkManager(
).getNetworkSettings()
# disable QoS
netsettings = copy.deepcopy(orig_network_settings)
netsettings['qosSettings']['qosEnabled'] = False
uvmContext.networkManager().setNetworkSettings(netsettings)
# measure speed
pre_down_speed_kbit = global_functions.get_download_speed(
download_server="test.untangle.com")
# calculate QoS limits
wan_limit_kbit = int((pre_down_speed_kbit * 8) * .9)
# set max to 100Mbit, so that other limiting factors dont interfere
if wan_limit_kbit > 100000: wan_limit_kbit = 100000
wan_limit_mbit = round(wan_limit_kbit / 1024, 2)
# turn on QoS and set wan speed limits
netsettings = copy.deepcopy(orig_network_settings)
netsettings['qosSettings']['qosEnabled'] = True
i = 0
for interface in netsettings['interfaces']['list']:
if interface['isWan']:
netsettings['interfaces']['list'][i][
'downloadBandwidthKbps'] = wan_limit_kbit
netsettings['interfaces']['list'][i][
'uploadBandwidthKbps'] = wan_limit_kbit
i += 1
netsettings['bypassRules']['list'] = []
netsettings['qosSettings']['qosRules']['list'] = []
# These store the "new" defaults with and without QoS
orig_network_settings_with_qos = copy.deepcopy(netsettings)
orig_network_settings_with_qos['qosSettings']['qosEnabled'] = True
orig_network_settings_without_qos = copy.deepcopy(netsettings)
orig_network_settings_without_qos['qosSettings']['qosEnabled'] = False
uvmContext.networkManager().setNetworkSettings(
orig_network_settings_with_qos)
def test_100_wanBalancerRouteWanDown(self):
# create a source route and then down the wan which the route is set to
# if there are more than one WAN
if runtests.quick_tests_only:
raise unittest.SkipTest('Skipping a time consuming test')
if (len(index_of_wans) < 2):
raise unittest.SkipTest(
"Need at least two WANS for combination of wan-balancer and wan failover tests"
)
if same_wan_network(index_of_wans):
raise unittest.SkipTest("WANS on same network")
netsettings = uvmContext.networkManager().getNetworkSettings()
for wanIndexTup in index_of_wans:
wanIndex = wanIndexTup[0]
nuke_wan_balancer_rules()
# Get the external IP of the interface selected.
routedIP = wanIndexTup[2]
# WAN index for route rules is from networking list. Balance is zero
build_single_wan_route_rule("DST_ADDR", ip_address_testdestination,
wanIndex)
# Test that only the routed interface is used 5 times2
subprocess.check_output("ip route flush cache", shell=True)
for x in range(0, 5):
result = remote_control.run_command(
"wget --timeout=4 -q -O - \"$@\" test.untangle.com/cgi-bin/myipaddress.py",
stdout=True)
print("WAN Balancer Routed IP %s and retrieved IP %s" %
(routedIP, result))
assert (result == routedIP)
# now down the selected wan and see if traffic flows out the other wan
build_wan_test_rule(wanIndex, "ping", "192.168.244.1")
# Wait for targeted the WAN to be off line before testing that the WAN is off line.
timeout = 50000
online = True
offlineWanIndex = wanIndex
while online and timeout > 0:
timeout -= 1
wanStatus = app_wan_failover.getWanStatus()
for statusInterface in wanStatus['list']:
if statusInterface['interfaceId'] == offlineWanIndex:
online = statusInterface['online']
time.sleep(10) # Let WAN balancer see that the interface is down
subprocess.check_output("ip route flush cache", shell=True)
for x in range(0, 5):
result = global_functions.get_public_ip_address()
print(
"WAN Down WAN Balancer Routed IP %s and retrieved IP %s" %
(routedIP, result))
assert (result != routedIP)
nuke_wan_balancer_rules()
nuke_wan_failover_rules()
uvmContext.networkManager().setNetworkSettings(orig_netsettings)
def final_tear_down(cls, unused=None):
uvmContext.networkManager().setNetworkSettings(cls._orig_netsettings)
if cls._app:
cls.final_extra_tear_down()
if not cls.do_not_remove_app:
name = cls.module_name()
if cls._app or uvmContext.appManager().isInstantiated(name):
uvmContext.appManager().destroy(cls.get_app_id())
cls._app = None
def final_tear_down(self):
global app, appAD
# Restore original settings to return to initial settings
# print("orig_netsettings <%s>" % orig_netsettings)
uvmContext.networkManager().setNetworkSettings(orig_netsettings)
if app != None:
uvmContext.appManager().destroy( app.getAppSettings()["id"] )
app = None
if appAD != None:
uvmContext.appManager().destroy( appAD.getAppSettings()["id"] )
appAD = None
def test_031_netSettingsAndDefaultWGNetworks(self):
"""Test if changing the Network Settings LAN address properly updates the wireguard local networks"""
#if the configuration is Bridged, Local Networks are not imported into WireGuard's settings, so this test would fail. Skip it.
if global_functions.is_bridged(wanIP):
raise unittest.SkipTest(
"skipping on Bridged configuration, no Local Networks")
# Address we want to test with
testingAddressNet = "192.168.90"
testingAddress = testingAddressNet + ".1"
testingDhcpStart = testingAddressNet + ".100"
testingDhcpEnd = testingAddressNet + ".200"
# Pull out the current WG settings and the current Network Settings
wgSettings = self._app.getSettings()
origNetSettings = uvmContext.networkManager().getNetworkSettings()
# deepcopy WG network settings for manipulation
newNetSettings = copy.deepcopy(origNetSettings)
# Verify the WG settings don't already have this address stored
assert (testingAddressNet
not in wgSettings['networks']['list'][0]['address'])
# Find a DHCP LAN device and set it's address to the testing address
for intf in newNetSettings['interfaces']['list']:
if not intf['isWan']:
intf['v4StaticAddress'] = testingAddress
if intf['dhcpEnabled']:
intf['dhcpRangeStart'] = testingDhcpStart
intf['dhcpRangeEnd'] = testingDhcpEnd
break
# Set the settings to new config
uvmContext.networkManager().setNetworkSettings(newNetSettings)
# Query the WG settings to assert if that address made it in
newWGSettings = self._app.getSettings()
# Test that new WG LAN matches network LAN
assert (testingAddressNet
in newWGSettings['networks']['list'][0]['address'])
# Set network settings back to normal
uvmContext.networkManager().setNetworkSettings(origNetSettings)
# Get the WG settings again to verify
wgSettings = self._app.getSettings()
# Assert that old settings were set back properly proper now
assert (testingAddressNet
not in wgSettings['networks']['list'][0]['address'])
def final_tear_down(self):
global orig_netsettings
# Restore original settings to return to initial settings
# print("orig_netsettings <%s>" % orig_netsettings)
uvmContext.networkManager().setNetworkSettings(orig_netsettings)
settings = app.getSettings()
settings['shieldEnabled'] = default_enabled
app.setSettings(settings)
# sleep so the reputation goes down so it will not interfere with any future tests
time.sleep(3)
def test_021_severely_limited_udp(self):
global wan_limit_mbit
# severely limited means 10% of wan download bandwidth
expectedSpeedMbit = wan_limit_mbit * .1
# a udp iperf test will fail if it loses more than 40% of sent
# packets, so make sure expectedSpeedMbit is a little less than
# 60% of targetSpeedMbit
targetSpeedMbit = str(expectedSpeedMbit * 1.6) + "M"
if runtests.quick_tests_only:
raise unittest.SkipTest('Skipping a time consuming test')
# We will use iperf server and iperf for this test.
wan_IP = uvmContext.networkManager().getFirstWanAddress()
iperfAvailable = global_functions.verify_iperf_configuration(wan_IP)
if (not iperfAvailable):
raise unittest.SkipTest(
"Iperf server and/or iperf not available, skipping alternate port forwarding test"
)
# Enabled QoS
netsettings = uvmContext.networkManager().getNetworkSettings()
nuke_rules(self._app)
append_rule(
self._app,
create_single_condition_rule("DST_PORT", "5000", "SET_PRIORITY",
1))
pre_UDP_speed = global_functions.get_udp_download_speed(
receiverip=global_functions.iperf_server,
senderip=remote_control.client_ip,
targetRate=targetSpeedMbit)
# Create DST_PORT based rule to limit bandwidth
nuke_rules(self._app)
append_rule(
self._app,
create_single_condition_rule("DST_PORT", "5000", "SET_PRIORITY",
7))
post_UDP_speed = global_functions.get_udp_download_speed(
receiverip=global_functions.iperf_server,
senderip=remote_control.client_ip,
targetRate=targetSpeedMbit)
print_results(pre_UDP_speed, post_UDP_speed,
(wan_limit_kbit / 8) * 0.1, pre_UDP_speed * .9)
assert (pre_UDP_speed != 0)
assert (post_UDP_speed != 0)
assert (post_UDP_speed < pre_UDP_speed * .9)
def test_014_qos_bypass_custom_rules_udp(self):
global wan_limit_mbit
targetSpeedMbit = str(wan_limit_mbit)+"M"
if runtests.quick_tests_only:
raise unittest.SkipTest('Skipping a time consuming test')
# We will use iperf server and iperf for this test.
wan_IP = uvmContext.networkManager().getFirstWanAddress()
iperfAvailable = global_functions.verify_iperf_configuration(wan_IP)
if (not iperfAvailable):
raise unittest.SkipTest("Iperf server and/or iperf not available")
netsettings = uvmContext.networkManager().getNetworkSettings()
netsettings['bypassRules']['list'].append( create_bypass_condition_rule("DST_PORT","5000") )
netsettings['qosSettings']['qosRules']["list"].append( create_qos_custom_rule("DST_PORT","5000", 1) )
uvmContext.networkManager().setNetworkSettings( netsettings )
pre_UDP_speed = global_functions.get_udp_download_speed( receiverip=global_functions.iperf_server, senderip=remote_control.client_ip, targetRate=targetSpeedMbit )
netsettings['qosSettings']['qosRules']['list'] = []
netsettings['qosSettings']['qosRules']["list"].append( create_qos_custom_rule("DST_PORT","5000", 7) )
uvmContext.networkManager().setNetworkSettings( netsettings )
post_UDP_speed = global_functions.get_udp_download_speed( receiverip=global_functions.iperf_server, senderip=remote_control.client_ip, targetRate=targetSpeedMbit )
# Restore original network settings
uvmContext.networkManager().setNetworkSettings( orig_network_settings_with_qos )
print_results( pre_UDP_speed, post_UDP_speed, (wan_limit_kbit/8)*0.1, pre_UDP_speed*.9 )
assert (post_UDP_speed < pre_UDP_speed*.9)
def test_030_restartNetworkVerifyIpsecTunnel(self):
# save a setting in networking and test ipsec tunnel is set connected.
global tunnelUp
if (not tunnelUp):
raise unittest.SkipTest("Test test_020_createIpsecTunnel success required ")
netsettings = uvmContext.networkManager().getNetworkSettings()
uvmContext.networkManager().setNetworkSettings(netsettings)
time.sleep(10) # wait for networking to restart
ipsecHostLANResult = remote_control.run_command("wget -q -O /dev/null --no-check-certificate -4 -t 2 --timeout=5 https://%s/" % ipsecHostLANIP)
ipsecPcLanResult = remote_control.run_command("ping -c 1 %s" % ipsecPcLANIP)
# delete tunnel
nukeIPSecTunnels()
tunnelUp = False
assert (ipsecHostLANResult == 0)
assert (ipsecPcLanResult == 0)
def test_052_functional_icmp_log(self):
"""
Check for ICMP (ping)
"""
global app, appSettings
if runtests.quick_tests_only:
raise unittest.SkipTest('Skipping a time consuming test')
wan_ip = uvmContext.networkManager().getFirstWanAddress()
iperf_avail = global_functions.verify_iperf_configuration(wan_ip)
device_in_office = global_functions.is_in_office_network(wan_ip)
# Also test that it can probably reach us (we're on a 10.x network)
if not device_in_office:
raise unittest.SkipTest("Not on office network, skipping")
if (not iperf_avail):
raise unittest.SkipTest("IperfServer test client unreachable, skipping alternate port forwarding test")
# insert rule at the beginning of the list so other rules do not interfere.
appSettings['rules']['list'].insert(0,create_rule(action="log", rule_type="CATEGORY", type_value="scan"))
app.setSettings(appSettings, True)
wait_for_daemon_ready()
startTime = datetime.datetime.now()
remote_control.run_command("nmap -sP " + wan_ip + " >/dev/null 2>&1",host=global_functions.iperf_server)
app.forceUpdateStats()
events = global_functions.get_events('Intrusion Prevention','All Events',None,5)
found = global_functions.check_events( events.get('list'), 5,
'protocol', "1",
'blocked', False,
min_date=startTime)
del appSettings['rules']['list'][0] # delete the first rule just added
app.setSettings(appSettings, True)
assert(found)
def test_060_createIpsecTunnelHostname(self):
if (ipsecHostResult != 0):
raise unittest.SkipTest("No paried IPSec server available")
pre_events_enabled = global_functions.get_app_metric_value(app,"enabled")
wan_IP = uvmContext.networkManager().getFirstWanAddress()
pairMatchNotFound = True
listOfPairs = ""
addDNSRule(createDNSRule(ipsecHost,ipsecHostname))
# verify L2TP is off NGFW-7212
ipsecSettings = app.getSettings()
ipsecSettings["vpnflag"] = False
app.setSettings(ipsecSettings)
for hostConfig in configuredHostIPs:
print(hostConfig[0])
listOfPairs += str(hostConfig[0]) + ", "
if (wan_IP in hostConfig[0]):
appendTunnel(addIPSecTunnel(ipsecHostname,ipsecHostLAN,hostConfig[0],hostConfig[1],hostConfig[2]))
pairMatchNotFound = False
if (pairMatchNotFound):
raise unittest.SkipTest("IPsec test only configed for IPs %s" % (listOfPairs))
timeout = 10
ipsecHostLANResult = 1
while (ipsecHostLANResult != 0 and timeout > 0):
timeout -= 1
time.sleep(1)
# ping the remote LAN to see if the IPsec tunnel is connected.
ipsecHostLANResult = remote_control.run_command("wget -q -O /dev/null --no-check-certificate -4 -t 2 --timeout=5 https://%s/" % ipsecHostLANIP)
post_events_enabled = global_functions.get_app_metric_value(app,"enabled")
nukeIPSecTunnels()
assert (ipsecHostLANResult == 0)
# Check to see if the faceplate counters have incremented.
assert(pre_events_enabled < post_events_enabled)
def test_050_windowsL2TPRadiusDirectory(self):
global appAD
wan_IP = uvmContext.networkManager().getFirstWanAddress()
if (radiusResult != 0):
raise unittest.SkipTest("No RADIUS server available")
if (l2tpClientHostResult != 0):
raise unittest.SkipTest("l2tpClientHostResult not available")
if (not wan_IP in l2tpServerHosts):
raise unittest.SkipTest("No paried L2TP client available")
# Configure RADIUS settings
appAD.setSettings(createRadiusSettings())
createL2TPconfig("RADIUS_SERVER")
timeout = 480
found = False
vpnServerResult = remote_control.run_command("rasdial.exe %s %s %s" % (wan_IP,global_functions.RADIUS_USER,global_functions.RADIUS_PASSWORD), host=l2tpClientHost)
while not found and timeout > 0:
timeout -= 1
time.sleep(1)
virtUsers = app.getVirtualUsers()
for user in virtUsers['list']:
if user['clientUsername'] == global_functions.RADIUS_USER:
found = True
# Send command for Windows VPN disconnect.
vpnServerResult = remote_control.run_command("rasdial.exe %s /d" % (wan_IP), host=l2tpClientHost)
assert(found)
def test_020_createIpsecTunnel(self):
global tunnelUp
if (ipsecHostResult != 0):
raise unittest.SkipTest("No paried IPSec server available")
pre_events_enabled = global_functions.get_app_metric_value(app,"enabled")
wan_IP = uvmContext.networkManager().getFirstWanAddress()
pairMatchNotFound = True
listOfPairs = ""
for hostConfig in configuredHostIPs:
print(hostConfig[0])
listOfPairs += str(hostConfig[0]) + ", "
if (wan_IP in hostConfig[0]):
appendTunnel(addIPSecTunnel(ipsecHost,ipsecHostLAN,hostConfig[0],hostConfig[1],hostConfig[2]))
pairMatchNotFound = False
if (pairMatchNotFound):
raise unittest.SkipTest("IPsec test only configed for IPs %s" % (listOfPairs))
timeout = 10
ipsecHostLANResult = 1
while (ipsecHostLANResult != 0 and timeout > 0):
timeout -= 1
time.sleep(1)
# ping the remote LAN to see if the IPsec tunnel is connected.
ipsecHostLANResult = remote_control.run_command("wget -q -O /dev/null --no-check-certificate -4 -t 2 --timeout=5 https://%s/" % ipsecHostLANIP)
assert (ipsecHostLANResult == 0)
ipsecPcLanResult = remote_control.run_command("ping -c 1 %s" % ipsecPcLANIP)
assert (ipsecPcLanResult == 0)
tunnelUp = True
# Check to see if the faceplate counters have incremented.
post_events_enabled = global_functions.get_app_metric_value(app,"enabled")
assert(pre_events_enabled < post_events_enabled)
def initial_setup(self):
global app, orig_settings, test_email_address, can_relay, can_syslog, syslog_server_host, web_app
if (uvmContext.appManager().isInstantiated(self.module_name())):
# report app is normally installed.
# print("App %s already installed" % self.module_name())
# raise Exception('app %s already instantiated' % self.module_name())
app = uvmContext.appManager().app(self.module_name())
else:
app = uvmContext.appManager().instantiate(self.module_name(), default_policy_id)
reportSettings = app.getSettings()
orig_settings = copy.deepcopy(reportSettings)
if (uvmContext.appManager().isInstantiated(self.webAppName())):
raise Exception('app %s already instantiated' % self.webAppName())
web_app = uvmContext.appManager().instantiate(self.webAppName(), default_policy_id)
# Skip checking relaying is possible if we have determined it as true on previous test.
try:
can_relay = global_functions.send_test_email()
except Exception as e:
can_relay = False
if can_syslog == None:
can_syslog = False
wan_IP = uvmContext.networkManager().getFirstWanAddress()
syslog_server_host = global_functions.find_syslog_server(wan_IP)
if syslog_server_host:
portResult = remote_control.run_command("sudo lsof -i :514", host=syslog_server_host)
if portResult == 0:
can_syslog = True
def initial_setup(self):
global app, orig_netsettings, ipsecHostResult, l2tpClientHostResult, appAD, appDataRD, radiusResult
tunnelUp = False
if (uvmContext.appManager().isInstantiated(self.module_name())):
raise Exception('app %s already instantiated' % self.module_name())
app = uvmContext.appManager().instantiate(self.module_name(),
default_policy_id)
if (uvmContext.appManager().isInstantiated(self.appNameAD())):
raise unittest.SkipTest('app %s already instantiated' %
self.module_name())
if orig_netsettings == None:
orig_netsettings = uvmContext.networkManager().getNetworkSettings()
appAD = uvmContext.appManager().instantiate(self.appNameAD(),
default_policy_id)
appDataRD = appAD.getSettings().get('radiusSettings')
ipsecHostResult = subprocess.call(["ping", "-c", "1", ipsecHost],
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
l2tpClientHostResult = subprocess.call(
["ping", "-c", "1", l2tpClientHost],
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
radiusResult = subprocess.call(
["ping", "-c", "1", global_functions.RADIUS_SERVER],
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
def test_080_nmap_log(self):
global app, appSettings
if runtests.quick_tests_only:
raise unittest.SkipTest('Skipping a time consuming test')
wan_ip = uvmContext.networkManager().getFirstWanAddress()
iperf_avail = global_functions.verify_iperf_configuration(wan_ip)
device_in_office = global_functions.is_in_office_network(wan_ip)
# Also test that it can probably reach us (we're on a 10.x network)
if not device_in_office:
raise unittest.SkipTest("Not on office network, skipping")
if (not iperf_avail):
raise unittest.SkipTest(
"IperfServer test client unreachable, skipping alternate port forwarding test"
)
startTime = datetime.datetime.now()
# start nmap on client
remote_control.run_command("nmap " + wan_ip + " >/dev/null 2>&1",
host=global_functions.iperf_server)
app.forceUpdateStats()
events = global_functions.get_events('Intrusion Prevention',
'All Events', None, 5)
found = global_functions.check_events(events.get('list'),
5,
'msg',
"NMAP",
'blocked',
False,
min_date=startTime)
def test_052_functional_icmp_log(self):
"""
Check for ICMP (ping)
"""
global app, appSettings
if runtests.quick_tests_only:
raise unittest.SkipTest('Skipping a time consuming test')
wan_ip = uvmContext.networkManager().getFirstWanAddress()
iperf_avail = global_functions.verify_iperf_configuration(wan_ip)
device_in_office = global_functions.is_in_office_network(wan_ip)
# Also test that it can probably reach us (we're on a 10.x network)
if not device_in_office:
raise unittest.SkipTest("Not on office network, skipping")
if (not iperf_avail):
raise unittest.SkipTest("IperfServer test client unreachable, skipping alternate port forwarding test")
# insert rule at the beginning of the list so other rules do not interfere.
appSettings['rules']['list'].insert(0,create_rule(action="log", rule_type="CATEGORY", type_value="scan"))
app.setSettings(appSettings, True)
wait_for_daemon_ready()
startTime = datetime.datetime.now()
remote_control.run_command("nmap -sP " + wan_ip + " >/dev/null 2>&1",host=global_functions.iperf_server)
app.forceUpdateStats()
events = global_functions.get_events('Intrusion Prevention','All Events',None,5)
found = global_functions.check_events( events.get('list'), 5,
'protocol', "1",
'blocked', False,
min_date=startTime)
del appSettings['rules']['list'][0] # delete the first rule just added
app.setSettings(appSettings, True)
assert(found)
def initial_setup(cls, unused=None):
cls._orig_netsettings = uvmContext.networkManager().getNetworkSettings(
)
if not cls.not_an_app:
name = cls.module_name()
print("initial_setup for app %s" % name)
if cls._app or uvmContext.appManager().isInstantiated(name):
if cls.skip_instantiated() and name not in [
"reports", "shield"
]:
pytest.skip('app %s already instantiated' %
cls.module_name())
else:
if cls.do_not_install_app: # grab
cls._app = uvmContext.appManager().app(name)
else: # delete and install
cls.final_tear_down()
cls._app = uvmContext.appManager().instantiate(
name, cls.default_policy_id)
else:
print("starting %s" % (name, ))
cls._app = uvmContext.appManager().instantiate(
name, cls.default_policy_id)
if cls.force_start:
cls._app.start()
if cls.wait_for_daemon_ready:
cls.do_wait_for_daemon_ready()
if not cls.no_settings:
cls._appSettings = cls._app.getSettings()
cls.initial_extra_setup()
def initial_extra_setup(cls):
global orig_settings, test_email_address, can_relay, can_syslog, syslog_server_host, web_app
reportSettings = cls._app.getSettings()
orig_settings = copy.deepcopy(reportSettings)
if (uvmContext.appManager().isInstantiated(cls.webAppName())):
raise Exception('app %s already instantiated' % cls.webAppName())
web_app = uvmContext.appManager().instantiate(cls.webAppName(),
default_policy_id)
# Skip checking relaying is possible if we have determined it as true on previous test.
try:
can_relay = global_functions.send_test_email()
except Exception as e:
can_relay = False
if can_syslog == None:
can_syslog = False
wan_IP = uvmContext.networkManager().getFirstWanAddress()
syslog_server_host = global_functions.find_syslog_server(wan_IP)
if syslog_server_host:
portResult = remote_control.run_command(
"sudo lsof -i :514", host=syslog_server_host)
if portResult == 0:
can_syslog = True
def test_050_windowsL2TPRadiusDirectory(self):
global appAD
wan_IP = uvmContext.networkManager().getFirstWanAddress()
if (radiusResult != 0):
raise unittest.SkipTest("No RADIUS server available")
if (l2tpClientHostResult != 0):
raise unittest.SkipTest("l2tpClientHostResult not available")
if (not wan_IP in l2tpServerHosts):
raise unittest.SkipTest("No paried L2TP client available")
# Configure RADIUS settings
appAD.setSettings(createRadiusSettings())
appData = self._app.getSettings()
appData = createL2TPconfig(appData, "RADIUS_SERVER")
self._app.setSettings(appData)
timeout = 480
found = False
vpnServerResult = remote_control.run_command(
"rasdial.exe %s %s %s" % (wan_IP, global_functions.RADIUS_USER,
global_functions.RADIUS_PASSWORD),
host=l2tpClientHost)
while not found and timeout > 0:
timeout -= 1
time.sleep(1)
virtUsers = self._app.getVirtualUsers()
for user in virtUsers['list']:
if user['clientUsername'] == global_functions.RADIUS_USER:
found = True
# Send command for Windows VPN disconnect.
vpnServerResult = remote_control.run_command("rasdial.exe %s /d" %
(wan_IP),
host=l2tpClientHost)
assert (found)
def test_060_createIpsecTunnelHostname(self):
if (ipsecHostResult != 0):
raise unittest.SkipTest("No paried IPSec server available")
pre_events_enabled = global_functions.get_app_metric_value(self._app,"enabled")
wan_IP = uvmContext.networkManager().getFirstWanAddress()
pairMatchNotFound = True
listOfPairs = ""
addDNSRule(createDNSRule(ipsecHost,ipsecHostname))
# verify L2TP is off NGFW-7212
ipsecSettings = self._app.getSettings()
ipsecSettings["vpnflag"] = False
self._app.setSettings(ipsecSettings)
for hostConfig in configuredHostIPs:
print(hostConfig[0])
listOfPairs += str(hostConfig[0]) + ", "
if (wan_IP in hostConfig[0]):
appData = self._app.getSettings()
appData["tunnels"]["list"].append(addIPSecTunnel(ipsecHostname,ipsecHostLAN,hostConfig[0],hostConfig[1],hostConfig[2]))
self._app.setSettings(appData)
pairMatchNotFound = False
if (pairMatchNotFound):
raise unittest.SkipTest("IPsec test only configed for IPs %s" % (listOfPairs))
timeout = 10
ipsecHostLANResult = 1
while (ipsecHostLANResult != 0 and timeout > 0):
timeout -= 1
time.sleep(1)
# ping the remote LAN to see if the IPsec tunnel is connected.
ipsecHostLANResult = remote_control.run_command("wget -q -O /dev/null --no-check-certificate -4 -t 2 --timeout=5 https://%s/" % ipsecHostLANIP)
post_events_enabled = global_functions.get_app_metric_value(self._app,"enabled")
nukeIPSecTunnels(self._app)
assert (ipsecHostLANResult == 0)
# Check to see if the faceplate counters have incremented.
assert(pre_events_enabled < post_events_enabled)
def initial_setup(self):
global app, app_web_filter, orig_network_settings, orig_network_settings_with_qos, orig_network_settings_without_qos, pre_down_speed_kbit, wan_limit_kbit, wan_limit_mbit
if (uvmContext.appManager().isInstantiated(self.module_name())):
raise Exception('app %s already instantiated' % self.module_name())
app = uvmContext.appManager().instantiate(self.module_name(), default_policy_id)
settings = app.getSettings()
settings["configured"] = True
app.setSettings(settings)
app.start()
if (uvmContext.appManager().isInstantiated(self.appNameWF())):
raise Exception('app %s already instantiated' % self.appNameWF())
app_web_filter = uvmContext.appManager().instantiate(self.appNameWF(), default_policy_id)
if orig_network_settings == None:
orig_network_settings = uvmContext.networkManager().getNetworkSettings()
# disable QoS
netsettings = copy.deepcopy( orig_network_settings )
netsettings['qosSettings']['qosEnabled'] = False
uvmContext.networkManager().setNetworkSettings( netsettings )
# measure speed
pre_down_speed_kbit = global_functions.get_download_speed(download_server="test.untangle.com")
# calculate QoS limits
wan_limit_kbit = int((pre_down_speed_kbit*8) * .9)
# set max to 100Mbit, so that other limiting factors dont interfere
if wan_limit_kbit > 100000: wan_limit_kbit = 100000
wan_limit_mbit = round(wan_limit_kbit/1024,2)
# turn on QoS and set wan speed limits
netsettings = copy.deepcopy( orig_network_settings )
netsettings['qosSettings']['qosEnabled'] = True
i = 0
for interface in netsettings['interfaces']['list']:
if interface['isWan']:
netsettings['interfaces']['list'][i]['downloadBandwidthKbps']=wan_limit_kbit
netsettings['interfaces']['list'][i]['uploadBandwidthKbps']=wan_limit_kbit
i += 1
netsettings['bypassRules']['list'] = []
netsettings['qosSettings']['qosRules']['list'] = []
# These store the "new" defaults with and without QoS
orig_network_settings_with_qos = copy.deepcopy( netsettings )
orig_network_settings_with_qos['qosSettings']['qosEnabled'] = True
orig_network_settings_without_qos = copy.deepcopy( netsettings )
orig_network_settings_without_qos['qosSettings']['qosEnabled'] = False
uvmContext.networkManager().setNetworkSettings(orig_network_settings_with_qos)
def initial_setup(self):
global app, default_enabled, orig_netsettings
if orig_netsettings == None:
orig_netsettings = uvmContext.networkManager().getNetworkSettings()
if (not uvmContext.appManager().isInstantiated(self.module_name())):
raise Exception('app %s already instantiated' % self.module_name())
app = uvmContext.appManager().app(self.module_name())
default_enabled = app.getSettings()['shieldEnabled']
def test_040_windowsL2TPlocalDirectory(self):
wan_IP = uvmContext.networkManager().getFirstWanAddress()
if (l2tpClientHostResult != 0):
raise unittest.SkipTest("l2tpClientHostResult not available")
if (not wan_IP in l2tpServerHosts):
raise unittest.SkipTest("No paried L2TP client available")
uvmContext.localDirectory().setUsers(createLocalDirectoryUser())
appData = self._app.getSettings()
appData = createL2TPconfig(appData, "LOCAL_DIRECTORY")
self._app.setSettings(appData)
timeout = 480
found = False
# Send command for Windows VPN connect.
vpnServerResult = remote_control.run_command(
"rasdial.exe %s %s %s" %
(wan_IP, l2tpLocalUser, l2tpLocalPassword),
host=l2tpClientHost)
if vpnServerResult == 0:
while not found and timeout > 0:
timeout -= 1
time.sleep(1)
virtUsers = self._app.getVirtualUsers()
for user in virtUsers['list']:
if user['clientUsername'] == l2tpLocalUser:
found = True
# Send command for Windows VPN disconnect.
vpnServerResult = remote_control.run_command("rasdial.exe %s /d" %
(wan_IP),
host=l2tpClientHost)
uvmContext.localDirectory().setUsers(removeLocalDirectoryUser())
assert (found)
# Use same user with different password
new_user_password = "******"
uvmContext.localDirectory().setUsers(
createLocalDirectoryUser(userpassword=new_user_password))
appData = createL2TPconfig(appData, "LOCAL_DIRECTORY")
self._app.setSettings(appData)
timeout = 480
found = False
# Send command for Windows VPN connect.
vpnServerResult = remote_control.run_command(
"rasdial.exe %s %s %s" %
(wan_IP, l2tpLocalUser, new_user_password),
host=l2tpClientHost)
if vpnServerResult == 0:
while not found and timeout > 0:
timeout -= 1
time.sleep(1)
virtUsers = self._app.getVirtualUsers()
for user in virtUsers['list']:
if user['clientUsername'] == l2tpLocalUser:
found = True
# Send command for Windows VPN disconnect.
vpnServerResult = remote_control.run_command("rasdial.exe %s /d" %
(wan_IP),
host=l2tpClientHost)
uvmContext.localDirectory().setUsers(removeLocalDirectoryUser())
assert (found)
def test_110_hosts_file_manager(self):
# get the hostname and settings from the network manager
fullName = uvmContext.networkManager().getFullyQualifiedHostname()
netsettings = uvmContext.networkManager().getNetworkSettings()
print(("Checking HostsFileManager records for " + fullName))
# perform a DNS lookup for our hostname against every non-WAN interface
# and make sure the value returned matches the address of the interface
for interface in netsettings['interfaces']['list']:
if interface['isWan'] == False and interface['configType'] == "Addressed":
if 'v4StaticAddress' in interface:
netaddr = interface['v4StaticAddress']
if netaddr:
print(("Checking hostname resolution for %s" % netaddr))
output = subprocess.check_output("dig +short @" + netaddr + " " + fullName, shell=True)
result = output.strip()
assert(result == netaddr)
def test_110_hosts_file_manager(self):
# get the hostname and settings from the network manager
fullName = uvmContext.networkManager().getFullyQualifiedHostname()
netsettings = uvmContext.networkManager().getNetworkSettings()
print(("Checking HostsFileManager records for " + fullName))
# perform a DNS lookup for our hostname against every non-WAN interface
# and make sure the value returned matches the address of the interface
for interface in netsettings['interfaces']['list']:
if interface['isWan'] == False and interface['configType'] == "Addressed":
if 'v4StaticAddress' in interface:
netaddr = interface['v4StaticAddress']
if netaddr:
print(("Checking hostname resolution for %s" % netaddr))
output = subprocess.check_output("dig +short @" + netaddr + " " + fullName, shell=True)
result = output.strip()
assert(result == netaddr)
def test_013_qos_bypass_custom_rules_tcp(self):
global app
nuke_rules()
priority_level = 7
# Record average speed without bandwidth control configured
wget_speed_pre = global_functions.get_download_speed()
# Create SRC_ADDR based custom Q0S rule to limit bypass QoS
netsettings = copy.deepcopy( orig_network_settings_with_qos )
netsettings['qosSettings']['qosRules']["list"].append( create_qos_custom_rule("SRC_ADDR",remote_control.client_ip,priority_level) )
netsettings['bypassRules']['list'].append( create_bypass_condition_rule("SRC_ADDR",remote_control.client_ip) )
uvmContext.networkManager().setNetworkSettings( netsettings )
# Download file and record the average speed in which the file was download
wget_speed_post = global_functions.get_download_speed()
# Restore original network settings
uvmContext.networkManager().setNetworkSettings( orig_network_settings_with_qos )
print_results( wget_speed_pre, wget_speed_post, wget_speed_pre*0.1, wget_speed_pre*limited_acceptance_ratio )
assert ((wget_speed_pre) and (wget_speed_post))
assert (wget_speed_pre * limited_acceptance_ratio > wget_speed_post)
def initial_setup(self):
global app, orig_netsettings, ipsecHostResult, l2tpClientHostResult, appAD, appDataRD, radiusResult
tunnelUp = False
if (uvmContext.appManager().isInstantiated(self.module_name())):
raise Exception('app %s already instantiated' % self.module_name())
app = uvmContext.appManager().instantiate(self.module_name(), default_policy_id)
if (uvmContext.appManager().isInstantiated(self.appNameAD())):
raise unittest.SkipTest('app %s already instantiated' % self.module_name())
if orig_netsettings == None:
orig_netsettings = uvmContext.networkManager().getNetworkSettings()
appAD = uvmContext.appManager().instantiate(self.appNameAD(), default_policy_id)
appDataRD = appAD.getSettings().get('radiusSettings')
ipsecHostResult = subprocess.call(["ping","-c","1",ipsecHost],stdout=subprocess.PIPE,stderr=subprocess.PIPE)
l2tpClientHostResult = subprocess.call(["ping","-c","1",l2tpClientHost],stdout=subprocess.PIPE,stderr=subprocess.PIPE)
radiusResult = subprocess.call(["ping","-c","1",global_functions.RADIUS_SERVER],stdout=subprocess.PIPE,stderr=subprocess.PIPE)
def test_040_windowsL2TPlocalDirectory(self):
wan_IP = uvmContext.networkManager().getFirstWanAddress()
if (l2tpClientHostResult != 0):
raise unittest.SkipTest("l2tpClientHostResult not available")
if (not wan_IP in l2tpServerHosts):
raise unittest.SkipTest("No paried L2TP client available")
uvmContext.localDirectory().setUsers(createLocalDirectoryUser())
createL2TPconfig("LOCAL_DIRECTORY")
timeout = 480
found = False
# Send command for Windows VPN connect.
vpnServerResult = remote_control.run_command("rasdial.exe %s %s %s" % (wan_IP,l2tpLocalUser,l2tpLocalPassword), host=l2tpClientHost)
if vpnServerResult == 0:
while not found and timeout > 0:
timeout -= 1
time.sleep(1)
virtUsers = app.getVirtualUsers()
for user in virtUsers['list']:
if user['clientUsername'] == l2tpLocalUser:
found = True
# Send command for Windows VPN disconnect.
vpnServerResult = remote_control.run_command("rasdial.exe %s /d" % (wan_IP), host=l2tpClientHost)
uvmContext.localDirectory().setUsers(removeLocalDirectoryUser())
assert(found)
# Use same user with different password
new_user_password = "******"
uvmContext.localDirectory().setUsers(createLocalDirectoryUser(userpassword=new_user_password))
createL2TPconfig("LOCAL_DIRECTORY")
timeout = 480
found = False
# Send command for Windows VPN connect.
vpnServerResult = remote_control.run_command("rasdial.exe %s %s %s" % (wan_IP,l2tpLocalUser,new_user_password), host=l2tpClientHost)
if vpnServerResult == 0:
while not found and timeout > 0:
timeout -= 1
time.sleep(1)
virtUsers = app.getVirtualUsers()
for user in virtUsers['list']:
if user['clientUsername'] == l2tpLocalUser:
found = True
# Send command for Windows VPN disconnect.
vpnServerResult = remote_control.run_command("rasdial.exe %s /d" % (wan_IP), host=l2tpClientHost)
uvmContext.localDirectory().setUsers(removeLocalDirectoryUser())
assert(found)
def initial_setup(self):
global app, appWeb, appDC, tunnelApp, appData, vpnHostResult, vpnClientResult, vpnServerResult, vpnUserPassHostResult, adResult, radiusResult
if (uvmContext.appManager().isInstantiated(self.module_name())):
raise Exception('app %s already instantiated' % self.module_name())
app = uvmContext.appManager().instantiate(self.module_name(), default_policy_id)
app.start()
appWeb = None
appDC = None
tunnelApp = None
if (uvmContext.appManager().isInstantiated(self.appWebName())):
raise Exception('app %s already instantiated' % self.appWebName())
appWeb = uvmContext.appManager().instantiate(self.appWebName(), default_policy_id)
vpnHostResult = subprocess.call(["ping","-W","5","-c","1",global_functions.VPN_SERVER_IP],stdout=subprocess.PIPE,stderr=subprocess.PIPE)
vpnUserPassHostResult = subprocess.call(["ping","-W","5","-c","1",global_functions.VPN_SERVER_USER_PASS_IP],stdout=subprocess.PIPE,stderr=subprocess.PIPE)
vpnClientResult = subprocess.call(["ping","-W","5","-c","1",global_functions.VPN_CLIENT_IP],stdout=subprocess.PIPE,stderr=subprocess.PIPE)
wanIP = uvmContext.networkManager().getFirstWanAddress()
if vpnClientResult == 0:
vpnServerResult = remote_control.run_command("ping -W 5 -c 1 " + wanIP, host=global_functions.VPN_CLIENT_IP)
else:
vpnServerResult = 1
adResult = subprocess.call(["ping","-c","1",global_functions.AD_SERVER],stdout=subprocess.PIPE,stderr=subprocess.PIPE)
radiusResult = subprocess.call(["ping","-c","1",global_functions.RADIUS_SERVER],stdout=subprocess.PIPE,stderr=subprocess.PIPE)
def test_080_nmap_log(self):
global app, appSettings
if runtests.quick_tests_only:
raise unittest.SkipTest('Skipping a time consuming test')
wan_ip = uvmContext.networkManager().getFirstWanAddress()
iperf_avail = global_functions.verify_iperf_configuration(wan_ip)
device_in_office = global_functions.is_in_office_network(wan_ip)
# Also test that it can probably reach us (we're on a 10.x network)
if not device_in_office:
raise unittest.SkipTest("Not on office network, skipping")
if (not iperf_avail):
raise unittest.SkipTest("IperfServer test client unreachable, skipping alternate port forwarding test")
startTime = datetime.datetime.now()
# start nmap on client
remote_control.run_command("nmap " + wan_ip + " >/dev/null 2>&1",host=global_functions.iperf_server)
app.forceUpdateStats()
events = global_functions.get_events('Intrusion Prevention','All Events',None,5)
found = global_functions.check_events( events.get('list'), 5,
'msg', "NMAP",
'blocked', False,
min_date=startTime)
def addDNSRule(newRule):
netsettings = uvmContext.networkManager().getNetworkSettings()
netsettings['dnsSettings']['staticEntries']['list'].insert(0,newRule)
uvmContext.networkManager().setNetworkSettings(netsettings)
