def export_threat_rulebase(package, layer, layer_uid, client):
data_dict = {}
debug_log("Exporting Threat Layer [" + layer + "]", True)
layer_settings, _, rulebase_rules, general_objects = \
get_query_rulebase_data(client, "threat-rulebase", {"name": layer, "uid": layer_uid, "package": package})
if not layer_settings:
return None, None
exception_groups = []
object_dictionary, unexportable_objects, exportable_types = \
get_objects(general_objects, client.api_version)
debug_log("Processing rules and exceptions", True)
for rulebase_rule in rulebase_rules:
replace_rule_field_uids_by_name(rulebase_rule, general_objects)
if "exceptions" in rulebase_rule:
exceptions_data_dict, exceptions_unexportable_objects = \
export_threat_exception_rulebase(package, layer, layer_uid, rulebase_rule, exception_groups, client)
if not exceptions_data_dict:
continue
merge_data(data_dict, exceptions_data_dict)
merge_data(unexportable_objects, exceptions_unexportable_objects)
cleanse_object_dictionary(object_dictionary)
for api_type in exportable_types:
debug_log(
"Exporting " + singular_to_plural_dictionary[client.api_version][api_type] + " from layer [" + layer + "]",
True)
export_general_objects(data_dict, api_type, object_dictionary[api_type], unexportable_objects, client)
debug_log("Exporting threat rules from layer [" + layer + "]", True)
format_and_merge_data(data_dict, rulebase_rules)
debug_log("Exporting Exception-Groups used in layer [" + layer + "]", True)
format_and_merge_exception_groups(data_dict, exception_groups)
debug_log("Exporting placeholders for unexportable objects from layer [" + layer + "]", True)
format_and_merge_unexportable_objects(data_dict, unexportable_objects)
debug_log("Exporting layer settings of layer [" + layer + "]", True)
format_and_merge_data(data_dict, [layer_settings])
debug_log("Done exporting layer '" + layer + "'.\n", True)
clean_objects(data_dict)
return data_dict, unexportable_objects
def export_nat_rulebase(package, client):
data_dict = {}
rulebase_rules, general_objects = get_query_nat_rulebase_data(
client, {"package": package})
object_dictionary, unexportable_objects, exportable_types = get_objects(
general_objects, client.api_version)
debug_log("Processing rules and sections", True)
for rule in rulebase_rules:
replace_rule_field_uids_by_name(rule, general_objects)
cleanse_object_dictionary(object_dictionary)
for api_type in exportable_types:
debug_log(
"Exporting " +
singular_to_plural_dictionary[client.api_version][api_type], True)
export_general_objects(data_dict, api_type,
object_dictionary[api_type],
unexportable_objects, client)
debug_log("Exporting NAT rules", True)
format_and_merge_data(data_dict, rulebase_rules)
debug_log(
"Exporting placeholders for unexportable objects from NAT rulebase",
True)
format_and_merge_unexportable_objects(data_dict, unexportable_objects)
debug_log("Done exporting NAT rulebase.\n", True)
clean_objects(data_dict)
return data_dict, unexportable_objects
def export_threat_exception_rulebase(package, layer, threat_rule,
exception_groups, client):
data_dict = {}
debug_log(
"Exporting Exception-Rulebase from Threat-Rule #" +
str(threat_rule["position"]) + " in Threat-Layer[" + layer + "]", True)
layer_settings, rulebase_sections, rulebase_rules, general_objects = \
get_query_rulebase_data(client, "threat-rule-exception-rulebase",
{"name": layer, "package": package, "rule-uid": threat_rule["uid"]})
if not layer_settings:
return None, None
object_dictionary, unexportable_objects, exportable_types = \
get_objects(general_objects, client.api_version)
to_position = None
debug_log("Processing exceptions", True)
for rulebase_object in rulebase_sections + rulebase_rules:
if "exception" in rulebase_object["type"]:
replace_exception_data(rulebase_object,
general_objects,
layer=layer,
rule_number=threat_rule["position"])
elif "section" in rulebase_object["type"]:
position_in_group = 1
for rule in rulebase_object["rulebase"]:
replace_exception_data(rule,
general_objects,
group=rulebase_object["name"],
position_in_group=position_in_group)
position_in_group += 1
if rulebase_object["name"] == "Global Exceptions":
continue
show_group_reply = client.api_call(
"show-exception-group",
payload={"name": rulebase_object["name"]})
if rulebase_object["from"]:
group_position = rulebase_object["from"]
else:
group_position = to_position if to_position else "top"
to_position = rulebase_object["to"] if rulebase_object[
"to"] else to_position
if rulebase_object["name"] not in [
x["name"] for x in exception_groups
]:
show_group_reply.data["positions"] = []
if show_group_reply.data[
"apply-on"] == "manually-select-threat-rules":
show_group_reply.data["applied-threat-rules"] = []
exception_groups.append(show_group_reply.data)
group_index = next(index
for (index, d) in enumerate(exception_groups)
if d['name'] == show_group_reply.data['name'])
exception_groups[group_index]["positions"].append(group_position)
if exception_groups[group_index][
"apply-on"] == "manually-select-threat-rules":
exception_groups[group_index]["applied-threat-rules"].append({
"layer":
layer,
"rule-number":
str(threat_rule["position"])
})
cleanse_object_dictionary(object_dictionary)
for api_type in exportable_types:
debug_log(
"Exporting " +
singular_to_plural_dictionary[client.api_version][api_type] +
" from layer [" + layer + "]", True)
export_general_objects(data_dict, api_type,
object_dictionary[api_type],
unexportable_objects, client)
debug_log("Exporting threat exceptions from layer [" + layer + "]", True)
format_and_merge_data(data_dict, rulebase_rules)
debug_log(
"Exporting placeholders for unexportable objects from layer [" +
layer + "]", True)
format_and_merge_unexportable_objects(data_dict, unexportable_objects)
debug_log("Exporting layer settings of layer [" + layer + "]", True)
format_and_merge_data(data_dict, [layer_settings])
debug_log("Done exporting layer '" + layer + "'.\n", True)
clean_objects(data_dict)
return data_dict, unexportable_objects
def export_access_rulebase(package, layer, layer_uid, client, timestamp,
tar_file):
data_dict = {}
debug_log("Exporting Access Layer [" + layer + "]", True)
layer_settings, rulebase_sections, rulebase_rules, general_objects = \
get_query_rulebase_data(client, "access-rulebase", {"name": layer, "uid": layer_uid, "package": package})
if not layer_settings:
return None, None
object_dictionary, unexportable_objects, exportable_types = \
get_objects(general_objects, client.api_version)
to_position = None
debug_log("Processing rules and sections", True)
for rulebase_item in rulebase_sections + rulebase_rules:
if "rule" in rulebase_item["type"]:
replace_rule_field_uids_by_name(rulebase_item, general_objects)
elif "section" in rulebase_item["type"]:
if "from" in rulebase_item:
rulebase_item["position"] = rulebase_item["from"]
else:
rulebase_item[
"position"] = to_position if to_position else "top"
to_position = rulebase_item[
"to"] if "to" in rulebase_item else to_position
cleanse_object_dictionary(object_dictionary)
if "access-layer" in object_dictionary:
for access_layer in object_dictionary["access-layer"]:
debug_log("Exporting Inline-Layer [" + access_layer["name"] + "]",
True)
inner_data_dict, inner_unexportable_objects = \
export_access_rulebase(package, access_layer["name"], access_layer["uid"], client, timestamp, tar_file)
layer_tar_name = \
create_tar_file(access_layer, inner_data_dict,
timestamp, ["access-rule", "access-section"], client.api_version)
inner_data_dict.pop("access-rule", None)
inner_data_dict.pop("access-section", None)
merge_data(data_dict, inner_data_dict)
merge_data(unexportable_objects, inner_unexportable_objects)
tar_file.add(layer_tar_name)
os.remove(layer_tar_name)
for api_type in exportable_types:
debug_log(
"Exporting " +
singular_to_plural_dictionary[client.api_version][api_type] +
" from layer [" + layer + "]", True)
export_general_objects(data_dict, api_type,
object_dictionary[api_type],
unexportable_objects, client)
debug_log("Exporting access rules from layer [" + layer + "]", True)
format_and_merge_data(data_dict, rulebase_rules)
debug_log("Exporting access sections from layer [" + layer + "]", True)
for rulebase_section in rulebase_sections:
debug_log("rulebase_sections contains: " +
(rulebase_section["name"] if "name" in
rulebase_section else "no-name section"))
format_and_merge_data(data_dict, rulebase_sections)
debug_log(
"Exporting placeholders for unexportable objects from layer [" +
layer + "]", True)
format_and_merge_unexportable_objects(data_dict, unexportable_objects)
debug_log("Exporting layer settings of layer [" + layer + "]", True)
format_and_merge_data(data_dict, [layer_settings])
debug_log("Done exporting layer '" + layer + "'.\n", True)
clean_objects(data_dict)
return data_dict, unexportable_objects