def run_check(self):
    """Report the fill level of the kernel tables 'connections' and 'fwx_cache'.

    For each table the limit is read from ``fw tab -t <table>``; an unlimited
    table passes immediately.  Otherwise the peak and current entry counts
    from ``fw tab -t <table> -s`` are compared against 90 % of the limit: a
    high peak is a WARN, a high current count a FAIL, anything else a PASS.
    Results are recorded through ``self.add_result``.
    """
    for table in ('connections', 'fwx_cache'):
        label = self.title + " [" + table + "]"
        out, err = func.execute_command("fw tab -t " + table + " | grep limit")
        fields = out.read().strip('\n').split(',')
        last = fields[-1]
        if last.strip(' ') == "unlimited":
            self.add_result(label, "PASS", "unlimited")
            continue
        limit = int(last.replace('limit ', '').strip(' '))
        out, err = func.execute_command("fw tab -t " + table + " -s | grep " + table)
        stats = out.read().strip('\n').split()
        # columns of the -s summary line: peak is the 5th, current the 4th
        peak = int(stats[4])
        current = int(stats[3])
        threshold = limit * 0.9
        flagged = False
        if peak > threshold:
            self.add_result(label, "WARN", "peak: " + str(peak) + "/" + str(limit))
            flagged = True
        if current > threshold:
            self.add_result(label, "FAIL", "current: " + str(current) + "/" + str(limit))
            flagged = True
        if not flagged:
            self.add_result(label, "PASS", str(current) + "/" + str(limit))
def check_blades(printRes=False):
    """Record which software blades ``fw stat -b AMW`` reports as enabled/disabled.

    Every ``blade: status`` line whose status mentions enable/disable (except
    the internal ``fileapp_ctx_enabled`` flag) is appended to the global
    ``results`` as an INFO entry.  When IPS is enabled, the profile names
    found under ``malware_profiles`` in ``$FWDIR/state/local/AMW/local.set``
    are recorded as well.

    Args:
        printRes: print the accumulated results at the end when True.
    """
    global results
    title = "Checking active Blades"
    logme.loader()
    out, err = func.execute_command("fw stat -b AMW")
    for line in out:
        logme.loader()
        if ":" not in line:
            continue
        parts = line.strip('\n').split(":")
        blade = parts[0].strip(' ')
        status = parts[1].strip(' ')
        lowered = status.lower()
        mentions_state = "enable" in lowered or "disable" in lowered
        if mentions_state and "fileapp_ctx_enabled" not in lowered:
            results.append([title + " (" + blade + ")", status, "INFO", "Blades"])
        if blade == "IPS" and "enable" in lowered:
            prof_out, prof_err = func.execute_command(
                'cat $FWDIR/state/local/AMW/local.set | grep -A15 malware_profiles | grep ":name" | awk "{print $2}" | tr -d "()"'
            )
            for entry in prof_out:
                results.append([
                    "Thread Prevention Policy",
                    entry.strip('\n').replace(':name ', ''),
                    "INFO",
                    "Blades",
                ])
    if printRes:
        print_results()
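def check_crash(printRes=False):
    """Look for crash dumps in /var/log/crash and /var/log/dump/usermode.

    Each directory is listed with ``ls -l``: an empty listing (``total 0``)
    yields a PASS, every entry mentioning ``admin`` yields a FAIL naming the
    file.  Results are appended to the global ``results``.  The two
    directories were previously handled by two copies of the same loop; they
    now share ``_check_crash_dir``.

    Args:
        printRes: print the accumulated results at the end when True.
    """
    global results
    title = "Checking crashes"
    for directory in ("/var/log/crash", "/var/log/dump/usermode"):
        _check_crash_dir(title, directory)
    if printRes:
        print_results()


def _check_crash_dir(title, directory):
    """Append PASS/FAIL entries for one crash directory to the global results."""
    logme.loader()
    out, err = func.execute_command("ls -l " + directory)
    for line in out:
        logme.loader()
        entry = line.strip('\n')
        if entry == 'total 0':
            results.append([title + " [" + directory + "]", "", "PASS", "Process"])
        if 'admin' in entry:
            # the last whitespace-separated column of ``ls -l`` is the file name
            results.append([title + " [" + directory + "]", entry.split()[-1], "FAIL", "Process"])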
def print_vpn():
    """Print a table of the gateway's site-to-site VPN tunnels.

    Tunnel rows come from the kernel table ``local_meta_sas``; the resolved
    peer link is looked up in ``resolved_link`` by the remote id.  Each row
    shows the tunnel id, the remote IP, the resolved link (0.0.0.0 when none
    is known) and the local/remote subnets.
    """
    sa_table = "local_meta_sas"
    logme.loader()
    out, err = func.execute_command("fw tab -t " + sa_table + " -u | awk 'NR>3 { print $0 }' | grep -v '\\->'")
    tunnels = []
    for line in out:
        logme.loader()
        fields = line.strip("\n").strip("<").strip(">").split(",")
        if len(fields) > 10:
            tunnels.append(fields)
    links = {}
    out, err = func.execute_command("fw tab -t resolved_link -u | awk 'NR>3 { print $0 }'")
    for line in out:
        logme.loader()
        record = line.strip("\n").strip("<").strip(">")
        remote_id = record.split(';')[0]
        columns = record.split(',')
        # first occurrence of a remote id wins
        if remote_id not in links and len(columns) > 10:
            links[remote_id] = columns[1].strip(' ')
    row_fmt = " %-8s %17s %17s %20s %20s"
    print(row_fmt % ("ID", "Remote IP", "Resolved Link", "Local Subnet", "Remote Subnet"))
    print(" " + "=" * 86)
    for entry in tunnels:
        tunnel_id = entry[10].strip(' ')
        remote_ip = func.hex2ip(entry[0])
        if entry[0] in links:
            remote_link = func.hex2ip(links[entry[0]])
        else:
            remote_link = "0.0.0.0"
        local_subnet = func.calc_subnet(func.hex2ip(entry[1]), func.hex2ip(entry[2]))
        remote_subnet = func.calc_subnet(func.hex2ip(entry[3]), func.hex2ip(entry[4]))
        print(row_fmt % (tunnel_id, remote_ip, remote_link, local_subnet, remote_subnet))
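def print_kernel(printRes=False, ktype="fw", search="", vorgabe=None):
    """Read kernel parameters with ``fw ctl get int`` and record them as results.

    The parameter names are taken from ``modinfo -p`` of the fw (``$FWDIR``)
    or sim (``$PPKDIR``) kernel module.  With an empty ``search`` all int
    parameters are read; otherwise the names in ``vorgabe`` (if any) or the
    ``search`` pattern narrow the list.  Each value is recorded as INFO; a
    value that differs from an expectation in ``vorgabe`` is recorded as WARN.

    Args:
        printRes: print the accumulated results at the end when True.
        ktype: "fw" for the firewall module, anything else for SecureXL (sim).
        search: grep pattern applied to the parameter names; "" means all.
        vorgabe: list of ``[name, expected_value]`` pairs (defaults to none);
            used as the name filter when ``search`` is set and as the
            expected values for the WARN decision.
    """
    global results
    if vorgabe is None:
        vorgabe = []
    title = "Kernel/" + ktype
    if ktype == "fw":
        module_glob = "$FWDIR/boot/modules/fw_kern*.o"
    else:
        module_glob = "$PPKDIR/boot/modules/sim_kern*.o"
    # every variant lists the int parameters and feeds them to fw ctl get int;
    # only the optional grep filter in the middle of the pipeline differs
    list_cmd = 'modinfo -p ' + module_glob + ' | sort -u | grep int | cut -d ":" -f1'
    read_cmd = ' | xargs -n1 fw ctl get int'
    # NOTE: search and the vorgabe names are spliced into the shell pipeline
    # unquoted; callers must pass trusted, shell-safe grep patterns
    if search == "":
        name_filter = ""
    elif len(vorgabe) > 0:
        name_filter = ' | grep -E "(' + "|".join(entry[0] for entry in vorgabe) + ')"'
    else:
        name_filter = ' | grep ' + search
    out, err = func.execute_command(list_cmd + name_filter + read_cmd)
    for line in out:
        logme.loader()
        raw = line.strip('\n').split('=')
        if len(raw) < 2:
            continue
        field = raw[0].strip(' ')
        val = raw[1].strip(' ')
        # WARN when any expectation recorded for this parameter differs from the live value
        mismatch = any(entry[0] == field and str(entry[1]) != str(val) for entry in vorgabe)
        state = "WARN" if mismatch else "INFO"
        results.append([title + " (" + str(field) + ")", str(val), str(state), "Kernel"])
    if printRes:
        print_results()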
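def check_securexl(printRes=False):
    """Record SecureXL instance status, template status and acceleration ratios.

    ``fwaccel stat`` supplies one line per instance (PASS when enabled, WARN
    otherwise).  If at least one instance is enabled, the template lines of
    ``fwaccel stat`` and the percentages of ``fwaccel stats -s`` are checked:
    fewer than 30 % accelerated connections or 50 % accelerated packets is a
    WARN, more than 40 % F2Fed traffic is a FAIL.  Lines without a parseable
    ``<count> (<percent>%)`` value are skipped instead of aborting the check.

    Args:
        printRes: print the accumulated results at the end when True.
    """
    global results
    title = "SecureXL"
    any_enabled = False
    out, err = func.execute_command("fwaccel stat | grep -v Template")
    for line in out:
        cols = line.strip('\n').split('|')
        if len(cols) < 4:
            continue
        instance = cols[1].replace(" ", "")
        # skip separator and header rows
        if instance == "" or instance == "Id":
            continue
        name = cols[2].replace(" ", "")
        status = cols[3].replace(" ", "")
        if status == "enabled":
            state = "PASS"
            any_enabled = True
        else:
            state = "WARN"
        results.append([title + " (Instance: " + instance + ", Name: " + name + ", Status: " + status + ")", "", state, "SecureXL"])
    if any_enabled:
        out, err = func.execute_command("fwaccel stat| grep Templates | sed s/\\ \\ */\\/g| sed s/Templates//g")
        for line in out:
            cols = line.strip('\n').split(":")
            if len(cols) < 2:
                continue
            state = "FAIL"
            if "disabled" in cols[1]:
                state = "WARN"
            if "enabled" in cols[1]:
                state = "PASS"
            results.append([title + " (" + cols[0] + " Templates)", cols[1], state, "SecureXL"])
        out, err = func.execute_command("fwaccel stats -s | sed 's/ */ /g' | sed 's/\t/ /g'")
        for line in out:
            cols = line.strip('\n').split(":")
            if len(cols) < 2:
                continue
            field = cols[0].strip(' ')
            value_parts = cols[1].strip(' ').split(" ")
            # expect "<count> (<percent>%)"; lines without the percent column
            # previously raised IndexError/ValueError and aborted the check
            if len(value_parts) < 2:
                continue
            try:
                percent = int(str(value_parts[1]).replace('(', '').replace(')', '').replace('%', ''))
            except ValueError:
                continue
            count = value_parts[0]
            state = "PASS"
            if "Accelerated conns" in field and percent < 30:
                state = "WARN"
            if "Accelerated pkts" in field and percent < 50:
                state = "WARN"
            if "F2Fed" in field and percent > 40:
                state = "FAIL"
            results.append([title + " (" + field + ")", count + "(" + str(percent) + "%)", state, "SecureXL"])
    if printRes:
        print_results()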
def check_multiq(printRes=False):
    """Record Multi-Queue availability and enablement per interface.

    Uses ``mq_mng --show -a`` on R80.40 and ``cpmq get -a`` otherwise.  When
    the tool reports no Multi-Queue support, availability is WARN and
    enablement INFO; otherwise the interfaces listed under "Active igb/ixgbe"
    are collected, and those marked ``[On]`` turn both entries to PASS.

    Args:
        printRes: print the accumulated results at the end when True.
    """
    global results
    title = "Multi Queue"
    if func.fwVersion == "R80.40":
        out, err = func.execute_command("mq_mng --show -a")
    else:
        out, err = func.execute_command("cpmq get -a")
    enabled_state = "FAIL"
    possible_state = "FAIL"
    enabled_detail = ""
    possible_detail = ""
    stdout_text = out.read()
    stderr_text = err.read()
    unsupported = ("NO MULTIQUEUE SUPPORTED" in stdout_text.upper()
                   or "NO MULTIQUEUE SUPPORTED" in stderr_text.upper())
    if unsupported:
        possible_state = "WARN"
        possible_detail = "No IGBx interfaces"
        enabled_state = "INFO"
        enabled_detail = "not possible"
    else:
        collecting = False
        available = ""
        switched_on = ""
        for line in stdout_text.split('\n'):
            if "Active igb" in line or "Active ixgbe" in line:
                enabled_state = "WARN"
                possible_state = "INFO"
                collecting = True
            if "[On]" in line:
                enabled_state = "PASS"
                possible_state = "PASS"
                if switched_on != "":
                    switched_on += ", "
                switched_on += line.split(" ")[0]
            # an empty line ends the interface block
            if line == "":
                collecting = False
            if collecting and "ACTIVE" not in line.upper():
                if available != "":
                    available += ", "
                available += line.split(" ")[0]
        possible_detail = available
        enabled_detail = switched_on if switched_on != "" else "none"
    results.append([title + " (Available Interfaces)", possible_detail, possible_state, "Firewall"])
    results.append([title + " (Enabled Interfaces)", enabled_detail, enabled_state, "Firewall"])
    if printRes:
        print_results()
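def modify_access_rule(alname, ruid, mod):
    """Apply ``mod`` to an access rule through ``mgmt_cli set access-rule``.

    Runs in the current API session (``sessionid``) and marks the session as
    modified so ``api_logout`` publishes the change.  The layer name and the
    rule uid are single-quoted for the shell; ``mod`` is passed through
    verbatim because it is a ready-made fragment of mgmt_cli arguments.

    Args:
        alname: name of the access layer containing the rule.
        ruid: uid of the rule to change.
        mod: extra ``mgmt_cli set access-rule`` arguments to apply.
    """
    global modified
    api_checklogin()
    # POSIX single-quoting of the caller-supplied values: an embedded ' is
    # closed, escaped and reopened, so spaces or quotes in a layer name can
    # neither break the command nor be interpreted by the shell
    layer = "'" + alname.replace("'", "'\\''") + "'"
    uid = "'" + ruid.replace("'", "'\\''") + "'"
    out, err = func.execute_command(
        "mgmt_cli -s " + sessionid + " set access-rule uid " + uid
        + " layer " + layer + " " + mod + " --format json", True)
    modified = True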
def run_check(self):
    """Record the update status of the URL Filtering, AntiBot, AntiVirus and
    Application Control blades via ``cpstat -f update_status``.

    AntiBot and AntiVirus share the ``antimalware`` query and are read from
    its first and second output line.  "up-to-date" is a PASS, "-" or an
    empty status means the blade is not active (INFO), anything else FAIL.
    """
    blades = [
        ["URL Filtering", "urlf", 0],
        ["AntiBot", "antimalware", 0],
        ["AntiVirus", "antimalware", 1],
        ["Application Control", "appi", 0],
    ]
    previous_cmd = ""
    for name, flag, row in blades:
        cmd = "cpstat -f update_status " + flag + " | grep 'Update status'"
        if cmd != previous_cmd:
            out, err = func.execute_command(cmd)
            previous_cmd = cmd
        # NOTE: out.read() runs for every blade, also when the command was not
        # re-run — this relies on execute_command returning a stream that can
        # be read more than once; confirm against func.execute_command
        lines = out.read().split('\n')
        status = lines[row].split(':')[1].strip(' ').strip('\n')
        if status == "up-to-date":
            state, detail = "PASS", "up-to-date"
        elif status == "-" or status == "":
            state, detail = "INFO", "not active"
        else:
            state, detail = "FAIL", ""
        self.add_result(self.title + " (" + name + ")", state, detail)
def mgmt_api_fetcher(cmd, loopobj=""):
    """Run a ``mgmt_cli -r true`` command and return its JSON result.

    With ``loopobj`` set, the command is paged 50 objects at a time
    (``limit``/``offset``) until the response's ``to`` reaches ``total`` (or
    no ``to`` is present), and the entries of ``data[loopobj]`` from all pages
    are returned as one list.  Without it the parsed JSON of the single call
    is returned.

    Args:
        cmd: the mgmt_cli command and arguments, without ``-r true``/format.
        loopobj: key of the list to collect across pages, or "" for no paging.
    """
    collected = []
    logme.loader()
    offset = 0
    while True:
        logme.loader()
        pager = " limit 50 offset " + str(offset) if loopobj != "" else ""
        out, err = func.execute_command("mgmt_cli -r true " + cmd + pager + " --format json")
        logme.loader()
        data = json.load(out)
        if loopobj == "":
            return data
        for obj in data[loopobj]:
            logme.loader()
            collected.append(obj)
        if 'to' not in data or data['to'] >= data['total']:
            break
        offset = data['to']
    return collected
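def delete_access_rule(alname, ruid):
    """Delete an access rule through ``mgmt_cli delete access-rule``.

    Runs in the current API session (``sessionid``) and marks the session as
    modified so ``api_logout`` publishes the change.  The layer name and the
    rule uid are single-quoted for the shell; the layer name used to be
    passed bare, so names containing spaces produced a broken command.

    Args:
        alname: name of the access layer containing the rule.
        ruid: uid of the rule to delete.
    """
    global modified
    api_checklogin()
    # POSIX single-quoting of the caller-supplied values: an embedded ' is
    # closed, escaped and reopened, so spaces or quotes in a layer name can
    # neither break the command nor be interpreted by the shell
    layer = "'" + alname.replace("'", "'\\''") + "'"
    uid = "'" + ruid.replace("'", "'\\''") + "'"
    out, err = func.execute_command(
        "mgmt_cli -s " + sessionid + " delete access-rule uid " + uid
        + " layer " + layer, True)
    modified = True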
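def mgmt_check_malware_classification(printRes=False):
    """Check the resource classification mode of the Threat Prevention services.

    Reads the ``resource_classification_mode`` section of
    ``$FWDIR/conf/malware_config`` and records one result per service: DNS is
    expected to classify in the background, HTTP/SMB/SMTP/FTP by policy; any
    other setting is a WARN.

    Args:
        printRes: print the accumulated results at the end when True.
    """
    global results
    title = "Check Malware Classification Config"
    # $FWDIR resolves to the installed suite directory (the fw1 directory of the
    # running release), so the check no longer depends on one hard-coded
    # release path such as /opt/CPsuite-R80.30/fw1
    out, err = func.execute_command(
        'cat $FWDIR/conf/malware_config | grep -A 5 "resource_classification_mode"'
    )
    policy_services = ("http", "smb", "smtp", "ftp")
    for line in out:
        if "=" not in line:
            continue
        key_value = line.strip('\n').strip(' ').split('=')
        service = key_value[0]
        action = "background" if key_value[1] == "bg" else key_value[1]
        state = "WARN"
        if service == "dns" and action == "background":
            state = "PASS"
        if service in policy_services and action == "policy":
            state = "PASS"
        results.append([title + " [Service: " + service + "]", action, state, "Threat Prevention"])
    if printRes:
        print_results()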
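def check_clusterxl_release(printRes=False):
    """Compare the software release of all ClusterXL members.

    Parses ``cphaprob release``: after the ``ID`` header, each member line ends
    with its release; a member flagged ``Mismatch`` is recorded as WARN, the
    others as INFO.  The state is decided per member line — previously a
    mismatch on one member left the state at WARN for every member listed
    after it.

    Args:
        printRes: print the accumulated results at the end when True.
    """
    global results
    title = "Checking ClusterXL Multiversion"
    in_table = False
    out, err = func.execute_command("cphaprob release")
    for line in out:
        text = line.strip('\n')
        if in_table and text != "":
            cols = text.split()
            if "Mismatch" in cols[-1]:
                detail = cols[-3] + " " + cols[-2] + " " + cols[-1]
                state = "WARN"
            else:
                detail = cols[-2] + " " + cols[-1]
                state = "INFO"
            # whatever precedes the release columns is the member id
            member_id = text.replace(detail, '').strip(' ')
            results.append([title + " [ID: " + member_id + "]", detail, state, "ClusterXL"])
        if "ID" in text:
            in_table = True
    if printRes:
        print_results()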
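def fetch_all_objects():
    """Populate the global ``hosts`` and ``networks`` lists from the management API.

    Each object type is fetched through ``mgmt_cli -r true show <type>`` in
    pages of 50 until ``to`` reaches ``total``.  A type whose list is already
    filled is skipped; previously the ``hosts`` case used ``break``, which
    also skipped fetching ``networks``.  Both lists are printed at the end.
    """
    global hosts
    global networks
    for kind, bucket in (('hosts', hosts), ('networks', networks)):
        if len(bucket) > 0:
            continue
        offset = 0
        while True:
            out, err = func.execute_command("mgmt_cli -r true show " + kind + " limit 50 offset " + str(offset) + " --format json")
            data = json.load(out)
            # bucket is the global list itself, so extend() fills it in place
            bucket.extend(data['objects'])
            if data['to'] >= data['total']:
                break
            offset = data['to']
    print(hosts)
    print(networks)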
def check_log_system(printRes=False):
    """Count error-like messages in the system and Check Point log files.

    For each log the lines matching the include pattern (minus the excluded
    ones) are counted with grep; a count other than 0 is a FAIL naming the
    number of messages.  Gateway-only and management-only logs are added
    according to ``func.isFirewall``/``func.isManagement``.

    Args:
        printRes: print the accumulated results at the end when True.
    """
    global results
    logme.loader()
    fwdir = func.get_path("FWDIR")
    cpdir = func.get_path("CPDIR")
    title = "Checking logs"
    # each entry: [file or glob, include pattern, exclude pattern]
    logfiles = [
        ["/var/log/messages*", "fail|error", "xpand|failover"],
        [cpdir + "/log/cpd.elg", "fail|error", "PROVIDER-1|PA_status"],
    ]
    if func.isFirewall():
        logfiles += [
            ["/var/log/routed.log", "fail|error", "xpand|failover"],
            [fwdir + "/log/fwd.elg", "failed", "discntd"],
        ]
    if func.isManagement():
        logfiles.append([fwdir + "/log/fwm.elg", "failed", "none"])
    for path, include, exclude in logfiles:
        logme.loader()
        out, err = func.execute_command('cat ' + path + ' | grep -viE "(' + exclude + ')" | grep -icE "(' + include + ')"')
        count = out.read().strip('\n')
        if count != "0":
            state, detail = "FAIL", count + " messages"
        else:
            state, detail = "PASS", ""
        results.append([title + " (" + path + ")", detail, state, "Log Files"])
    if printRes:
        print_results()
def check_clusterxl_pnote(printRes=False):
    """Record the state of every ClusterXL problem notification (pnote).

    Reads the "Problem Notification table" block of ``cpstat ha -f all``;
    each ``| name | status |`` row is a PASS when the status is OK and a
    FAIL (with the status as detail) otherwise.

    Args:
        printRes: print the accumulated results at the end when True.
    """
    global results
    title = "Checking ClusterXL PNotes"
    logme.loader()
    out, err = func.execute_command("cpstat ha -f all")
    in_table = False
    for line in out:
        # a blank line ends the table block
        if line.strip(" ").strip('\n') == "":
            in_table = False
        is_row = "|" in line and "Descr" not in line and "-----" not in line
        if in_table and is_row:
            cells = line.split('|')
            pnote = cells[1].strip(' ')
            status = cells[2].strip(' ')
            if status == "OK":
                state, detail = "PASS", ""
            else:
                state, detail = "FAIL", status
            results.append([title + " [" + pnote + "]", detail, state, "ClusterXL"])
        if "Problem Notification table" in line:
            in_table = True
    if printRes:
        print_results()
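def check_licensing(printRes=False):
    """Record the entitlement status of every licensed blade.

    Parses the ``|``-separated rows of ``cpstat os -f licensing``: Entitled is
    a PASS, Not Entitled an INFO, Expired with no active instances a WARN,
    everything else a FAIL.  Rows with fewer columns than the parser indexes
    are skipped instead of aborting the check with an IndexError.

    Args:
        printRes: print the accumulated results at the end when True.
    """
    global results
    title = "Checking licensing"
    logme.loader()
    out, err = func.execute_command(
        "cpstat os -f licensing | grep '|' | awk 'NR>1 {print $0}'")
    for line in out:
        logme.loader()
        cols = line.strip('\n').split('|')
        # the original parser read columns up to index 8 (blade, status,
        # expiration, active, quota, used); shorter rows are malformed
        if len(cols) < 9:
            continue
        blade = cols[2].strip(" ")
        status = cols[3].strip(" ")
        active = cols[6].strip(" ")
        if status == "Entitled":
            state = "PASS"
        elif status == "Not Entitled":
            state = "INFO"
        elif status == "Expired" and active == "0":
            state = "WARN"
        else:
            state = "FAIL"
        results.append([title + " (Blade: " + blade + ")", status, state, "Licensing"])
    if printRes:
        print_results()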
def check_multik_stat(printRes=False):
    """Check whether connections are balanced across the CoreXL instances.

    Collects per-instance connection and peak counts from ``fw ctl multik
    stat`` and records a WARN ("check CoreXL balancing") when any instance
    carries more than 1.5x the connections or 1.3x the peak of another.

    Args:
        printRes: print the accumulated results at the end when True.
    """
    global results
    title = "Checking CoreXL connections"
    logme.loader()
    instances = []
    out, err = func.execute_command("fw ctl multik stat")
    for line in out:
        # skip the header and the separator rows
        if "ID" in line or "-----" in line:
            continue
        cells = line.split('|')
        instances.append([
            cells[1].strip(' '),
            int(cells[2]),
            int(cells[3]),
            int(cells[4]),
        ])
    # entries are [active, cpu, conns, peak]; compare every pair
    unbalanced = any(
        a[2] > b[2] * 1.5 or a[3] > b[3] * 1.3
        for a in instances
        for b in instances
    )
    if unbalanced:
        state, detail = "WARN", "check CoreXL balancing"
    else:
        state, detail = "PASS", ""
    results.append([title, detail, state, "CoreXL"])
    if printRes:
        print_results()
def check_blade_update(printRes=False):
    """Record the update status of the URL Filtering, AntiBot, AntiVirus and
    Application Control blades.

    Uses ``cpstat -f update_status <blade>``; AntiBot and AntiVirus share the
    ``antimalware`` query and are read from its first and second output line.
    "up-to-date" is a PASS, "-" or an empty status INFO ("not active"),
    anything else FAIL.

    Args:
        printRes: print the accumulated results at the end when True.
    """
    global results
    title = "Check blade update status"
    blades = [
        ["URL Filtering", "urlf", 0],
        ["AntiBot", "antimalware", 0],
        ["AntiVirus", "antimalware", 1],
        ["Application Control", "appi", 0],
    ]
    previous_cmd = ""
    for name, flag, row in blades:
        logme.loader()
        cmd = "cpstat -f update_status " + flag + " | grep 'Update status'"
        if cmd != previous_cmd:
            out, err = func.execute_command(cmd)
            previous_cmd = cmd
        # NOTE: out.read() runs for every blade, also when the command was not
        # re-run — this relies on execute_command returning a stream that can
        # be read more than once; confirm against func.execute_command
        lines = out.read().split('\n')
        status = lines[row].split(':')[1].strip(' ').strip('\n')
        if status == "up-to-date":
            state, detail = "PASS", "up-to-date"
        elif status == "-" or status == "":
            state, detail = "INFO", "not active"
        else:
            state, detail = "FAIL", ""
        results.append([title + " (" + name + ")", detail, state, "Updates"])
    if printRes:
        print_results()
def run(self):
    """Run the check if the class is supported and return its results.

    On first use the check's command is executed (``func.execute_command``
    for shell commands, ``eval`` otherwise) and stdout/stderr are cached in
    ``commandOut``/``commandErr`` with empty entries removed, then
    ``run_check`` is invoked.  Returns ``self.results`` on success and the
    (false) ``self.supported`` flag when the check does not apply.
    """
    if not self.supported:
        return self.supported
    self.debug(2, 'Class is supported, running check..')
    if self.commandOut == "":
        if self.isCommand:
            out, err = func.execute_command(self.command)
            self.commandOut = out.read().split('\n')
            self.commandErr = err.read().split('\n')
        else:
            # NOTE: self.command is evaluated as Python source; it must only
            # ever come from this tool's own check definitions, never from
            # external input
            self.commandOut = eval(self.command)
    separator = '-----------------------------'
    if isinstance(self.commandOut, list):
        self.commandOut = list(filter(None, self.commandOut))
        self.debug(4, separator)
        self.debug(4, 'commandOut:')
        for item in self.commandOut:
            self.debug(5, str(item))
        self.debug(4, separator)
    if isinstance(self.commandErr, list):
        self.commandErr = list(filter(None, self.commandErr))
        self.debug(5, 'commandErr:')
        for item in self.commandErr:
            self.debug(5, str(item))
        self.debug(5, separator)
    self.run_check()
    return self.results
def mgmt_fetch_uid_firewall_properties():
    """Return the uid of the ``firewall_properties`` generic object via mgmt_cli."""
    logme.loader()
    out, err = func.execute_command(
        'mgmt_cli show-generic-objects name "firewall_properties" -r true -f json'
    )
    first_object = json.load(out)['objects'][0]
    return first_object['uid']
def check_clusterxl_state(printRes=False):
    """Record the HA state of the ClusterXL members.

    On a cluster member the two state lines of ``cphaprob state`` are reduced
    to ``<node> <state>``; ACTIVE and STANDBY are PASS, anything else FAIL.
    A non-cluster system gets a single PASS entry.

    Args:
        printRes: print the accumulated results at the end when True.
    """
    global results
    title = "Checking ClusterXL state"
    logme.loader()
    if not func.isCluster():
        results.append([title, "not cluster member!", "PASS", "ClusterXL"])
    else:
        out, err = func.execute_command(
            "cphaprob state | head -n 7 | tail -n 2 | sed 's/(local)//g' | awk '{ print $5,$4 }'"
        )
        healthy = ("ACTIVE", "STANDBY")
        for line in out:
            parts = line.strip('\n').split(" ")
            node = parts[0]
            ha_state = parts[1]
            state = "PASS" if ha_state in healthy else "FAIL"
            results.append([title + " (" + node + ")", ha_state, state, "ClusterXL"])
    if printRes:
        print_results()
def api_logout():
    """Close the management API session, publishing pending changes first.

    Does nothing when no session is open.  Uses the global ``sessionid`` and
    clears ``loggedin`` afterwards.
    """
    global loggedin
    global modified
    if not loggedin:
        return
    if modified:
        api_publish()
    out, err = func.execute_command('mgmt_cli logout -s ' + sessionid)
    loggedin = False
def fwkern_get_ifaces():
    """Collect the local IPv4 addresses from ``ifconfig`` into the global ``local_ips``."""
    global local_ips
    out, err = func.execute_command("ifconfig | grep 'inet addr'")
    # "inet addr:<ip> ..." -> first token after dropping the label
    addresses = [line.replace('inet addr:', '').split()[0] for line in out]
    local_ips = addresses
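def check_memory(printRes=False):
    """Record average and peak RAM usage and the swap usage ratio.

    RAM figures come from the ``UM_STAT_UM_MEMORY`` table (max real_total,
    avg/max real_used) and are reported as whole percentages: an average above
    70 % is a WARN, above 90 % a FAIL; a peak above 80 % is a WARN.  Swap is
    read from ``free -g`` (used and free columns); any usage is a WARN.
    Empty statistics or a zero denominator are reported as 0 % instead of
    raising, and every cursor is closed.

    Args:
        printRes: print the accumulated results at the end when True.
    """
    global results
    title = "Checking memory usage"

    def _scalar(query):
        """Return the first column of the query's last row; 0 when there is none."""
        value = 0
        cursor = func.execute_sqlite_query(query)
        try:
            for row in cursor:
                logme.loader()
                value = row[0]
        finally:
            cursor.close()
        # sqlite aggregates over an empty table yield NULL
        return value if value is not None else 0

    def _percent(part, whole):
        """Truncated whole-number percentage of part in whole; 0 when whole is 0."""
        return int(part / whole * 100) if whole else 0

    mem_total = _scalar("select max(real_total) from UM_STAT_UM_MEMORY;")
    mem_avg = _scalar("select avg(real_used) from UM_STAT_UM_MEMORY;")
    mem_peak = _scalar("select max(real_used) from UM_STAT_UM_MEMORY;")
    mem_avg_used = _percent(mem_avg, mem_total)
    mem_peak_used = _percent(mem_peak, mem_total)
    if mem_avg_used > 90:
        state = "FAIL"
    elif mem_avg_used > 70:
        state = "WARN"
    else:
        state = "PASS"
    results.append([title + " (average)", str(mem_avg_used) + "%", state, "Memory"])
    state = "WARN" if mem_peak_used > 80 else "PASS"
    results.append([title + " (peak)", str(mem_peak_used) + "%", state, "Memory"])
    out, err = func.execute_command("free -g | grep -i swap | awk '{print $3,$4}'")
    swap = out.read().strip('\n').split(" ")
    used = int(swap[0])
    avail = int(swap[1])
    # the metric is used/free; a free value of 0 (no swap configured, or swap
    # exhausted) used to raise ZeroDivisionError — report 0 % when nothing is
    # used and 100 % when swap is exhausted
    if avail == 0:
        percent = "0" if used == 0 else "100"
    else:
        percent = str(int(used / avail * 100))
    state = "PASS" if percent == "0" else "WARN"
    results.append([title + " (swap)", percent + "%", state, "Memory"])
    if printRes:
        print_results()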
def fetch_all_access_layer():
    """Fill the global ``layers`` with ``[uid, name]`` of every access layer (once)."""
    global layers
    if len(layers) >= 1:
        return
    out, err = func.execute_command('mgmt_cli -r true show access-layers --format json')
    data = json.load(out)
    layers.extend(
        [layer['uid'], layer['name']]
        for layer in data['access-layers']
        if layer['type'] == "access-layer"
    )
def mgmt_check_ica_certs(kind='SIC', printRes=False):
    """Check the expiry of the ICA certificates of the given kind.

    Parses ``cpca_client lscert -kind <kind>``: per subject a non-revoked
    certificate is kept (for a subject seen before, only a Valid one) with its
    status, kind, serial and validity dates.  A certificate expiring within
    12 weeks is a WARN, within 4 weeks a FAIL.

    Args:
        kind: certificate kind passed to ``cpca_client lscert -kind``.
        printRes: print the accumulated results at the end when True.
    """
    global results
    logme.loader()
    title = "Checking ICA/" + kind + " Certs"
    certs = {}
    keep = True
    out, err = func.execute_command("cpca_client lscert -kind " + kind)
    for line in out:
        logme.loader()
        text = line.replace(" = ", "=")
        if "Subject" in text:
            subject = text.strip('\n').replace('Subject=', '')
        if "Kind" in text:
            tokens = text.strip('\n').split()
            status = tokens[0].replace('Status=', '')
            cert_kind = tokens[1].replace('Kind=', '')
            serial = tokens[2].replace('Serial=', '')
            keep = "Revoked" not in text
            # a subject already recorded is only replaced by a Valid certificate
            if subject in certs:
                keep = "Valid" in status
        if "Not_Before" in text:
            dates = text.strip('\n').split('_')
            valid_from = dates[1].replace('Before: ', '').replace('Not', '').strip(' ')
            valid_to = dates[2].replace('After: ', '').strip(' ')
            if keep:
                certs[subject] = {
                    "status": status,
                    "kind": cert_kind,
                    "serial": serial,
                    "valid_from": valid_from,
                    "valid_to": valid_to,
                }
    warn_before = datetime.datetime.now() + datetime.timedelta(weeks=+12)
    fail_before = datetime.datetime.now() + datetime.timedelta(weeks=+4)
    for subject, info in certs.items():
        expiry = datetime.datetime.strptime(info['valid_to'], '%a %b %d %H:%M:%S %Y')
        if fail_before > expiry:
            state = "FAIL"
        elif warn_before > expiry:
            state = "WARN"
        else:
            state = "PASS"
        results.append([title + " [" + subject[:21] + "]", info['valid_to'], state, "Certificates"])
    if printRes:
        print_results()
def mgmt_check_vpn_prop_s2s(table1, table2, fname):
    """Check the IKE phase 1/2 proposals of every object listed by ``table1``.

    Each object's details are fetched with ``table2 uid <uid>`` and judged by
    ``mgmt_check_vpn_prop_s2s_item``; the verdict is recorded under
    "VPN-<fname> Proposals".

    Args:
        table1: mgmt_cli command listing the objects.
        table2: mgmt_cli command showing one object by uid.
        fname: label used in the result title.
    """
    global results
    logme.loader()
    title = "VPN-" + fname + " Proposals"
    out, err = func.execute_command('mgmt_cli -r true ' + table1 + ' -f json')
    listing = json.load(out)
    for obj in listing['objects']:
        logme.loader()
        detail_out, detail_err = func.execute_command('mgmt_cli -r true ' + table2 + ' uid ' + obj['uid'] + ' -f json')
        community = json.load(detail_out)
        logme.loader()
        detail, state = mgmt_check_vpn_prop_s2s_item(community['ike-phase-1'], community['ike-phase-2'])
        results.append([title + " [" + community['name'] + "]", detail, state, "VPN Communities"])
    logme.loader()
def check_table_overflow(printRes=False):
    """Record the fill level of the kernel tables 'connections' and 'fwx_cache'.

    For each table the limit is read from ``fw tab -t <table>``; an unlimited
    table passes immediately.  Otherwise the peak and current entry counts
    from ``fw tab -t <table> -s`` are compared against 90 % of the limit: a
    high peak is a WARN, a high current count a FAIL, anything else a PASS.

    Args:
        printRes: print the accumulated results at the end when True.
    """
    global results
    title = "Check kernel table overflow"
    logme.loader()
    for table in ('connections', 'fwx_cache'):
        logme.loader()
        label = title + " [" + table + "]"
        out, err = func.execute_command("fw tab -t " + table + " | grep limit")
        fields = out.read().strip('\n').split(',')
        last = fields[-1]
        if last.strip(' ') == "unlimited":
            results.append([label, "unlimited", "PASS", "Firewall"])
            continue
        logme.loader()
        limit = int(last.replace('limit ', '').strip(' '))
        out, err = func.execute_command("fw tab -t " + table + " -s | grep " + table)
        stats = out.read().strip('\n').split()
        # columns of the -s summary line: peak is the 5th, current the 4th
        peak = int(stats[4])
        current = int(stats[3])
        threshold = limit * 0.9
        flagged = False
        if peak > threshold:
            results.append([label, "peak: " + str(peak) + "/" + str(limit), "WARN", "Firewall"])
            flagged = True
        if current > threshold:
            results.append([label, "current: " + str(current) + "/" + str(limit), "FAIL", "Firewall"])
            flagged = True
        if not flagged:
            results.append([label, str(current) + "/" + str(limit), "PASS", "Firewall"])
    if printRes:
        print_results()
def mgmt_fetch_firewall_properties():
    """Return the global ``config`` with the ``firewall_properties`` object cached in it.

    The object is fetched once through ``mgmt_cli show generic-object`` using
    the uid from ``mgmt_fetch_uid_firewall_properties``; later calls return
    the cached copy without contacting the API.
    """
    global config
    logme.loader()
    if 'firewall_properties' in config:
        return config
    uid = mgmt_fetch_uid_firewall_properties()
    logme.loader()
    out, err = func.execute_command('mgmt_cli show generic-object uid "' + uid + '" -r true -f json')
    config['firewall_properties'] = json.load(out)
    return config