def testTCPService(self): result = TCPService.create('api-tcpservice', 5000, 5005, comment='blahcomment') self.assertTrue(result.href.startswith('http')) service = TCPService('api-tcpservice') self.assertEqual(service.min_dst_port, 5000) self.assertEqual(service.max_dst_port, 5005) service.delete()
def testTCPServiceGroup(self): tcp = TCPService.create('api-tcp', 5000) self.assertTrue(tcp.href.startswith('http')) tcp2 = TCPService.create('api-tcp2', 5001) self.assertTrue(tcp2.href.startswith('http')) result = TCPServiceGroup.create('api-tcpservicegroup', members=[tcp.href, tcp2.href]) self.assertTrue(result.href.startswith('http')) group = TCPServiceGroup('api-tcpservicegroup') self.assertIn(tcp.href, group.element) self.assertIn(tcp2.href, group.element) group.delete() tcp.delete() tcp2.delete()
def testServiceGroup(self): """ Test service group creation """ result = TCPService.create('api-tcp', 5000) self.assertTrue(result.href.startswith('http')) result = UDPService.create('api-udp', 5001) self.assertTrue(result.href.startswith('http')) tcp = TCPService('api-tcp') udp = UDPService('api-udp') result = ServiceGroup.create('api-servicegroup', members=[tcp.href, udp.href], comment='test') self.assertTrue(result.href.startswith('http')) group = ServiceGroup('api-servicegroup') # Href in service group self.assertIn(tcp.href, group.element) self.assertIn(udp.href, group.element) group.delete() tcp.delete() udp.delete()
session.login(url=SMC_URL, api_key=API_KEY, verify=False, timeout=120, api_version=API_VERSION) print("session OK") try: # check for all engines engine_list = list(Engine.objects.all()) # Create a match_expression me = MatchExpression.create(name='mymatch', service=ApplicationSituation('FTP'), service_ports=TCPService('Any TCP Service')) # Get Name for first match_expression name = MatchExpression.objects.iterator().first().name # Get by name print("Retrieve {} by name..".format(name)) match_expression = MatchExpression.get(name) print("match_expression={}".format(match_expression)) # Get by filter print("Retrieve {} by filter..".format(name)) it = MatchExpression.objects.iterator() query1 = it.filter(name) if query1.exists(): print("match_expression={}".format(list(query1.all())))
def add_policy(self): """ If a client AMI was specified when building a new VPC, this will add rules to allow inbound access to the AMI. This could be extended to more generically support VPN rules. """ if not self.firewall_policy: self.firewall_policy = 'AWS_Default' # Policy not specified, use the default, or check if hidden setting was specified try: FirewallPolicy.create(name='AWS_Default', template='Firewall Inspection Template') except CreatePolicyFailed: pass # Already exists policy = FirewallPolicy(self.firewall_policy) # Create the access rule for the network options = LogOptions() options.log_accounting_info_mode = True options.log_level = 'stored' options.application_logging = 'enforced' options.user_logging = 'enforced' action = Action() action.deep_inspection = True action.file_filtering = False outbound_rule = policy.search_rule('AWS outbound access rule') if not outbound_rule: # Generic outbound access rule policy.fw_ipv4_access_rules.create( name='AWS outbound access rule', sources=[Alias('$$ Interface ID 1.net')], destinations='any', services='any', action=action, log_options=options) if self.aws_ami_ip and self.nat_ports: dest_port = self.nat_ports.get('dest_port') redirect_port = self.nat_ports.get('redirect_port') services = list( TCPService.objects.filter(dest_port)) # @UndefinedVariable # Ignore services with protocol agents so we skip SSM service = next( ([service] for service in services if not service.protocol_agent), []) if not service: service = [ TCPService.create(name='aws_tcp{}'.format(dest_port), min_dst_port=dest_port) ] # Create the access rule for the client policy.fw_ipv4_access_rules.create( name=self.name, sources='any', destinations=[Alias('$$ Interface ID 0.ip')], services=service, action='allow', log_options=options) policy.fw_ipv4_nat_rules.create( name=self.name, sources='any', destinations=[Alias('$$ Interface ID 0.ip')], services=service, static_dst_nat=self.aws_ami_ip, static_dst_nat_ports=(dest_port, redirect_port), used_on=self.engine.href)
session.login(url=URLSMC, api_key=APIKEYSMC, verify=False, timeout=120) except BaseException as exception_retournee: sys.exit(-1) print("session OK") # Create a Sub Policy p = FirewallSubPolicy() p.create("mySubPolicy1") # add rule to a Sub Policy p = FirewallSubPolicy('mySubPolicy1') p.fw_ipv4_access_rules.create(name='newule', sources='any', destinations='any', services=[TCPService('SSH')], action='discard') print(list(FirewallSubPolicy.objects.all())) # Create a IPv6 Sub Policy p = FirewallIPv6SubPolicy() p.create("myIPv6SubPolicy1") # add rule to a IPv6 Sub Policy p = FirewallIPv6SubPolicy('myIPv6SubPolicy1') p.fw_ipv6_access_rules.create(name='newule', sources='any', destinations='any', services=[TCPService('SSH')], action='discard')
list_vpn = [] for vpn in vpns: print(vpn) list_vpn.append(vpn.href) sourceVpn = SourceVpn() sourceVpn.match_type = "normal" sourceVpn.match_vpns = list_vpn # add rule to a Policy p = FirewallPolicy("myPolicy1") p.fw_ipv4_access_rules.create( name="newule", sources="any", destinations="any", services=[TCPService("SSH")], action="discard", match_vpn_options=sourceVpn, ) # add rule without match_vpn_options to a Policy p.fw_ipv4_access_rules.create( name="newule", sources="any", destinations="any", services=[TCPService("SSH")], action="discard", ) # Display SourceVpn for rules for rule in p.fw_ipv4_access_rules.all():
def test_tcp_service_with_protocol_agent(self): result = TCPService('HTTP') self.assertIsInstance(result.protocol_agent, Protocol)
def test_get_or_create_element(self): # Will be created anew host = Host.get_or_create(filter_key={'address': '123.123.123.123'}, name='kookoo', address='123.123.123.123') self.assertEqual(host.name, 'kookoo') self.assertEqual(host.data.get('address'), '123.123.123.123') # Will be retrieved host = Host.get_or_create(filter_key={'address': '123.123.123.123'}, name='fooboo', address='123.123.123.123') self.assertEqual(host.name, 'kookoo') host.delete() # Test the two types using meta characters network = Network.get_or_create( filter_key={'ipv4_network': '172.18.33.0/24'}, name='mynetwork', ipv4_network='172.18.33.0/24') self.assertEqual(network.name, 'mynetwork') self.assertEqual(network.ipv4_network, '172.18.33.0/24') network = Network.get_or_create( filter_key={'ipv4_network': '172.18.33.0/24'}, name='mynetwork', ipv4_network='172.18.33.0/24') self.assertEqual(network.name, 'mynetwork') network.delete() # Address Range iprange = AddressRange.get_or_create( filter_key={'ip_range': '1.1.1.1-1.1.1.10'}, name='myrange', ip_range='1.1.1.1-1.1.1.10') self.assertEqual(iprange.name, 'myrange') self.assertEqual(iprange.data.get('ip_range'), '1.1.1.1-1.1.1.10') iprange = AddressRange.get_or_create( filter_key={'ip_range': '1.1.1.1-1.1.1.10'}, name='myrange', ip_range='1.1.1.1-1.1.1.10') self.assertEqual(iprange.name, 'myrange') iprange.delete() vpn = VPNPolicy.get_or_create(name='somepolicy') self.assertEqual(vpn.name, 'somepolicy') tcp = TCPService.get_or_create(filter_key={'min_dst_port': 8989}, name='myservice', min_dst_port=8989) self.assertIsInstance(tcp, TCPService) self.assertEqual(tcp.name, 'myservice') tcp = TCPService.get_or_create(filter_key={'min_dst_port': 8989}, name='newservice', min_dst_port=8989) self.assertEqual(tcp.name, 'newservice') host = Host.get_or_create(name='grace', address='12.12.12.12') self.assertEqual(host.name, 'grace') # Already exists host = Host.get_or_create(name='grace', address='12.12.12.12') self.assertEqual(host.name, 'grace')
Host.create(name=cnameNAT, address=NATIP, comment='Erstellt via Script') ################# #Network IPv6 Element erstellen ################# Network.create(name=cnameV6, ipv6_network=IPV6Network, comment='Erstellt via Script') ################# #IPv6 Sub Policy erstellen ################# p = FirewallIPv6SubPolicy.create(name=cnameV6) p.fw_ipv6_access_rules.create_rule_section(name='Outbound') p.fw_ipv6_access_rules.create(name='Default Outgoing', sources=[Network(cnameV6)], destinations='any', services=[TCPService('SSH'), TCPService('HTTP'), TCPService('HTTPS'), UDPService('NTP (UDP)'), ServiceGroup('DNS')], action='allow', after='Outbound') p.fw_ipv6_access_rules.create_rule_section(name='Inbound', add_pos=30) ################# #IPv4 Sub Policy erstellen ################# q = FirewallSubPolicy.create(name=cnameV4) q.fw_ipv4_access_rules.create_rule_section(name='Outbound') q.fw_ipv4_access_rules.create(name='Default Outgoing', sources=[Host(cnameNAT)], destinations='any', services=[TCPService('SSH'), TCPService('HTTP'), TCPService('HTTPS'), UDPService('NTP (UDP)'), ServiceGroup('DNS')], action='allow', after='Outbound') q.fw_ipv4_access_rules.create_rule_section(name='Inbound', add_pos=30) ################# #Jump Points einfügen #Zur vorsicht in die nicht genutzt Policy "Zweite Policy für Firewall XY" #################