def query_scanning_threat(self):
    '''
    Cache the scanning-threat settings currently present on the device.

    Runs 'show run threat-detection | grep scanning-threat' and stores one
    key per recognised line in ScanningThreatDetection.rates; the values are
    always '' so the dict serves as a set of keys. The cache exists so that
    the audit function does not generate unnecessary CLIs.
    '''
    if not self.get_top().get_device():
        # No device attribute: nothing to query.
        return
    # The cache is reset before the query, so an empty reply leaves it empty.
    ScanningThreatDetection.rates = {}
    output = self.query_asa('show run threat-detection | grep scanning-threat')
    if not output or not len(output):
        return
    # (line prefix, parser, key builder), tried in this order for every line.
    handlers = (
        ('threat-detection scanning-threat shun except ip-address',
         ShunExceptIP.parse_shun_except, ShunExceptIP.get_shun_str),
        ('threat-detection scanning-threat shun except object-group',
         ShunExceptObject.parse_shun_except, ShunExceptObject.get_shun_str),
        ('threat-detection scanning-threat shun duration',
         ShunDuration.parse_shun_duration, ShunDuration.get_duration_str),
        ('threat-detection rate scanning-threat',
         ScanningThreatRate.parse_rates, ScanningThreatRate.get_rates_str),
    )
    for cli in output.split('\n'):
        for prefix, parse, make_key in handlers:
            if cli.startswith(prefix):
                values = util.normalize_param_dict(parse(cli))
                ScanningThreatDetection.rates[make_key(values)] = ''
                break
def get_cli(self):
    """
    Build the command that is issued under the management interface.

    The template is filled with the normalized config and its whitespace is
    collapsed; the result is wrapped in a CLIInteraction whose mode command
    is "interface <intf>".

    @return CLIInteraction, or None when no management interface is found
    """
    assert self.has_ifc_delta_cfg()
    # NOTE(review): the interface is passed through normalize_param_dict,
    # not util.normalize_interface_name - confirm this is intended.
    mgmt_intf = util.normalize_param_dict(self.get_top().get_mgmt_interface())
    if not mgmt_intf:
        return
    params = util.normalize_param_dict(self.delta_ifc_cfg_value["value"])
    filled = self.asa_gen_template % params
    return CLIInteraction(command=" ".join(filled.split()),
                          mode_command="interface " + mgmt_intf,
                          response_parser=failover_response_parser)
def get_cli(self):
    '''
    Produce the CLIInteraction for the management-interface command.

    Returns None if get_mgmt_interface() yields nothing usable; otherwise
    the whitespace-collapsed template output is paired with the
    'interface <intf>' mode command and failover_response_parser.
    '''
    # assert is skipped under "python -O"; the precondition is then unchecked.
    assert self.has_ifc_delta_cfg()
    raw_intf = self.get_top().get_mgmt_interface()
    # NOTE(review): normalize_param_dict is applied to an interface value
    # here; verify that normalize_interface_name was not meant.
    intf = util.normalize_param_dict(raw_intf)
    if not intf:
        return
    value = util.normalize_param_dict(self.delta_ifc_cfg_value['value'])
    words = (self.asa_gen_template % value).split()
    command = ' '.join(words)
    return CLIInteraction(command=command,
                          mode_command='interface ' + intf,
                          response_parser=failover_response_parser)
def get_cli(self):
    '''Generate the CLI for this 'rate' config.

    Hands the normalized config and the current action to create_cli()
    and returns whatever it produces.
    '''
    assert self.has_ifc_delta_cfg()
    normalized = util.normalize_param_dict(self.delta_ifc_cfg_value['value'])
    action = self.get_action()
    return self.create_cli(normalized, action)
def diff_ifc_asa(self, cli):
    '''
    Compare the IFC configuration with the CLI found on the ASA and set
    the action for this object accordingly.

    Need to override this method because in composite type, the config value
    is initialized with empty value. The function has_ifc_delta_cfg() will
    not return false since the delta_ifc_cfg_value is not NONE.

    NOTE(review): the block nesting below was reconstructed from a flattened
    listing - confirm it against the original file.

    @param cli: str or StructuredCommand; the sub-command loop at the end
        reads cli.sub_commands.
    '''
    # Read before has_ifc_delta_cfg() is consulted, so delta_ifc_cfg_value
    # must already be subscriptable here (see the docstring).
    config = util.normalize_param_dict(self.delta_ifc_cfg_value['value'])
    if not self.has_ifc_delta_cfg() or not config:
        if self.is_removable: #delete operation required
            # The CLI exists on the device but not in the IFC config:
            # record it with state DESTROY.
            self.delta_ifc_key = self.create_delta_ifc_key(cli)
            self.delta_ifc_cfg_value = {'state': State.DESTROY, 'value': self.parse_cli(cli)}
            "add it to its container's delta_ifc_cfg_value"
            ancestor = self.get_ifc_delta_cfg_ancestor()
            if ancestor:
                ancestor.delta_ifc_cfg_value['value'][self.delta_ifc_key] = self.delta_ifc_cfg_value
        return
    # Sanity checks only: assert statements are skipped under "python -O".
    if isinstance(cli, str):
        assert cli.strip().startswith(self.get_asa_key())
    elif isinstance(cli, StructuredCommand):
        assert cli.command.startswith(self.get_asa_key())
    'Use dictionary compare instead of CLI compare to take care of optional parameters'
    if self.is_the_same_cli(cli):
        self.set_action(State.NOCHANGE)
    else:
        self.set_action(State.MODIFY)
    if self.get_action() == State.DESTROY:
        return
    # Let each child translator diff its own sub-command.
    # NOTE(review): a plain str has no sub_commands attribute - presumably
    # only StructuredCommand instances reach this loop; verify.
    for cmd in cli.sub_commands:
        translator = self.get_child_translator(cmd)
        if translator:
            translator.diff_ifc_asa(cmd)
def ifc2asa(self, no_asa_cfg_stack, asa_cfg_list, interfaces = None):
    '''Generate ASA configuration from IFC configuration delta.

    For a removable object being destroyed, the 'no' form of the CLI is
    generated into no_asa_cfg_stack. Otherwise the CLI is generated into
    asa_cfg_list and an 'ip address ... cluster-pool ...' command is queued
    under the management interface.

    NOTE(review): the block nesting below was reconstructed from a flattened
    listing; in particular confirm whether the pool section and the final
    SimpleType.ifc2asa call belong inside the else branch.

    @see DMObject.ifc2asa for parameter details
    '''
    if not self.has_ifc_delta_cfg():
        return
    action = self.get_action()
    if action == State.NOCHANGE:
        return
    if action == State.DESTROY and self.is_removable:
        self.generate_cli(no_asa_cfg_stack, 'no ' + self.get_cli())
    else:
        self.generate_cli(asa_cfg_list, self.get_cli())
        # apply the pool to the management interface
        value = normalize_param_dict(self.delta_ifc_cfg_value['value'])
        intf = self.get_top().get_mgmt_interface()
        if not intf:
            # default management interface: m0/0
            intf = 'm0/0'
        attr = self.get_mgmt_intf_attributes(intf)
        if attr == None:
            # No attributes for the interface: nothing more is queued.
            return
        # attr['ip'], attr['mask'] and value['pool_name'] are concatenated
        # into the command as-is.
        clii = CLIInteraction(mode_command='interface ' + util.normalize_interface_name(intf),
                              command='ip address ' + attr['ip'] + ' ' + attr['mask'] + ' cluster-pool ' + value['pool_name'],
                              response_parser=cluster_response_parser)
        asa_cfg_list.append(clii)
        SimpleType.ifc2asa(self, no_asa_cfg_stack, asa_cfg_list)
def ifc2asa(self, no_asa_cfg_stack, asa_cfg_list):
    '''
    Translate IFC config to ASA config.

    Nothing is queued when there is no delta config, when the state is
    NOCHANGE, or when create_cli() returns an empty result. If
    self.extra_cli is set it goes on no_asa_cfg_stack and the CLI on
    asa_cfg_list; otherwise a CLI starting with 'no ' goes on
    no_asa_cfg_stack and any other CLI on asa_cfg_list. Every interaction
    uses ScanningThreatDetection.ignore_msg_response_parser.
    '''
    if not self.has_ifc_delta_cfg():
        return
    state = self.delta_ifc_cfg_value['state']
    if state == State.NOCHANGE:
        return
    config = util.normalize_param_dict(self.delta_ifc_cfg_value['value'])
    cli = self.create_cli(config, state)
    if not len(cli):
        return
    parser = ScanningThreatDetection.ignore_msg_response_parser
    if self.extra_cli:
        no_asa_cfg_stack.append(
            CLIInteraction(self.extra_cli, response_parser=parser))
        asa_cfg_list.append(CLIInteraction(cli, response_parser=parser))
    elif cli.startswith('no '):
        no_asa_cfg_stack.append(CLIInteraction(cli, response_parser=parser))
    else:
        asa_cfg_list.append(CLIInteraction(cli, response_parser=parser))
def ifc2asa(self, no_asa_cfg_stack, asa_cfg_list):
    '''
    Translate IFC config to ASA config for one threat-detection rate.

    The rate type is taken from the parent and also forced into the config;
    'rate_status' defaults to 'enable' when absent or empty. A 'no ' CLI is
    pushed on no_asa_cfg_stack only if it differs from the command currently
    on top of that stack.
    '''
    if not self.has_ifc_delta_cfg():
        return
    self.rate_type = self.get_parent().rate_type
    self.asa_key = 'threat-detection rate ' + self.rate_type
    state = self.delta_ifc_cfg_value['state']
    # Reset before create_cli(); presumably create_cli() may set it - verify.
    self.extra_cli = None
    if state == State.NOCHANGE:
        return
    config = util.normalize_param_dict(self.delta_ifc_cfg_value['value'])
    config['rate'] = self.rate_type
    if not config.get('rate_status'):
        config['rate_status'] = 'enable'
    cli = self.create_cli(config, state)
    if not cli:
        return
    if self.extra_cli:
        no_asa_cfg_stack.append(
            CLIInteraction(self.extra_cli,
                           response_parser=self.ignore_response_parser))
        asa_cfg_list.append(CLIInteraction(cli))
    elif cli.startswith('no '):
        # Skip a 'no' command identical to the one on top of the stack.
        top_no_cli = no_asa_cfg_stack[-1].command if len(no_asa_cfg_stack) else None
        if cli != top_no_cli:
            no_asa_cfg_stack.append(
                CLIInteraction(cli,
                               response_parser=self.ignore_response_parser))
    else:
        asa_cfg_list.append(CLIInteraction(cli))
def create_asa_key(self):
    '''Create the ASA key that identifies this object.

    The key is 'logging message <message>', with <message> taken from the
    normalized config value.
    @return str
    '''
    assert self.has_ifc_delta_cfg()
    params = util.normalize_param_dict(self.delta_ifc_cfg_value['value'])
    key = 'logging message %(message)s' % params
    return key
def create_asa_key(self):
    '''Create the ASA key that identifies this object.

    The key is asa_gen_template filled with the normalized config value.
    @return str
    '''
    assert self.has_ifc_delta_cfg()
    raw_value = self.delta_ifc_cfg_value['value']
    params = util.normalize_param_dict(raw_value)
    return self.asa_gen_template % params
def create_asa_key(self):
    """Build the key under which this object is known on the ASA.

    @return str: asa_gen_template with the normalized config filled in
    """
    # assert is skipped under "python -O"; the precondition is then unchecked.
    assert self.has_ifc_delta_cfg()
    template = self.asa_gen_template
    return template % util.normalize_param_dict(self.delta_ifc_cfg_value["value"])
def get_cli(self):
    '''Fill asa_gen_template from the normalized config.

    When the parent reports an interface name it is added to the
    parameters under 'interface_name' before the template is filled.
    @return str
    '''
    params = normalize_param_dict(self.delta_ifc_cfg_value['value'])
    parent_intf = self.parent.get_interface_name()
    if parent_intf:
        params['interface_name'] = parent_intf
    # NOTE(review): the parameters are interpolated into the device command
    # as-is; confirm they are validated before they reach this point.
    return self.asa_gen_template % params
def diff_ifc_asa(self, cli):
    '''
    Get diff of IFC and ASA.

    After the base-class diff, a MODIFY action is downgraded to NOCHANGE
    when the collector parsed from the CLI is already listed in
    NetFlowObjects.collectors.
    '''
    super(NetFlowCollectors, self).diff_ifc_asa(cli)
    if self.get_action() != State.MODIFY:
        return
    parsed = util.normalize_param_dict(self.parse_cli(cli))
    collector = self.get_collector_info(parsed)
    if collector in NetFlowObjects.collectors:
        self.set_action(State.NOCHANGE)
def get_cli(self):
    '''Generate the CLI for this single logging message config.

    @return str: 'logging message <message>', followed by ' level <level>'
        when a level is configured
    '''
    assert self.has_ifc_delta_cfg()
    config = util.normalize_param_dict(self.delta_ifc_cfg_value['value'])
    level = config.get('level')
    if level:
        level_part = ' level ' + level
    else:
        level_part = ''
    return 'logging message %(message)s' % config + level_part
def ifc2asa(self, no_asa_cfg_stack, asa_cfg_list):
    '''Queue 'clear xlate' when translations have to be cleared.

    The command is generated into asa_cfg_list only if the config is
    present and not being destroyed, contains 'clear_translation', and
    self.acl_changed is set. no_asa_cfg_stack is not touched.
    '''
    if not self.has_ifc_delta_cfg():
        return
    if self.delta_ifc_cfg_value['state'] == State.DESTROY:
        return
    params = normalize_param_dict(self.delta_ifc_cfg_value['value'])
    if 'clear_translation' in params and self.acl_changed:
        self.generate_cli(asa_cfg_list, 'clear xlate')
def create_asa_key(self):
    '''Create the ASA key that identifies this object.

    @return str: '' when there is no IFC delta config, otherwise
        asa_gen_template filled with the normalized config value
    '''
    if self.has_ifc_delta_cfg():
        params = util.normalize_param_dict(self.delta_ifc_cfg_value['value'])
        return self.asa_gen_template % params
    return ''
def populate_model(self, delta_ifc_key, delta_ifc_cfg_value):
    '''Populate the NAT rule and derive self.values from its config.

    After the base-class population, self.values holds the normalized
    config with self.DEFAULTS applied through populate_defaults(). The
    'dns' and 'unidirectional' parameters, when present, are reset to None
    because their values are ignored.
    '''
    super(NATRule, self).populate_model(delta_ifc_key, delta_ifc_cfg_value)
    self.values = normalize_param_dict(self.delta_ifc_cfg_value['value'])
    self.populate_defaults(self.values, self.DEFAULTS)
    # Normalize parameters whose values are ignored
    ignored = [name for name in ('dns', 'unidirectional')
               if name in self.values]
    for name in ignored:
        self.values[name] = None
def populate_model(self, delta_ifc_key, delta_ifc_cfg_value):
    '''
    Populate the cluster role configuration.

    Stores the key, the config value and its state on the instance, then
    sets the class-level flag ClusterConfig.is_master to True when the
    normalized value equals 'master' (compared case-insensitively).
    '''
    self.delta_ifc_key = delta_ifc_key
    self.delta_ifc_cfg_value = delta_ifc_cfg_value
    self.state = delta_ifc_cfg_value['state']
    role = str(util.normalize_param_dict(delta_ifc_cfg_value['value']))
    ClusterConfig.is_master = (role.lower() == 'master')
def get_cli(self):
    '''Override get_cli.

    @return the result of create_cli() when the normalized value is exactly
        'enable' or 'disable'; None for any other value
    '''
    assert self.has_ifc_delta_cfg()
    setting = util.normalize_param_dict(self.delta_ifc_cfg_value['value'])
    if setting in ('enable', 'disable'):
        return self.create_cli(setting, self.get_action())
    return None
def get_cli(self):
    """Generate the CLI for ntp server config.

    @return str: "ntp server <server>", followed by " key <key>" when a key
        is configured and by " prefer " when 'prefer' is "enable"
    """
    assert self.has_ifc_delta_cfg()
    config = util.normalize_param_dict(self.delta_ifc_cfg_value["value"])
    key = config.get("key")
    key_part = " key " + key if key else ""
    # The trailing space after "prefer" is part of the emitted text.
    prefer_part = " prefer " if config.get("prefer") == "enable" else ""
    return "ntp server %(server)s" % config + key_part + prefer_part
def get_cli(self):
    '''Return the CLI for the current config value.

    @return str: self.asa_key when the normalized value is an empty dict,
        otherwise the filled template with whitespace collapsed
    '''
    params = normalize_param_dict(self.delta_ifc_cfg_value['value'])
    if params == {}:
        return self.asa_key
    # Empty optional parameters can leave extra blanks in the filled
    # template; split() followed by join() reduces every whitespace run
    # (newlines included) to a single space.
    words = (self.asa_gen_template % params).split()
    return ' '.join(words)
def get_cli(self):
    '''Generate the CLI for this single cluster ip config.

    @return str: the SimpleType CLI, followed by ' mask <mask>' when a mask
        is configured, with whitespace collapsed
    '''
    assert self.has_ifc_delta_cfg()
    config = util.normalize_param_dict(self.delta_ifc_cfg_value['value'])
    mask = config.get('mask')
    base = SimpleType.get_cli(self)
    full = base + ' mask ' + mask if mask else base
    return ' '.join(full.split())
def get_cli(self):
    '''Return the CLI for the self.delta_ifc_cfg_value, used by ifc2asa.

    @precondition: self.has_ifc_delta_cfg() is True; when it is not, '' is
        returned.
    @note: it always returns the +ve CLI, i.e. no "no" prefix in the return
        value.
    '''
    if self.has_ifc_delta_cfg():
        params = normalize_param_dict(self.delta_ifc_cfg_value['value'])
        filled = self.asa_gen_template % params
        # split()/join reduces every whitespace run to a single space.
        return ' '.join(filled.split())
    return ''
def get_cli(self):
    '''Generate the CLI for this 'delay flow-create' config.

    @return str: '' when the normalized config is empty, otherwise the
        result of create_cli() for a {'state', 'value'} pair
    '''
    assert self.has_ifc_delta_cfg()
    state = self.delta_ifc_cfg_value['state']
    normalized = util.normalize_param_dict(self.delta_ifc_cfg_value['value'])
    if normalized:
        return self.create_cli({'state': state, 'value': normalized}, state)
    return ''
def get_cli(self):
    """
    Fill the template after setting the failover link interface.

    The 'interface' parameter is replaced by the normalized name of the
    interface returned by get_failover_link_interface().

    @return str: the filled template with whitespace collapsed
    """
    assert self.has_ifc_delta_cfg()
    params = util.normalize_param_dict(self.delta_ifc_cfg_value["value"])
    link = self.get_top().get_failover_link_interface()
    params["interface"] = util.normalize_interface_name(link)
    filled = self.asa_gen_template % params
    return " ".join(filled.split())
def get_cli(self):
    """Generate the CLI for this single failover ip config.

    The netmask is left out when 'active_ip' contains ":" (presumably an
    IPv6 address - verify). A missing 'active_ip', 'netmask' or
    'standby_ip' is not handled here and raises TypeError.

    @return str: "<SimpleType CLI> <netmask> standby <standby_ip>" with
        whitespace collapsed
    """
    assert self.has_ifc_delta_cfg()
    config = util.normalize_param_dict(self.delta_ifc_cfg_value["value"])
    if ":" in config.get("active_ip"):
        netmask = ""
    else:
        netmask = config.get("netmask")
    standby_ip = config.get("standby_ip")
    full = SimpleType.get_cli(self) + " " + netmask + " standby " + standby_ip
    return " ".join(full.split())
def get_cli(self):
    '''Override the default implementation to take care of the / delimiter.

    @return str: 'ipv6 address <normalized address>', followed by ' eui-64'
        when 'eui64' is set, with whitespace collapsed
    '''
    assert self.has_ifc_delta_cfg()
    config = util.normalize_param_dict(self.delta_ifc_cfg_value['value'])
    address = util.normalize_ipv6_address(config['ipv6_address_with_prefix'])
    config['ipv6_address_with_prefix'] = address
    suffix = ' eui-64' if config.get('eui64') else ''
    return ' '.join(('ipv6 address ' + address + suffix).split())
def query_scanning_threat(self):
    '''
    Get all scanning threat rate instances on the device.

    Each recognised line of the device reply becomes a key in
    ScanningThreatDetection.rates (with '' as its value). These are used to
    optimize the CLI so that no unnecessary CLIs are generated by the audit
    function.
    '''
    if not self.get_top().get_device():
        # skip if there is no device attribute
        return
    ScanningThreatDetection.rates = {}
    reply = self.query_asa('show run threat-detection | grep scanning-threat')
    if not reply or not len(reply):
        return
    for cli in reply.split('\n'):
        if cli.startswith(
                'threat-detection scanning-threat shun except ip-address'):
            parsed = ShunExceptIP.parse_shun_except(cli)
            key = ShunExceptIP.get_shun_str(util.normalize_param_dict(parsed))
        elif cli.startswith(
                'threat-detection scanning-threat shun except object-group'):
            parsed = ShunExceptObject.parse_shun_except(cli)
            key = ShunExceptObject.get_shun_str(
                util.normalize_param_dict(parsed))
        elif cli.startswith('threat-detection scanning-threat shun duration'):
            parsed = ShunDuration.parse_shun_duration(cli)
            key = ShunDuration.get_duration_str(
                util.normalize_param_dict(parsed))
        elif cli.startswith('threat-detection rate scanning-threat'):
            parsed = ScanningThreatRate.parse_rates(cli)
            key = ScanningThreatRate.get_rates_str(
                util.normalize_param_dict(parsed))
        else:
            # Not a line this cache tracks.
            continue
        ScanningThreatDetection.rates[key] = ''
def get_cli(self):
    '''
    Generate the CLI for this single CLI with optional parameter 'reset'.

    @return str: the SimpleType CLI, followed by ' ' + TIMEOUT_RESET_CLI
        when 'idle_reset' is 'enable'
    '''
    assert self.has_ifc_delta_cfg()
    config = util.normalize_param_dict(self.delta_ifc_cfg_value['value'])
    # default value for reset: disable
    wants_reset = config is not None and config.get('idle_reset') == 'enable'
    suffix = ' ' + TIMEOUT_RESET_CLI if wants_reset else ''
    return SimpleType.get_cli(self) + suffix
def get_cli(self):
    '''Generate the CLI for this 'delay flow-create' config.

    An empty normalized config yields ''; otherwise create_cli() is called
    with the state and the normalized value bundled into one dict.
    '''
    assert self.has_ifc_delta_cfg()
    state = self.delta_ifc_cfg_value['state']
    value = util.normalize_param_dict(self.delta_ifc_cfg_value['value'])
    if not value:
        return ''
    bundle = {'state': state, 'value': value}
    return self.create_cli(bundle, state)
def get_cli(self):
    '''Generate the CLI for this IPS config.

    @return str: '' without an IFC delta config; otherwise the filled
        template, followed by ' sensor <sensor>' when a sensor is configured
    '''
    if not self.has_ifc_delta_cfg():
        return ''
    config = util.normalize_param_dict(self.delta_ifc_cfg_value['value'])
    sensor = config.get("sensor")
    # NOTE(review): the values are interpolated into the device command
    # as-is; confirm they are validated before they reach this point.
    base = self.asa_gen_template % config
    if sensor:
        return base + ' sensor ' + sensor
    return base
def get_cli(self):
    '''Override the default implementation to take care of the / delimiter.

    The address is normalized with util.normalize_ipv6_address and written
    back into the config before the command is assembled.
    @return str: the 'ipv6 address ...' command with whitespace collapsed
    '''
    assert self.has_ifc_delta_cfg()
    config = util.normalize_param_dict(self.delta_ifc_cfg_value['value'])
    config['ipv6_address_with_prefix'] = util.normalize_ipv6_address(
        config['ipv6_address_with_prefix'])
    parts = ['ipv6 address ' + config['ipv6_address_with_prefix']]
    if config.get('eui64'):
        parts.append(' eui-64')
    return ' '.join(''.join(parts).split())
def get_cli(self):
    '''Generate the CLI for this single failover ip config.

    No netmask is emitted when 'active_ip' contains ':' (presumably an IPv6
    address - verify). The method does not guard against a missing
    'active_ip', 'netmask' or 'standby_ip'; those raise TypeError.
    '''
    assert self.has_ifc_delta_cfg()
    config = util.normalize_param_dict(self.delta_ifc_cfg_value['value'])
    has_colon = ':' in config.get('active_ip')
    netmask = '' if has_colon else config.get('netmask')
    standby_ip = config.get('standby_ip')
    result = SimpleType.get_cli(self)
    result = result + (' ' + netmask + ' standby ' + standby_ip)
    return ' '.join(result.split())
def get_cli(self):
    '''
    Normalize the interface name before filling the template.

    The interface comes from get_failover_link_interface() on the top
    object and overrides any 'interface' value already in the config.
    @return str: the filled template with whitespace collapsed
    '''
    assert self.has_ifc_delta_cfg()
    value = util.normalize_param_dict(self.delta_ifc_cfg_value['value'])
    value['interface'] = util.normalize_interface_name(
        self.get_top().get_failover_link_interface())
    words = (self.asa_gen_template % value).split()
    return ' '.join(words)
def get_cli(self):
    '''Generate the CLI for this CLACP system-mac configuration.

    @return str: '' without an IFC delta config; otherwise the SimpleType
        CLI, followed by ' system-priority <priority>' when a priority is
        configured, with whitespace collapsed
    '''
    if not self.has_ifc_delta_cfg():
        return ''
    config = util.normalize_param_dict(self.delta_ifc_cfg_value['value'])
    priority = config.get('priority')
    base = SimpleType.get_cli(self)
    full = base + ' system-priority ' + priority if priority else base
    return ' '.join(full.split())
def get_cli(self):
    '''Generate the CLI for this 'active refresh-interval' config.

    @return str: '' when the normalized config is empty, otherwise the
        result of create_cli() for a {'state', 'value'} pair
    '''
    assert self.has_ifc_delta_cfg()
    normalized = util.normalize_param_dict(self.delta_ifc_cfg_value['value'])
    if normalized:
        state = self.delta_ifc_cfg_value['state']
        return self.create_cli({'state': state, 'value': normalized}, state)
    return ''
def get_cli(self):
    '''Generate the CLI for this 'flow-export destination' config.

    self.interface is filled from get_utility_nameif() when it is not set.
    @return the result of create_cli() when an interface is known and the
        config has both 'host' and 'port'; None otherwise
    '''
    assert self.has_ifc_delta_cfg()
    if not self.interface:
        self.interface = self.get_top().get_utility_nameif()
    if not self.interface:
        return None
    config = util.normalize_param_dict(self.delta_ifc_cfg_value['value'])
    state = self.delta_ifc_cfg_value['state']
    if 'host' not in config or 'port' not in config:
        return None
    return self.create_cli(config, state)
def get_cli(self):
    '''Generate the CLI for this 'active refresh-interval' config.

    An empty normalized config yields ''; otherwise the state and the
    normalized value are bundled into one dict and passed to create_cli().
    '''
    assert self.has_ifc_delta_cfg()
    value = util.normalize_param_dict(self.delta_ifc_cfg_value['value'])
    if not value:
        return ''
    state = self.delta_ifc_cfg_value['state']
    bundle = {'state': state, 'value': value}
    return self.create_cli(bundle, state)
def get_cli(self):
    '''Generate the CLI for this 'flow-export destination' config.

    The interface falls back to the utility nameif of the top object.
    Without an interface, or without both 'host' and 'port' in the config,
    the method returns None.
    '''
    assert self.has_ifc_delta_cfg()
    if not self.interface:
        self.interface = self.get_top().get_utility_nameif()
    if self.interface:
        params = util.normalize_param_dict(self.delta_ifc_cfg_value['value'])
        state = self.delta_ifc_cfg_value['state']
        if all(name in params for name in ('host', 'port')):
            return self.create_cli(params, state)
    return None
def populate_model(self, delta_ifc_key, delta_ifc_cfg_value):
    '''
    Populate model.

    After the base-class population, one entry per child is stored in
    self.config under the key (ifc_key, ifc_name). A 'NetFlowCollectors'
    child is stored as its normalized value plus a 'state' item; any other
    child is stored as a {'state', 'value'} dict.
    '''
    super(TemplateAndCollectors, self).populate_model(delta_ifc_key,
                                                      delta_ifc_cfg_value)
    children = delta_ifc_cfg_value['value']
    for (ifc_type, ifc_key, ifc_name), child in children.iteritems():
        if ifc_key != 'NetFlowCollectors':
            entry = {'state': child['state'], 'value': child['value']}
        else:
            entry = util.normalize_param_dict(child['value'])
            entry['state'] = child['state']
        self.config[(ifc_key, ifc_name)] = entry
def ifc2asa(self, no_asa_cfg_stack, asa_cfg_list):
    '''
    Translate IFC config to ASA config.

    Nothing is queued without a delta config or when the state is NOCHANGE.
    A CLI starting with 'no ' is appended to no_asa_cfg_stack, any other
    CLI to asa_cfg_list; both use
    ScanningThreatDetection.ignore_msg_response_parser.
    '''
    if not self.has_ifc_delta_cfg():
        return
    state = self.delta_ifc_cfg_value['state']
    if state == State.NOCHANGE:
        return
    config = util.normalize_param_dict(self.delta_ifc_cfg_value['value'])
    cli = self.create_cli(config, state)
    # NOTE(review): cli is used without an emptiness check - confirm that
    # create_cli() always returns a string here.
    target = no_asa_cfg_stack if cli.startswith('no ') else asa_cfg_list
    target.append(
        CLIInteraction(
            cli,
            response_parser=ScanningThreatDetection.ignore_msg_response_parser))
def get_cli(self):
    '''Override get_cli.

    @return str: '' for an empty value, 'no ' + self.asa_key when the value
        starts with 'disable', self.asa_key otherwise
    '''
    assert self.has_ifc_delta_cfg()
    setting = util.normalize_param_dict(self.delta_ifc_cfg_value['value'])
    if not setting:
        return ''
    disabled = str(setting).startswith('disable')
    return 'no ' + self.asa_key if disabled else self.asa_key
def get_cli(self):
    '''
    Generate the CLI for this single CLI with optional parameter 'reset'.

    The reset keyword (TIMEOUT_RESET_CLI) is appended only when the config
    has 'idle_reset' set to 'enable'; the default is no reset.
    '''
    assert self.has_ifc_delta_cfg()
    config = util.normalize_param_dict(self.delta_ifc_cfg_value['value'])
    if config is not None and config.get('idle_reset') == 'enable':
        suffix = ' ' + TIMEOUT_RESET_CLI
    else:
        # default value for reset: disable
        suffix = ''
    return SimpleType.get_cli(self) + suffix
def parse_multi_parameter_cli(self, cli, asa_gen_template = None):
    '''
    Parse the parameters of a rate CLI, which may be in its 'no' form.

    A leading 'no ' is stripped before parsing and recorded as rate status
    'disable'; otherwise the status is 'enable'. The status is stored under
    the (Type.PARAM, 'rate_status', '') key with state NOCHANGE, and
    self.rate_type is set from the normalized 'rate' value.
    asa_gen_template is accepted but not used in this method.

    @return the parse_rates() result with the rate_status entry added
    '''
    negated = cli.startswith('no ')
    result = self.parse_rates(cli[3:] if negated else cli)
    status = 'disable' if negated else 'enable'
    result[(Type.PARAM, 'rate_status', '')] = {'state': State.NOCHANGE,
                                               'value': status}
    self.rate_type = util.normalize_param_dict(result)['rate']
    return result
def ifc2asa(self, no_asa_cfg_stack, asa_cfg_list):
    '''Queue the translation-clearing CLIs for NAT when needed.

    self.xlate_clis is appended to no_asa_cfg_stack when the config is
    present, not being destroyed, and contains 'clear_translation'. Nothing
    is queued when the 'AccessListDeployment' child reports acl_changed.
    asa_cfg_list is not touched.
    '''
    if not self.has_ifc_delta_cfg():
        return
    if self.delta_ifc_cfg_value['state'] == State.DESTROY:
        return
    # If translations are already cleared for ACLs, then not needed for NAT
    acl_deployment = self.get_top().get_child('AccessListDeployment')
    if acl_deployment and acl_deployment.acl_changed:
        return
    params = normalize_param_dict(self.delta_ifc_cfg_value['value'])
    if 'clear_translation' in params:
        no_asa_cfg_stack.extend(self.xlate_clis)