def __init__(self, ipaddr, username, password, domain=None, port="443"): self.api_server = ipaddr self.username = username self.password = password self.port = port #self.urlbase = "https://{ipaddr}:{port}/".format(ipaddr=self.ipaddr,port=self.port) #self.timeout = timeout if domain: self.domain = domain client_args = APIClientArgs(server=self.api_server, port=self.port) self.client = APIClient(client_args) if self.client.check_fingerprint() is False: print( "Could not get the server's fingerprint - Check connectivity with the server." ) exit(1) # login to server: if domain: login_res = self.client.login(self.username, self.password, False, self.domain) else: login_res = self.client.login(self.username, self.password) if login_res.success is False: print("Login failed:\n{}".format(login_res.error_message)) exit(1)
def install_policy(): client_args = APIClientArgs(server=mgmt_ip, port=4434, api_version=1.5) message = "" with APIClient(client_args) as client: login_res = client.login(username=mgmt_user, password=mgmt_password) if login_res.success is False: message = "Login failed: {}".format(login_res.error_message) print(login_res) else: api_res = client.api_call( "install-policy", { "policy-package": mgmt_policy, "targets": mgmt_target_gateway, "access": 0, "threat-prevention": 1 }) if api_res.success: message = "Policy installed successfully!" else: message = "Policy was UNABLE to be installed :(" return message
def main(): user_args = populate_parser() Utils.log_file = open( os.path.dirname(os.path.abspath(__file__)) + os.sep + 'replace_references_' + (user_args.domain if user_args.domain else "") + '_' + str(Utils.DATETIME_NOW_SEC) + '.txt', 'w+') client_args = APIClientArgs(server=user_args.management, port=user_args.port) with APIClient(client_args) as client: # The API client, would look for the server's certificate SHA1 fingerprint in a file. # If the fingerprint is not found on the file, it will ask the user if he accepts the server's fingerprint. # In case the user does not accept the fingerprint, exit the program. if client.check_fingerprint() is False: Utils.print_msg( "Could not get the server's fingerprint - Check connectivity with the server." ) exit(1) Utils.login(user_args, client) original_object = get_object(client, user_args.original_reference) new_object = get_object(client, user_args.new_reference) if not find_usages(client, original_object): Utils.print_msg("WARNING: " + original_object.get("name") + " not in use") replace_original_with_new_reference(client, original_object, new_object) res = client.api_call("publish") Utils.exit_failure("Publish operation failed ", res, client) Utils.log_file.close()
def fun_getipsver_mgmt(): global output_text global output_code global ipsver_mgmt client_args = APIClientArgs(server=args.api_server, context=args.api_context, unsafe='True') with APIClient(client_args) as client: # If Errer occurs due to fingerprtnt mismatch if client.check_fingerprint() is False: output_text.update="Could not get the server's fingerprint - Check connectivity with the server." output_code.append("UNKNOWN") # login to server: login_res = client.login(args.api_user, args.api_pwd) logging.debug('API Login done: '+str(login_res)) # when login failed if login_res.success is False: output_text.update="Login failed: {}".format(login_res.error_message) output_code.append("UNKNOWN") else: #API Call "show ips status" res_ipsver_mgmt = client.api_call("show-ips-status") ipsver_mgmt=res_ipsver_mgmt.data["installed-version"] if ipsver_mgmt: #getting version numbers ips_current_ver_info=res_ipsver_mgmt.data["installed-version"] ips_update_ver_info=res_ipsver_mgmt.data["latest-version"] #bool update available - yes/no ips_bool_update=res_ipsver_mgmt.data["update-available"] #install dates ips_date_last_install=res_ipsver_mgmt.data["last-updated"] ips_date_last_install_iso=ips_date_last_install["iso-8601"] ips_date_last_install_posix=ips_date_last_install["posix"] ips_date_update=res_ipsver_mgmt.data["latest-version-creation-time"] ips_date_update_posix=ips_date_update["posix"] # # ips_update_date_delta=((ips_date_last_install_posix/1000 - ips_date_update_posix/1000))/(60*60*24) logging.debug('Fetched Management IPS Version: '+str(ips_current_ver_info)+", most recent:"+str(ips_current_ver_info)+" From:"+str(ips_date_last_install_iso)) #work with it if not ips_bool_update: logging.debug("Update available: " +str(ips_bool_update)) output_text.update({"Monitor Management IPS Version": {"Result" : "OK! No Update available - Last installed update: "+str(ips_date_last_install_iso)+" - Installed Version "+str(ips_current_ver_info)+" - Newest: "+str(ips_update_ver_info)}}) output_code.append("OK") elif ips_update_date_delta > 3: logging.debug("Update available: " +str(ips_bool_update)) output_text.update({"Monitor Management IPS Version": {"Result" : "CRITICAL! Updates available - Last installed update: "+str(ips_date_last_install_iso)+" - last Installed version "+str(ips_current_ver_info)+" - Newest: "+str(ips_update_ver_info)+" - Update Date Delta: "+str(ips_update_date_delta)+" Days!"}}) output_code.append("CRITICAL") elif ips_update_date_delta > 0 and ips_update_date_delta < 3: logging.debug("Update available: " +str(ips_bool_update)) output_text.update({"Monitor Management IPS Version": {"Result" : "WARNING! Updates available - Last installed update: "+str(ips_date_last_install_iso)+" - last Installed version "+str(ips_current_ver_info)+" - Newest: "+str(ips_update_ver_info)+" - Update Date Delta: "+str(ips_update_date_delta)+" Days!"}}) output_code.append("WARNING") else: logging.debug("Something is wrong - API Response: " +str(login_res)) output_text.update({"Monitor Management IPS Version": {"Result" : "There is something wrong - please check! API Response (with -v)"}}) output_code.append("UNKNOWN") else: logging.debug("Soomething is wron - API Response: " +str(login_res)) output_text.update({"meh - something went wrong"}) output_code.append("UNKNOWN") return output_text,output_code,ipsver_mgmt
def publish_changes(): client_args = APIClientArgs(server=config.api_server) with APIClient(client_args) as client: client.debug_file = "api_calls.json" if client.check_fingerprint() is False: print( "Could not get the server's fingerprint - Check connectivity with the server." ) logging.warning( "Could not get the server's fingerprint - Check connectivity with the server." ) sys.exit(1) login_res = client.login(config.username, config.password, "True", config.domain) if login_res.success is False: print("Login failed: {}".format(login_res.error_message)) logging.warning("Login failed: {}".format(login_res.error_message)) sys.exit(1) set_package = client.api_call("set-package", {"name": config.package}) publish_res = client.api_call("publish", {}) if publish_res.success: print("The changes were published successfully.") logging.info("The changes were published successfully.") else: print("Failed to publish the changes.") logging.warning("Failed to publish the changes.")
def login(): client_args = APIClientArgs(server=config.api_server) client = APIClient(client_args) client.debug_file = "api_calls.json" if client.check_fingerprint() is False: print( "Could not get the server's fingerprint - Check connectivity with the server." ) logging.warning( "Could not get the server's fingerprint - Check connectivity with the server." ) sys.exit(1) login_res = client.login(config.username, config.password, "True", config.domain) if login_res.success is False: print("Login failed: {}".format(login_res.error_message)) logging.warning("Login failed: {}".format(login_res.error_message)) sys.exit(1) config.session = client
def main(): # getting details from the user api_server = input("Enter server IP address or hostname:") username = input("Enter username: "******"Enter password: "******"Attention! Your password will be shown on the screen!") password = input("Enter password: "******"Enter the name of the access rule: ") # # The API client, would look for the server's certificate SHA1 fingerprint in a file. # If the fingerprint is not found on the file, it will ask the user if he accepts the server's fingerprint. # In case the user does not accept the fingerprint, exit the program. if client.check_fingerprint() is False: print( "Could not get the server's fingerprint - Check connectivity with the server." ) exit(1) # login to server: login_res = client.login(username, password) if login_res.success is False: print("Login failed:\n{}".format(login_res.error_message)) exit(1) # add a rule to the top of the "Network" layer add_rule_response = client.api_call("add-access-rule", { "name": rule_name, "layer": "Network", "position": "top" }) if add_rule_response.success: print( "The rule: '{}' has been added successfully".format(rule_name)) # publish the result publish_res = client.api_call("publish", {}) if publish_res.success: print("The changes were published successfully.") else: print("Failed to publish the changes.") else: print("Failed to add the access-rule: '{}', Error:\n{}".format( rule_name, add_rule_response.error_message))
def main(): # getting details from the user api_server = input("Enter server IP address or hostname:") username = input("Enter username: “) if sys.stdin.isatty(): password = getpass.getpass("Enter password: "******"Attention! Your password will be shown on the screen!") password = input("Enter password: "******"Could not get the server's fingerprint - Check connectivity with the server.") exit(1) # login to server: login_res = client.login(username, password) if login_res.success is False: print("Login failed:\n{}".format(login_res.error_message)) exit(1) csv_filepath = input("Enter the filepath: ") # delete network objects listed in a csv file # read the file with open(csv_filepath, 'r') as read_obj: # pass the file object to reader() to get the reader object csv_reader = reader(read_obj) # Iterate over each row in the csv using reader object for host in csv_reader: # host variable is a list that represents a row in csv unused_host_data = {'name':'{}'.format(str(host[0]))} delete_objects_response = client.api_call("delete-host", unused_host_data) if delete_object_response.success: print("The network object {} has been deleted successfully".format(unused_host_data)) else: print("Failed to delete network object {}, Error:\n{}".format(unused_host_data, delete_objects_response.error_message)) # publish the result publish_res = client.api_call("publish", {}) if publish_res.success: print("The changes were published successfully.") else: print("Failed to publish the changes.")
def run(self): Responder.run(self) client_args = APIClientArgs(server=self.server_ip, unsafe=True) with APIClient(client_args) as client: POST {{server}}/login Content-Type: application/json { "api-key" : "hqreK1MmmM4T1AYA0jOJpg==" }
def main(): # getting details from the user api_server = input("Enter server IP address or hostname:") if sys.stdin.isatty(): api_key = getpass.getpass("Enter api-key: ") else: print("Attention! Your api-key will be shown on the screen!") api_key = input("Enter api-key: ") client_args = APIClientArgs(server=api_server) with APIClient(client_args) as client: group_name = input("Enter the name of the group: ") # # The API client, would look for the server's certificate SHA1 fingerprint in a file. # If the fingerprint is not found on the file, it will ask the user if he accepts the server's fingerprint. # In case the user does not accept the fingerprint, exit the program. if client.check_fingerprint() is False: print( "Could not get the server's fingerprint - Check connectivity with the server." ) exit(1) # login to server: login_res = client.login_with_api_key(api_key) if login_res.success is False: print("Login failed:\n{}".format(login_res.error_message)) exit(1) # add the group add_group_response = client.api_call("add-group", {"name": group_name}) if add_group_response.success: print("The group: '{}' has been added successfully".format( group_name)) # publish the result publish_res = client.api_call("publish", {}) if publish_res.success: print("The changes were published successfully.") else: print("Failed to publish the changes.") else: print("Failed to add the group: '{}', Error:\n{}".format( group_name, add_group_response.error_message))
def main(): # getting details from the user api_server = input("Enter server IP address or hostname:") username = input("Enter username: "******"Enter password: "******"Attention! Your password will be shown on the screen!") password = input("Enter password: "******"Could not get the server's fingerprint - Check connectivity with the server." ) exit(1) # login to server: login_res = client.login(username, password) if login_res.success is False: print("Login failed:\n{}".format(login_res.error_message)) exit(1) show_sessions_res = client.api_query("show-sessions", "full") if not show_sessions_res.success: print("Failed to retrieve the sessions") return for sessionObj in show_sessions_res.data: # Ignore sessions that were not created with WEB APIs or CLI if sessionObj["application"] != "WEB_API": continue discard_res = client.api_call("discard", {"uid": sessionObj['uid']}) if discard_res.success: print("Session '{}' discarded successfully".format( sessionObj['uid'])) else: print("Session '{}' failed to discard".format( sessionObj['uid']))
def add(): username, password = util.get_credentials_access() client_args = APIClientArgs() with APIClient(client_args) as client: # # The API client, would look for the server's certificate SHA1 fingerprint in a file. # If the fingerprint is not found on the file, it will ask the user if he accepts the server's fingerprint. # In case the user does not accept the fingerprint, exit the program. if client.check_fingerprint() is False: print( "Could not get the server's fingerprint - Check connectivity with the server." ) exit(1) # login to server: login_res = client.login(username, password) if login_res.success is False: print("Login failed:\n{}".format(login_res.error_message)) exit(1) for i in range(_PORT, _PORT + 3000): add_service_response = client.api_call("add-service-tcp", { "name": 'TCP-' + str(i), "port": i }) if add_service_response.success: print("The service: '{}' has been added successfully".format( add_service_response.data['name'])) else: print("Port: '{}'\n{}".format( i, add_service_response.error_message)) print("[{}] {}: {}".format( add_service_response.status_code, add_service_response.data['code'], add_service_response.data['message'])) # publish the result publish_res = client.api_call("publish", {}) if publish_res.success: print("The changes were published successfully.") else: print("Failed to publish the changes.")
def fun_getipsver_gws(): global ipsver_mgmt global output_text global output_code client_args = APIClientArgs(server=args.api_server, context=args.api_context, unsafe='True') with APIClient(client_args) as client: # If Errer occurs due to fingerprint mismatch if client.check_fingerprint() is False: output_text.update({"Monitor Logging into Mgmt API": {"Result": "Could not get the server's fingerprint - Check connectivity with the server."}}) output_code.append("UNKNOWN") # login to server:r login_res = client.login(args.api_user,args.api_pwd) # when login failed if login_res.success is False: logging.debug("Something is wrong - API Response: " +str(login_res)) output_text.update({"Monitor Logging into Mgmt API": {"Result": "Login failed: {}".format(login_res.error_message)}}) output_code.append("UNKNOWN") res_getmanagedgws = client.api_call("show-simple-gateways",{"limit":"500"}) gwselector=0 totalgws=res_getmanagedgws.data['total'] logging.debug("Checking IPS version on "+str(res_getmanagedgws.data['total'])+" Gateways") dict_ipsver_gw={} while gwselector < totalgws: gwname=res_getmanagedgws.data['objects'][gwselector]['name'] res_ipsvermgmt_task = client.api_call("run-script",{"script-name":"get ips version","script":"clish -c \"show security-gateway ips status\"","targets" : gwname}) ipsver_gw=re.search('IPS Update Version: (.+?), ', res_ipsvermgmt_task.data['tasks'][0]['task-details'][0]['statusDescription']) dict_ipsver_gw.update({ gwname: {"gwversion" : ipsver_gw.group(1),"mgmtversion" : ipsver_mgmt,"gwmgmtsame" : ipsver_mgmt==ipsver_gw.group(1)}}) if ipsver_mgmt!=ipsver_gw.group(1): output_text.update({"Monitor Gateway "+str(gwname)+" IPS Version": {"Result":"has not the same version as Management! Management:"+str(ipsver_mgmt)+" - Gw:"+str(ipsver_gw.group(1))+""}}) output_code.append("WARNING") elif ipsver_mgmt==ipsver_gw.group(1): output_text.update({"Monitor Gateway "+str(gwname)+" IPS Version": {"Result":"OK! Mgmt "+str(ipsver_mgmt)+" - Gw "+str(ipsver_gw.group(1))+""}}) output_code.append("OK") else: output_text.update({"Monitor Gateway "+str(gwname)+" IPS Version": {"Result":"UNKNOWN! Something weird happened"}}) output_code.append("UNKNOWN") logging.debug("IPS version on "+str(gwname)+": "+ipsver_gw.group(1)) gwselector=gwselector+1 return output_text, output_code
def main(): # getting details from the user api_server = input("Enter server IP address or hostname:") username = input("Enter username: "******"Enter password: "******"Attention! Your password will be shown on the screen!") password = input("Enter password: "******"1", unsafe=True, context="gaia_api") with APIClient(client_args) as client: # login to server: login_res = client.login(username, password) if login_res.success is False: print("Login failed: {}".format(login_res.error_message)) exit(1) interface_name = input("Enter interface name: ") api_res = client.api_call("show-physical-interface", {"name": interface_name}) if api_res.success: # in order to access any field within the data that had # returned, simple use api_res.data["field name"] or refer to # the documentation page - # https://sc1.checkpoint.com/documents/latest/GaiaAPIs/ print("Physical interface name is '{}' , ipv4 address is '{}', " "interface mtu is '{}' ".format(api_res.data["name"], api_res.data["ipv4-address"], api_res.data["mtu"])) else: print("Failed to get physical interface data '{}'".format( api_res.data))
def main(): # getting details from the user api_server = raw_input("Enter server IP address or hostname:") username = raw_input("Enter username: "******"Enter password: "******"Attention! Your password will be shown on the screen!") password = raw_input("Enter password: "******"hostname value to be defined:") client_args = APIClientArgs(server=api_server, api_version="1", unsafe=True, context="gaia_api") with APIClient(client_args) as client: # login to server: login_res = client.login(username, password) if login_res.success is False: print("Login failed: {}".format(login_res.error_message)) exit(1) # request to show hostname api_res = client.api_call("show-hostname", {}) if api_res.success: print("Hostname is '{}'".format(api_res.data["name"])) else: print("Failed to get hostname '{}'".format(api_res.data)) # request to set hostname api_res = client.api_call("set-hostname", {"name": hostname}) if api_res.success: print("Hostname name changed to '{}'".format(api_res.data["name"])) else: print("Failed to get hostname '{}'".format(api_res.data))
def main(): # Try / Catch to get exceptions regarding # excel file connections and # checkpoint api client initialization try: # Logger configurations logger_config() # Read data from file dataframe = pd.read_excel(settings.object_data_path) # Since blank cells return 'nan' instead of empty string # we replace all 'nan' with an empty string dataframe = dataframe.fillna("") # Initialize the SMS session client_args = APIClientArgs(server=settings.sms_ip, api_version=settings.api_version) with APIClient(client_args) as client: # Login to SMS: login_res = client.login(settings.sms_username, settings.sms_password) # If login is not successful, raise an error message. if login_res.success is False: raise Exception(Const.ERROR_LOGIN_FALED) else: # Displays a message that we # successfully connected to the sms display( Const.MESSAGE_CONNECTION_SMS_SUCCESSFULL.format( settings.sms_ip)) access_rules = [] # Iterate through each row # in the excel table # Index is not used here but should # NOT BE REMOVED for index, row in dataframe.iterrows(): object_name = row["Object Name"] # Make an API call to fetch # basic rule details where the object # is being used policy_rules_dict = fetch_basic_rule(client, object_name) if policy_rules_dict != None: # Make multiple API calls for each access rules in each # policy returned a_rules = fetch_access_rules(client, policy_rules_dict, object_name) if a_rules != None: # Extend the list access_rules.extend(a_rules) if access_rules != None: # Export access rules export_rules(access_rules) except Exception as e: # Prints the error message display(Const.ERROR_INTERNAL.format(e)) exit(1)
def main(): # getting details from the user api_server = input("Enter server IP address or hostname:") username = input("Enter username: "******"Enter password: "******"Attention! Your password will be shown on the screen!") password = input("Enter password: "******"api_calls.json" # The API client, would look for the server's certificate SHA1 fingerprint in a file. # If the fingerprint is not found on the file, it will ask the user if he accepts the server's fingerprint. # In case the user does not accept the fingerprint, exit the program. if client.check_fingerprint() is False: print( "Could not get the server's fingerprint - Check connectivity with the server." ) exit(1) # login to server: login_res = client.login(username, password) if login_res.success is False: print("Login failed:\n{}".format(login_res.error_message)) exit(1) # show hosts print("Processing. Please wait...") show_hosts_res = client.api_query("show-hosts", "standard") if show_hosts_res.success is False: print("Failed to get the list of all host objects:\n{}".format( show_hosts_res.error_message)) exit(1) # obj_dictionary - for a given IP address, get an array of hosts (name, unique-ID) that use this IP address. obj_dictionary = {} # dup_ip_set - a collection of the duplicate IP addresses in all the host objects. dup_ip_set = set() for host in show_hosts_res.data: ipaddr = host.get("ipv4-address") if ipaddr is None: print(host["name"] + " has no IPv4 address. Skipping...") continue host_data = {"name": host["name"], "uid": host["uid"]} if ipaddr in obj_dictionary: dup_ip_set.add(ipaddr) obj_dictionary[ipaddr] += [host_data ] # '+=' modifies the list in place else: obj_dictionary[ipaddr] = [host_data] # print list of duplicate IP addresses to the console print("\n") print("List of Duplicate IP addresses: ") print("------------------------------- \n") if len(dup_ip_set) == 0: print("No hosts with duplicate IP addresses") # for every duplicate ip - print hosts with that ip: for dup_ip in dup_ip_set: print("\nIP Address: " + dup_ip + "") print("----------------------------------") for obj in obj_dictionary[dup_ip]: print(obj["name"] + " (" + obj["uid"] + ")")
def main(argv): # Initialize arguments global_domain = "Global" auto_assign = False if argv: parser = argparse.ArgumentParser() parser.add_argument("-s", type=str, action="store", help="Server IP address or hostname", dest="server") parser.add_argument("-u", type=str, action="store", help="User name", dest="username") parser.add_argument("-p", type=str, action="store", help="Password", dest="password") parser.add_argument("-o", type=str, action="store", help="Original host IP", dest="origin_ip") parser.add_argument("-n", type=str, action="store", help="New host name", dest="new_name") parser.add_argument("-m", type=str, action="store", help="New host IP", dest="new_ip") parser.add_argument("-g", type=str, action="store", help="Global domain name", dest="global_name") parser.add_argument("-a", action="store_true", default=False, help="Indicates that the script will do assign of global domain") args = parser.parse_args() required = "server username password origin_ip new_name new_ip".split() for r in required: if args.__dict__[r] is None: parser.error("parameter '%s' required" % r) server = args.server username = args.username password = args.password orig_host_ip = args.origin_ip cloned_host_name = args.new_name cloned_host_ip = args.new_ip auto_assign = args.a if args.global_name is not None: global_domain = args.global_name else: server = raw_input("Enter server IP address or hostname:") username = raw_input("Enter username: "******"Enter password: "******"Attention! Your password will be shown on the screen!") password = raw_input("Enter password: "******"Enter host IP address: ") cloned_host_name = raw_input("Enter new host name: ") cloned_host_ip = raw_input("Enter new host server IP :") global_domain_input = raw_input("Enter global domain name in case of MDS server: [In order to use the default " "value ('Global') or in case of CMA hit 'Enter']") if global_domain_input != "": global_domain = global_domain_input auto_assign_input = raw_input("Enter 'True' if you want the script to do " "assign of the global domain [In order to use the default value " "('False') hit 'Enter']") if auto_assign_input != "" and auto_assign_input == "True": auto_assign = auto_assign_input with APIClient(APIClientArgs(server=server)) as client: # Creates debug file. The debug file contains all the communication # between the python script and Check Point's management server. client.debug_file = "api_calls.json" global log_file log_file = open('logfile.txt', 'w+') # The API client, would look for the server's certificate SHA1 fingerprint in a file. # If the fingerprint is not found on the file, it will ask the user if he # accepts the server's fingerprint. # In case the user does not accept the fingerprint, exit the program. log("\n\tChecking the fingerprint for server {}...".format(server)) if client.check_fingerprint() is False: write_message_close_log_file_and_exit("Could not get the server's fingerprint" " - Check connectivity with the server.") # login to server log("\n\tLogging in to server {}...".format(server)) login_res = client.login(username, password) if login_res.success is False: write_message_close_log_file_and_exit("Login failed:\n{}".format(login_res.error_message)) # show session details in order to check if the server is MDS log("\n\tVerifying the type of server {}...".format(server)) session_res = client.api_call("show-session", {}, login_res.data["sid"]) if session_res.success is False: write_message_close_log_file_and_exit("Login failed:\n{}".format(session_res.error_message)) # the server is not MDS, perform clone host only on the this server if session_res.data["domain"]["domain-type"] != "mds": log("\n\tLogged into SM server {}".format(server)) find_host_by_ip_and_clone(client, orig_host_ip, cloned_host_name, cloned_host_ip) # the server is MDS, run clone host on each of the existing domains else: log("\n\tLogged into MD server {}".format(server)) client_domain = APIClient(APIClientArgs(server=server)) client_domain.debug_file = "api_domain_calls.json" try: # handle global domain log("\n\tChecking on Global Domain...") handle_global_domain(client, username, password, client_domain, global_domain, auto_assign, orig_host_ip, cloned_host_name, cloned_host_ip) # get list of domains domains = client.api_query("show-domains") if domains.success is False: discard_write_to_log_file(client, "Failed to get the domains data:\n{}".format(domains.error_message)) # login out the MDS server client.api_call("logout", {}) log_file.close() exit(1) # go over all the existing domains for domain in domains.data: log("\n\tChecking on Local Domain {}".format(domain["name"])) handle_local_domain(client_domain, domain, username, password, orig_host_ip, cloned_host_name, cloned_host_ip) finally: client_domain.save_debug_data() # close the log file log_file.close()
def main(): # Login to the Server # getting details from the support files # with open('./auth/mycpapi.json') as json_file: server = json.load(json_file) api_server = server['chkp']['host'] with open('./auth/mycpauth.json') as json_file: auth = json.load(json_file) username = auth['user'] password = auth['password'] client_args = APIClientArgs(server=api_server) with APIClient(client_args) as client: # create debug file. The debug file will hold all the communication between the python script and # Check Point's management server. client.debug_file = "api_calls.json" # The API client, would look for the server's certificate SHA1 fingerprint in a file. # If the fingerprint is not found on the file, it will ask the user if he accepts the server's fingerprint. # In case the user does not accept the fingerprint, exit the program. if client.check_fingerprint() is False: print("Could not get the server's fingerprint - Check connectivity with the server.") exit(1) # login to server: login_res = client.login(username, password) # print(login_res.data.get("sid")) # sid = login_res.data.get("sid") # print(sid) if login_res.success is False: print("Login failed:\n{}".format(login_res.error_message)) exit(1) ### Actual Code Starts here ### mycmd = 'set-session' myobj = {} myobj['description'] = "Session Description" myobj['new-name'] = "New Session Name" session_res = client.api_call(mycmd, myobj) with open('./host.json') as json_file: myfile = json.load(json_file) # print(myfile['remove']) removearr = myfile['remove'] print("Entering Set-Group") cmd = 'set-group' if removearr[cmd]: for group in removearr[cmd]: cmddata = {} cmddata['name'] = group['name'] cmddata['details-level'] = "uid" show_group_res = client.api_call("show-group", cmddata) show_group = show_group_res.data if len(show_group['members']) > 1: cmddata['members'] = group['members'] cmddata['details-level'] = "standard" print("set-group ", cmddata) set_group_res = client.api_call(cmd, cmddata) if set_group_res.success is False: print("Setting Group Failed:\n{}".format(set_group_res.error_message)) exit(1) # removecmd_res = client.api_call(cmd, cmddata) # print(removecmd_res.data) cmddata['members'] = {'add': group['members']['remove']} print("RESTORE: set-group", cmddata) tmplist = [cmd, cmddata] myfile['restore'].insert(0, tmplist) else: print("Only member, might as well clean up group") print("Exit Set-Group") print("Entering Set-Access-Rule") if removearr['set-access-rule']: for rule in removearr['set-access-rule']: cmddata = {} cmddata['layer'] = rule['layer'] cmddata['uid'] = rule['uid'] cmddata['details-level'] = "uid" show_access_rule_res = client.api_call("show-access-rule", cmddata) cmd = "set-access-rule" cmddata['details-level'] = "standard" if 'destination' in rule: if len(show_access_rule_res.data['destination']) > 1: cmddata['destination'] = rule['destination'] print(cmd, cmddata) set_access_rule_res = client.api_call(cmd, cmddata) if set_access_rule_res.success is False: print("Setting Access Rule Failed:\n{}".format(set_access_rule_res.error_message)) exit(1) cmddata['destination'] = {'add': rule['destination']['remove']} print("RESTORE: ", cmd, " ", cmddata) tmplist = [cmd, cmddata] myfile['restore'].insert(0, tmplist) else: print("rule has no more destinations, disable") if 'source' in rule: if len(show_access_rule_res.data['source']) > 1: cmddata['source'] = rule['source'] print(cmd, cmddata) set_access_rule_res = client.api_call(cmd, cmddata) if set_access_rule_res.success is False: print("Setting Access Rule Failed:\n{}".format(set_access_rule_res.error_message)) exit(1) cmddata['source'] = {'add': rule['source']['remove']} print("RESTORE: ", cmd, " ", cmddata) tmplist = [cmd, cmddata] myfile['restore'].insert(0, tmplist) else: print("rule has no more sources, disable") print("Exiting Set-Access-Rule") cmd = "delete-host" print("Entering ", cmd) if removearr[cmd]: for host in removearr[cmd]: cmddata = {} cmddata['name'] = host['name'] print(cmd, cmddata) show_host_res = client.api_call('show-host', cmddata) if show_host_res.success is False: print("Show host Failed:\n{}".format(delete_host_res.error_message)) exit(1) delete_host_res = client.api_call(cmd, cmddata) if delete_host_res.success is False: print("Delete Host Failed:\n{}".format(delete_host_res.error_message)) exit(1) host = show_host_res.data cmd = "add-host" data = {} data['name'] = host['name'] data['ipv4-address'] = host['ipv4-address'] data['color'] = host['color'] data['comments'] = host['comments'] if 'host-servers' in host: data['host-servers'] = host['host-servers'] print("the restore data is: ", data) tmplist = [cmd, data] myfile['restore'].insert(0, tmplist) print(myfile['restore']) print("Exiting ", cmd) res = client.api_call("publish", {}) if res.success is False: discard_write_to_log_file(api_client, "Publish failed. Error:\n{}\nAborting all changes.".format(res.error_message)) return False client.api_call("logout", {}) myfile_pretty = json.dumps(myfile, indent=2) with open('host.json', 'w') as outfile: outfile.write(myfile_pretty)
debug = None log_file = None output_file = None client = None if __name__ == "__main__": arg_parser = argparse.ArgumentParser(description="R80.X Policy Package Export/Import Tool, V3.0") args = process_arguments(arg_parser) args_for_client = APIClientArgs(server=args.management, port=args.port, sid=args.session_id, debug_file=log_file, api_version=args.version, proxy_host=args.proxy, proxy_port=args.proxy_port, unsafe=args.unsafe, unsafe_auto_accept=args.unsafe_auto_accept) with APIClient(args_for_client) as client: if args.login == '1': login_reply = client.login(username=args.username, password=args.password, domain=args.domain, payload={"read-only": "true" if args.operation == "export" else "false"}) handle_login_fail(not login_reply.success, "Login to management server failed. " + str(login_reply)) elif args.login == '2': client.login_as_root(domain=args.domain) elif args.login == '3': client.sid = extract_sid_from_session_file(args.session_file) handle_login_fail(not client.sid, "Could not extract SID form Session-File!") test_reply = client.api_call("show-hosts", {"limit": 1}) handle_login_fail(not test_reply.success, "Extract SID is invalid!") elif args.login == '4': test_reply = client.api_call("show-hosts", {"limit": 1})
def process_args_and_login(parser=None, client=None, showparameter=None, fields=None): # initializing command line arguments and variables to be used later args = args_initializer(parser=parser, param=showparameter) global debug global log_file if not showparameter: showparameter = args.showparameter[0] if args.showparameter else None if not fields: try: fields = { "whitelist": args.fields, "blacklist": [], "translate": [] } except AttributeError: fields = {"whitelist": [], "blacklist": [], "translate": []} management = args.management[0] if args.management else None domain = args.domain[0] if args.domain else None debug = None log_file = None if args.debug[0] == "on": debug = True if (debug or __debug__) and args.log_file is not None: try: log_file = open(args.log_file, "wb") except IOError: debug_log( "Could not open given log file for writing, sending debug information to stderr." ) # open the output file if given one output_file = open(args.output[0], "wb") if args.output else None output_file_format = args.format[0].lower() user_created = (args.user_created[0].lower() == "true") if args.user_created else True # trying to get login credentials username, password, session_id = get_login_credentials( args.username[0] if args.username else None, args.password[0] if args.password else None, args.session_id[0] if args.session_id else None, args.session_file[0] if args.session_file else None, args.root[0] if args.root else None) debug_log( "Got the following login credentials:\n Username: {0}\n Password: {1}\n Session ID: {2}" .format(username, '*' * len(password) if password else None, session_id)) if not args.root or args.root[0] == "true": unsafe = (args.unsafe[0] == "true") unsafe_auto_accept = (args.unsafe_auto_accept[0] == "true") if not client: client = APIClient(APIClientArgs(server=management)) if unsafe or (unsafe_auto_accept and validate_fingerprint_without_prompt( client, management, auto_accept=unsafe_auto_accept) ) or client.check_fingerprint(): login(client, management, domain, username, password, session_id) else: raise APIClientException( "The server's fingerprint is different than your local record of it. The script cannot operate in this unsecure manner (unless running with --unsafe). Exiting..." ) else: login(client, management, domain, session_id=session_id, username=None, password=None) return output_file, output_file_format, user_created, client, args
class CP: """ Wrapper for APIClientArgs, APIClient Parameter: ip-addr mgmgt, username, password, optional domain,port """ def __init__(self, ipaddr, username, password, domain=None, port="443"): self.api_server = ipaddr self.username = username self.password = password self.port = port #self.urlbase = "https://{ipaddr}:{port}/".format(ipaddr=self.ipaddr,port=self.port) #self.timeout = timeout if domain: self.domain = domain client_args = APIClientArgs(server=self.api_server, port=self.port) self.client = APIClient(client_args) if self.client.check_fingerprint() is False: print( "Could not get the server's fingerprint - Check connectivity with the server." ) exit(1) # login to server: if domain: login_res = self.client.login(self.username, self.password, False, self.domain) else: login_res = self.client.login(self.username, self.password) if login_res.success is False: print("Login failed:\n{}".format(login_res.error_message)) exit(1) # getting details from the user def add_rule(self, mydict): """ add rule Parameter: name, payload """ # add a rule to the top of the "Network" layer #add_rule_response = self.client.api_call("add-access-rule", # {"name": rule_name, "layer": "Network", "position": "top"}) response = self.client.api_call("add-access-rule", mydict) if response.success: print("The rule: '{}' has been added successfully".format( mydict['name'])) return (response) else: return (-1) def get_hosts(self): """ get hosts parameter: none returns list of hosts """ list_of_hosts = [] for x in range(100): # max 5000 hosts offset = x * 500 response = self.client.api_call("show-hosts", { "limit": 500, "offset": offset, "details-level": "standard" }) #pprint.pprint(response) if response.success: #print (len(response.as_dict())) mydict = response.as_dict() tmp_list_of_hosts = mydict['data']['objects'] list_of_hosts = list_of_hosts + tmp_list_of_hosts counthosts = len(tmp_list_of_hosts) if counthosts < 500: break return (list_of_hosts) def add_host(self, name, ipaddr): """ add host Parameter: name, ipaddr """ response = self.client.api_call( "add-host", { "name": name, "ip-address": ipaddr, 'set-if-exists': True, 'ignore-warnings': True }) #pprint.pprint(response) if response.success: #print (len(response.as_dict())) print("host: {} added successfull".format(name)) return (0) else: return (-1) def add_network(self, name, subnet, subnetmask): """ add netork object Parameter: name, subnet, subnetmask """ response = self.client.api_call("add-network", { 'name': name, 'subnet': subnet, 'subnet-mask': subnetmask }) #pprint.pprint(response) if response.success: #print (len(response.as_dict())) print("network: {} added successfull".format(name)) return (0) else: return (-1) def add_service_tcp(self, name, port): """ add service tcp Parameter: name,port """ response = self.client.api_call( "add-service-tcp", { "name": name, "port": port, 'set-if-exists': False, 'match-for-any': False }) #pprint.pprint(response) if response.success: #print (len(response.as_dict())) print("service: {} added successfull".format(name)) return (0) else: return (-1) def add_service_udp(self, name, port): """ add service udp Parameter: name,port """ response = self.client.api_call( "add-service-udp", { "name": name, "port": port, 'set-if-exists': False, 'match-for-any': False }) #pprint.pprint(response) if response.success: #print (len(response.as_dict())) print("service: {} added successfull".format(name)) return (0) else: return (-1) def get_networks(self): """ returns list of networks """ list_of_networks = [] for x in range(100): # max 5000 hosts offset = x * 500 response = self.client.api_call("show-networks", { "limit": 500, "offset": offset, "details-level": "standard" }) #pprint.pprint(response) if response.success: #print (len(response.as_dict())) mydict = response.as_dict() num_networks = mydict['data']['total'] #print (mydict) tmp_list_of_networks = mydict['res_obj']['data']['objects'] list_of_networks = list_of_networks + tmp_list_of_networks count = len(tmp_list_of_networks) if count < 500: break return (list_of_networks) def get_services_tcp(self): """ returns list of tcp services """ list_of_services = [] for x in range(100): # max 5000 hosts offset = x * 500 response = self.client.api_call("show-services-tcp", { "limit": 500, "offset": offset, "details-level": "standard" }) #pprint.pprint(response) if response.success: #print (len(response.as_dict())) mydict = response.as_dict() num_networks = mydict['data']['total'] #print (mydict) tmp_list_of_services = mydict['res_obj']['data']['objects'] list_of_services = list_of_services + tmp_list_of_services count = len(tmp_list_of_services) if count < 500: break return (list_of_services) def get_services_udp(self): """ returns list of udp services """ list_of_services = [] for x in range(100): # max 50000 offset = x * 500 response = self.client.api_call("show-services-udp", { "limit": 500, "offset": offset, "details-level": "standard" }) #pprint.pprint(response) if response.success: #print (len(response.as_dict())) mydict = response.as_dict() num_networks = mydict['data']['total'] #print (mydict) tmp_list_of_services = mydict['res_obj']['data']['objects'] list_of_services = list_of_services + tmp_list_of_services count = len(tmp_list_of_services) if count < 500: break return (list_of_services) def get_policy_packages(self): """ POST {{server}}/show-packages Content-Type: application/json X-chkp-sid: {{session}} { "limit" : 50, "offset" : 0, "details-level" : "standard" } returns list of policy packages """ response = self.client.api_call("show-packages", { "limit": 50, "offset": 0, "details-level": "standard" }) if response.success: #print (len(response.as_dict())) mydict = response.as_dict() tmp_list = mydict['res_obj']['data']['packages'] return (tmp_list) def commit(self): """ commit changes on management """ response = self.client.api_call("publish", {}) if response.success: print("The changes were published successfully.") return (0) else: print("Failed to publish the changes.") return (-1) def call_api(self, call, item=None): """ Wrapper for api_call callnmae e.g add-host payload e.g {"name":"test123", "ip-address": "1.2.3.4"} """ if (item == None): response = self.client.api_call(call) else: response = self.client.api_call(call, item) if response.success: print("The call was successfull.") return (response) else: print("The call failed") return (response) def logout(self): """ logout of management """ response = self.client.api_call("logout") if response.success: print("Logout was successfull.") return (0) else: print("Logout failed") return (-1) def get_host_dict(self): """ returns dictionary of hosts, index is IP-Address """ mylist = self.get_hosts() obj_dictionary = {} for host in mylist: ipaddr = host.get("ipv4-address") if ipaddr is None: print(host["name"] + " has no IPv4 address. Skipping...") continue host_data = {"name": host["name"], "uid": host["uid"]} if ipaddr in obj_dictionary: obj_dictionary[ipaddr] += [host_data ] # '+=' modifies the list in place else: obj_dictionary[ipaddr] = [host_data] return obj_dictionary def get_network_dict(self): """ returns dictionary of networks, index is subnet """ obj_dictionary = {} mylist = self.get_networks() for network in mylist: subnet = network.get("subnet4") if subnet is None: continue else: netmask = network.get("subnet-mask") network_data = { "name": network["name"], "uid": network["uid"], "subnet4": network["subnet4"], "subnet-mask": network["subnet-mask"] } if subnet in obj_dictionary: obj_dictionary[subnet] += [network_data] else: obj_dictionary[subnet] = [network_data] return (obj_dictionary) def get_tcp_services_dict(self): """ returns dictionary of tcp services, index is Name """ obj_dictionary = {} mylist = self.get_services_tcp() """ {'uid': '24de2cde-dfcd-4c9b-9124-492ac4bedba7', 'name': 'Xanadu', 'type': 'service-tcp', 'domain': {'uid': 'a0bbbc99-adef-4ef8-bb6d-defdefdefdef', 'name': 'Check Point Data', 'domain-type': 'data domain'}, 'port': '1031'} """ for service in mylist: port = service.get("port") name = service.get("name") if port is None: continue service_data = { "name": service["name"], "uid": service["uid"], "port": service["port"] } if name in obj_dictionary: obj_dictionary[name] += [service_data] else: obj_dictionary[name] = [service_data] return (obj_dictionary) def get_udp_services_dict(self): """ returns dictionary of udp services, index is Name """ obj_dictionary = {} mylist = self.get_services_udp() """ {'uid': '24de2cde-dfcd-4c9b-9124-492ac4bedba7', 'name': 'Xanadu', 'type': 'service-tcp', 'domain': {'uid': 'a0bbbc99-adef-4ef8-bb6d-defdefdefdef', 'name': 'Check Point Data', 'domain-type': 'data domain'}, 'port': '1031'} """ for service in mylist: port = service.get("port") name = service.get("name") if port is None: continue service_data = { "name": service["name"], "uid": service["uid"], "port": service["port"] } if name in obj_dictionary: obj_dictionary[name] += [service_data] else: obj_dictionary[name] = [service_data] return (obj_dictionary)
def add(): username, password = util.get_credentials_access() client_args = APIClientArgs() with APIClient(client_args) as client: # The API client, would look for the server's certificate SHA1 fingerprint in a file. # If the fingerprint is not found on the file, it will ask the user if he accepts the server's fingerprint. # In case the user does not accept the fingerprint, exit the program. if client.check_fingerprint() is False: print( "Could not get the server's fingerprint - Check connectivity with the server." ) exit(1) # login to server: login_res = client.login(username, password) if login_res.success is False: print("Login failed:\n{}".format(login_res.error_message)) exit(1) session_id = login_res.data['uid'] for i in range(4): for j in range(1, 251): ip_address = '13.0.' + str(i) + '.' + str(j) host = {"name": 'H-' + ip_address, "ip-address": ip_address} add_host_response = client.api_call("add-host", host) if add_host_response.success: print("The host: '{}' has been added successfully".format( add_host_response.data["name"])) else: print("Failed to add-host: '{}', Error:\n{}".format( ip_address, add_host_response.error_message)) subnet = '103.' + str(i) + '.' + str(j) + '.0' network = { "name": 'N-' + subnet + '_24', "subnet": subnet, "subnet-mask": "255.255.255.0" } add_network_response = client.api_call("add-network", network) if add_network_response.success: print( "The network: '{}' has been added successfully".format( add_network_response.data["name"])) else: print("Failed to add-network: '{}', Error:\n{}".format( subnet, add_network_response.error_message)) print( "Now, publishing the result ... REMEMBER session_id: {}!!!".format( session_id)) # publish the result publish_res = client.api_call("publish", {}) if publish_res.success: print("The changes were published successfully.") else: print("Failed to publish the changes.")
def run(self): Responder.run(self) data = self.get_param("data.data") try: data = ipaddress.ip_address(data) except ValueError: self.error("{} is not a valid ip".format(data)) for excl in self.exclusions: try: excl = ipaddress.ip_address(excl) if data == excl: self.error("{} in exclusions".format(data)) except ValueError: try: excl = ipaddress.ip_network(excl) if data in excl: self.error("{} in exclusions".format(data)) except ValueError: continue data = str(data) return_dict = {} with APIClient(self.client_args) as client: login = client.login(self.username, self.password) if not login.success: self.error("Login failed!") if self.service == "lock": # Check if group exists get_group_response = client.api_call("show-group", {"name": self.group_name}) if not get_group_response.success: # if no create it add_group_response = client.api_call( "add-group", {"name": self.group_name}) if not add_group_response.success: self.error("Error during group creation: {}".format( add_group_response.error_message)) else: client.api_call("publish", {}) return_dict["group_created"] = True else: return_dict["group_created"] = False # Check if host exists get_host_response = client.api_call("show-host", {"name": data}) if not get_host_response.success: return_dict["host_created"] = True # Create host from ip add_host_response = client.api_call( "add-host", { "name": data, "ip-address": data, "comments": "From TheHive responder", }, ) if not add_host_response.success: self.error("Error during host creation: {}".format( add_host_response.error_message)) else: client.api_call("publish", {}) return_dict["host_created"] = False # Add observable to group response = client.api_call( "set-group", { "name": self.group_name, "members": { "add": data } }, ) if not response.success: self.error("Error adding host to group: {}".format( response.error_message)) else: # COMMIT CHANGES client.api_call("publish", {}) return_dict["Success"] = True elif self.service == "unlock": # Check if host exists get_host_response = client.api_call("show-host", {"name": data}) if not get_host_response.success: self.error("Host doen't exists: {}".format( get_host_response.error_message)) # Remove observable from group response = client.api_call( "set-group", { "name": self.group_name, "members": { "remove": data } }, ) if not response.success: self.error("Error removing host from group: {}".format( response.error_message)) else: # COMMIT CHANGES client.api_call("publish", {}) return_dict["Success"] = True self.report({"message": return_dict})
def main(): # Login to the Server # getting details from the support files # with open('./auth/mycpapi.json') as json_file: server = json.load(json_file) api_server = server['chkp']['host'] with open('./auth/mycpauth.json') as json_file: auth = json.load(json_file) username = auth['user'] password = auth['password'] client_args = APIClientArgs(server=api_server) with APIClient(client_args) as client: # create debug file. The debug file will hold all the communication between the python script and # Check Point's management server. client.debug_file = "api_calls.json" # The API client, would look for the server's certificate SHA1 fingerprint in a file. # If the fingerprint is not found on the file, it will ask the user if he accepts the server's fingerprint. # In case the user does not accept the fingerprint, exit the program. if client.check_fingerprint() is False: print("Could not get the server's fingerprint - Check connectivity with the server.") exit(1) login_res = client.login(username, password) if login_res.success is False: print("Login failed:\n{}".format(login_res.error_message)) exit(1) ### Actual Code Starts here ### if len(sys.argv) == 1: res = client.api_call("show-sessions", {"details-level": "full"}) openchanges = False for session in res.data['objects']: if session['changes'] > 0: print(session['user-name'], " has ", session['changes'], " changes open and is UID: ", session['uid']) openchanges = True if openchanges == False: print("No sessions with changes pending") elif len(sys.argv) > 1: sessionid = sys.argv[1] client.api_call("switch-session", {"uid": sessionid}) res = client.api_call("publish", {}) if res.success is False: discard_write_to_log_file(api_client, "Publish failed. Error:\n{}\nAborting all changes.".format(res.error_message)) return False client.api_call("logout", {})
def main(): # Try / Catch to get exceptions regarding # excel file connections and # checkpoint api client initialization try: # Logger configurations logger_config() # Get settings from Settings class settings = Settings() # Read data from file dataframe = pd.read_excel(settings.object_data_path) # Since blank cells return 'nan' instead of empty string # we replace all 'nan' with an empty string dataframe = dataframe.fillna("") # Initialize the SMS session client_args = APIClientArgs(server=settings.sms_ip, api_version=settings.api_version) with APIClient(client_args) as client: # Try / Catch to get exceptions regarding # all checkpoint operations try: # Login to SMS: login_res = client.login(settings.sms_username, settings.sms_password) # If login is not successful, raise an error message. if login_res.success is False: raise Exception(Const.ERROR_LOGIN_FALED) else: # Displays a message that we # successfully connected to the sms display( Const.MESSAGE_CONNECTION_SMS_SUCCESSFULL.format( settings.sms_ip)) # Iterate through each row # in the excel table # Index is not used here but should # NOT BE REMOVED for index, row in dataframe.iterrows(): object_name = row["Object Name"] object_ip = row["Object IP"] object_groups = str(row["Object Groups"]).split(";") # Creates the object # and returns an Object object object_created = create_object(client, object_name, object_ip) # Assign object to group object_assignment(client, object_created, object_groups) # Publish the session publish(client) except Exception as e: # Prints the error message # and starts discarding the session display(Const.ERROR_INTERNAL.format(e)) display(Const.MESSAGE_SESSION_DISCARDING) # Discard the active session discard(client) exit(1) except Exception as e: # Prints the error message display(Const.ERROR_INTERNAL.format(e)) exit(1)
def add(): username, password = util.get_access_credentials() client_args = APIClientArgs() with APIClient(client_args) as client: # The API client, would look for the server's certificate SHA1 fingerprint in a file. # If the fingerprint is not found on the file, it will ask the user if he accepts the server's fingerprint. # In case the user does not accept the fingerprint, exit the program. if client.check_fingerprint() is False: print( "Could not get the server's fingerprint - Check connectivity with the server." ) exit(1) # login to server: login_res = client.login(username, password) if login_res.success is False: print("Login failed:\n{}".format(login_res.error_message)) exit(1) session_id = login_res.data['uid'] rule_name = "WEB_API-RULE" for index_port in range(_PORT, _PORT + 3000): source = 'NG-1' destination = 'NG-2' # add a rule to the top of the "Network" layer add_rule_response = client.api_call( "add-access-rule", { "name": rule_name, "layer": "Network", "source": source, "destination": destination, "action": "Accept", "service": 'TCP-' + str(index_port), "track": { "type": "Log" }, "position": "top" }) if add_rule_response.success: print("Rule for port '{}' has been added successfully".format( index_port)) else: print("Failed to add the access-rule: '{}', Error:\n{}".format( rule_name, add_rule_response.error_message)) print("[{}] {}: {}".format(add_rule_response.status_code, add_rule_response.data['code'], add_rule_response.data['message'])) print( "Now, publishing the result ... REMEMBER session_id: {}!!!".format( session_id)) # publish the result response = client.api_call("publish", {}) if response.success: print("The changes were published successfully.") else: print("Failed to publish the changes.") print("Now, validating the policy ...") # Verifies the policy package response = client.api_call("verify-policy", {"policy-package": "standard"}) if response.success: print("The rule were verified successfully.\n{}".format( response.data)) else: print("Failed to publish the changes.")
def main(): # getting details from the user results = argpar.parse_args() api_server = results.management user = results.username password = results.password port = results.port gdomain = results.globaldomain if not user: user = input("Username:"******"Management IP:") if not password: password = getpass.getpass("Enter password: "******"Global domain name:") client_args = APIClientArgs(server=api_server) with APIClient(client_args) as client: if client.check_fingerprint() is False: print( "Could not get the server's fingerprint - Check connectivity with the server." ) exit(1) login_res = client.login(user, password) if login_res.success is False: print("Login failed: {}".format(login_res.error_message)) exit(1) objects_dict = dict() obj_type = ["group", 'network', 'host', 'address-range'] # obj_type = ["group"] domains = client.api_query("show-domains") client.api_call("logout") domains_list = list() for domain in domains.data: domains_list.append(domain['name']) print(domains_list) login_res = client.login(user, password, domain=gdomain) if login_res.success is False: print("Login failed: {}".format(login_res.error_message)) exit(1) for obj_typ in obj_type: list_all = dict() print("Working on: ", obj_typ) global_type = client.api_query("show-" + obj_typ + "s", "standard") print("Total amount: ", global_type.data.__len__()) for item in global_type.data: list_all[item['uid']] = [item['name'], item['domain']['name']] objects_dict[obj_typ] = list_all domain = "global" for k, v in objects_dict.items(): fout = open(domain + "_" + k + ".csv", 'w') for x, y in v.items(): fout.write("{};{}\r".format(x, y)) fout.close() client.api_call("logout") results_csv = open('results.csv', 'w') results_csv.write(obj_typ + ",occurencies,object_name,uid\r") usage_obj_counter_result = list() for domain in domains_list: for obj_typ, type_objects in objects_dict.items(): usage_obj_counter = where_global_used(client, user, password, type_objects, domain) print("done with ", obj_typ, "on", domain) usage_obj_counter_result += usage_obj_counter summary = (Counter(usage_obj_counter_result)) for uid, hitcount in summary.items(): if hitcount > (len(domains_list) - 2): if type_objects.get(uid): cli_command = "delete {} uid {}".format( obj_typ, uid) results_csv.write(obj_typ + "," + str(hitcount) + "," + type_objects[uid][0] + "," + uid + "," + cli_command + "\r") results_csv.close()
def main(): global DATETIME_NOW print() # Store output file information, will be serialize to JSON file plan = {} # Parse user arguments user_args = parse_arguments() client_args = APIClientArgs(server=user_args.management, port=user_args.port) with APIClient(client_args) as client: # The API client, would look for the server's certificate SHA1 fingerprint in a file. # If the fingerprint is not found on the file, it will ask the user if he accepts the server's fingerprint. # In case the user does not accept the fingerprint, exit the program. if client.check_fingerprint() is False: print_msg("Could not get the server's fingerprint - Check connectivity with the server.") exit(1) # Login to server, (read-only in non-apply operations) login(user_args, client) # Get global thresholds (disable & delete) global_thresholds = get_global_thresholds() # Check if running on MDS and didn't supply domain check_validation_for_mds(client, user_args.domain) # Plan if is_plan(user_args): print_msg("Plan") # Store list of all packages information that we should run on plan['packages'] = packages_to_run(user_args.package, client) # If management hit count flag in off, hits won't be counted - exit mgmt_hitcount_on(client, plan['packages'][0]["domain"]) # Pre-processing to calculate all invalid targets print_msg("Validate targets") valid_targets = valid_packages_targets(plan['packages'], client) groups = get_groups(client) for package in plan.get('packages'): # Skip invalid packages (all installation targets are invalid) if validate_package(package, valid_targets) is False: continue print_msg("Package {}".format(package['name'])) # Loop over policy layers for layer in package.get('access-layers'): print_msg(" Layer {}".format(layer['name'])) # Skip invalid layers (global layers) if validate_layer(layer) is False: continue layer['skipped-rules'] = [] layer['disable-rules'] = [] layer['delete-rules'] = [] sub_dictionary = {} show_access_rulebase_res = show_access_rulebase(layer, client) object_dictionary_as_map = get_object_dictionary(show_access_rulebase_res) # Get full rule-base as a list of rules rulebase = get_rulebase(show_access_rulebase_res) if rulebase is None: continue # Loop over layer rules for rule in rulebase: # Rule is enabled if rule.get('enabled') is True: # Skip rule with invalid target in install-on list OR rule modify after installation if validate_rule(rule, package, valid_targets, client, groups) is False: if 'skipped-reason' in rule: layer['skipped-rules'].append(rule) continue # Check if rule should be disabled - no hits for too long if rule_should_be_disabled(rule, global_thresholds) is True: objects_of_rule_to_add = get_objects_of_rule_from_objects_dictionary(rule, object_dictionary_as_map) sub_dictionary = add_to_sub_dictionary(objects_of_rule_to_add, sub_dictionary) # Add to plan that the rule should be disabled layer['disable-rules'].append(rule) # Rule is disabled else: # check if the rule should be deleted - disabled too long if rule_should_be_deleted(rule, global_thresholds) is True: objects_of_rule_to_add = get_objects_of_rule_from_objects_dictionary(rule, object_dictionary_as_map) sub_dictionary = add_to_sub_dictionary(objects_of_rule_to_add, sub_dictionary) # Add to plan that the rule should be deleted layer['delete-rules'].append(rule) layer['objects-dictionary'] = parse_sub_objects_dictionary_map_to_list_of_value(sub_dictionary) summary = {}; plan = build_output_structure(plan, summary, user_args.operation) if valid_targets['packages-targets']: print_summary(summary) # Write plan to log file in JSON format write_plan_json(plan, user_args.output_file) print_msg('Plan process has finished.\n') print_msg('The output file in: {}'.format(os.path.abspath(user_args.output_file))) # Get plan-file path as argument else: plan = read_plan_json(user_args.import_plan_file) # Apply plan only when the operation is apply/apply_without_publish if is_apply_operation(user_args.operation) is True: print() print_msg("Apply plan") # Disable & Delete rules by the plan. If apply failed in one of them - stop and discard changes if apply_plan(client, plan) is False: print_msg("Discard") discard_res = client.api_call("discard") is_failure("Failed to discard changes.", discard_res) print() exit(1) # Publish changes only when the operation is apply if is_publish_operation(user_args.operation): print_msg("Publish") publish_res = client.api_call("publish") is_failure("Failed to publish changes.", publish_res) else: print_msg("Continue session in smartconsole") continue_smartconsole_res = client.api_call("continue-session-in-smartconsole") is_failure("Failed to continue session in smartconsole.", continue_smartconsole_res) print_msg('Apply process has finished successfully.') print()
def main(): global was_changed # Initializing parameters to variables: command = module.params["command"] parameters = module.params.get("parameters") session_data = module.params.get("session-data") fingerprint = module.params.get("fingerprint") context = module.params.get("context") api_version = module.params.get("api_version") if parameters: parameters = parameters.replace("None", "null") parameters = parameters.replace("'", '"') # The following replace method must be the last replace option!!! # This is intended for running run-script API command in CLISH mode, where the "'" character is required inside the script parameter. # Example: "clish -c 'show core-dump status'" # For such case, the YML must be in the following format: 'clish -c \"show core-dump status\"' parameters = parameters.replace("\\\\\"", "'") parameters = parameters.replace("True", "true") parameters = parameters.replace("False", "false") # Finally, parse to JSON parameters = json.loads(parameters) if command == "login": # Login parameters: username = parameters.get("user", parameters.get("username")) password = parameters.get("pass", parameters.get("password")) management = parameters.get("management", "127.0.0.1") port = parameters.get("port", 443) domain = parameters.get("domain") session_timeout = parameters.get("session-timeout", 600) payload = {"session-timeout": session_timeout} client_args = APIClientArgs(server=management, port=port, context=context, api_version=api_version) client = APIClient(client_args) # Validate fingerprint: validate_fingerprint(client, fingerprint) # Tries to login: client.login(username=username, password=password, domain=domain, payload=payload) # Building a session data object session_data = { "url": management + ":" + str(port), "domain": domain, "sid": client.sid, "fingerprint": client.fingerprint, "context": client.context, "api_version": client.api_version } resp = session_data else: # Parsing the session-data argument: try: session_data = ast.literal_eval(session_data)["response"] except (ValueError, KeyError): if not session_data: error("You must specify session-data for commands that are not login (use the command \"login\"" " to obtain the session data).") else: error("session-data variable is invalid.") session_id = session_data["sid"] domain = session_data["domain"] context = session_data["context"] if api_version is None: api_version = session_data["api_version"] management = session_data["url"].split('//')[1].split('/')[0].split(':')[0] if '//' in session_data["url"] else \ session_data["url"].split('/')[0].split(':')[0] if '//' in session_data["url"] and len(session_data["url"].split('//')[1].split('/')[0].split(':')) > 1 and is_int(session_data["url"].split('//')[1].split('/')[0].split(':')[1]): port = int(session_data["url"].split('//')[1].split('/')[0].split(':')[1]) elif len(session_data["url"].split('/')[0].split(':')) > 1 and is_int(session_data["url"].split('/')[0].split(':')[1]): port = int(session_data["url"].split('/')[0].split(':')[1]) else: port = 443 fingerprint = session_data["fingerprint"] client_args = APIClientArgs(server=management, port=port, sid=session_id, context=context, api_version=api_version) client = APIClient(client_args) client.domain = domain validate_fingerprint(client, fingerprint) # Doesn't run commands that act immediately (not waiting for 'publish'), like install-policy, publish, etc. if module.check_mode and command in unavailable_in_check_commands: error("Can't run the following commands in check mode: " + str(unavailable_in_check_commands) + ". Know that your script ran fine up to this point " + ("and we've discarded the changes made, you can now run it without check mode." if command == "publish" else "and we are skipping this command."), client=client if command == "publish" else None, discard=True, logout=False, exit=True, fail=False) if command == "install-policy" and module.check_mode: command = "verify-policy" parameters = {"policy-package": parameters["policy-package"]} # Run the command: res = client.api_call(command=command, payload=parameters) if command.split("-")[0] in ["add", "delete", "set"] and res.success and not module.check_mode: was_changed = True if not res.success: error("Command '{} {}' failed{}. All changes are discarded and the session is invalidated." .format(command, parameters, " with error message: " + str(res.error_message) if hasattr(res, "error_message") else ""), client=client) resp = res.data module.exit_json(response=resp, changed=was_changed)