Merge pull request #2050 from CactuseSecurity/develop

Develop to Main v6.3.1
CactuseSecurity · Apr 27, 2023 · f34f062 · f34f062
2 parents b526d40 + c1677d0
commit f34f062
Show file tree

Hide file tree

Showing 9 changed files with 72 additions and 51 deletions.
diff --git a/documentation/developer-docs/importer/firewall-APIs/checkpoint/api-calls-used.md b/documentation/developer-docs/importer/firewall-APIs/checkpoint/api-calls-used.md
@@ -0,0 +1,38 @@
+# API feature support
+
+Firewall Orchestrator uses the following Check Point API calls, which are available from CP API 1.3 - R80.20,
+which is the earliest version supported by Firewall Orchestrator.
+
+See also https://sc1.checkpoint.com/documents/latest/APIs/
+
+```
+show-api-versions
+show-access-rulebase
+show-address-ranges
+show-application-site-categories
+show-application-sites
+show-changes
+show-dns-domains
+show-gateways-and-servers
+show-groups
+show-groups-with-exclusion
+show-hosts
+show-multicast-address-ranges
+show-nat-rulebase
+show-networks
+show-object
+show-packages
+show-services-tcp
+show-services-udp
+show-services-dce-rpc
+show-services-rpc
+show-services-other
+show-services-icmp
+show-services-icmp6
+show-services-sctp
+show-services-gtp
+show-service-groups
+show-simple-gateways
+show-task
+show-updatable-objects-repository-content
+```
diff --git a/...l-APIs/checkpoint/cp-manager-api-howto.md → ...porter/firewall-APIs/checkpoint/readme.md b/...l-APIs/checkpoint/cp-manager-api-howto.md → ...porter/firewall-APIs/checkpoint/readme.md
diff --git a/documentation/developer-docs/importer/firewall-APIs/checkpoint/todo.md b/documentation/developer-docs/importer/firewall-APIs/checkpoint/todo.md
diff --git a/documentation/importer/readme.md b/documentation/importer/readme.md
@@ -24,37 +24,29 @@ need to change import id in all csv-files to next id, e.g.:
 ## python importer
 
 ```console
-fworch@fwodemo:~/importer$ ./import-mgm.py --help
-usage: import-mgm.py [-h] -m management_id [-c] [-f] [-d debug_level]
-                     [-x proxy_string] [-s ssl_verification_mode]
-                     [-l api_limit] [-i config_file_input]
+user@test:~$ ./import-mgm.py --help
+usage: import-mgm.py [-h] -m management_id [-c] [-f] [-d debug_level] [-v] [-s] [-l api_limit] [-i config_file_input] [-n config_file_normalized_input]
 
 Read configuration from FW management via API calls
 
 optional arguments:
   -h, --help            show this help message and exit
   -m management_id, --mgm_id management_id
                         FWORCH DB ID of the management server to import
-  -c, --clear           If set the import will delete all data for the given
-                        management instead of importing
-  -f, --force           If set the import will be attempted without checking
-                        for changes before
+  -c, --clear           If set the import will delete all data for the given management instead of importing
+  -f, --force           If set the import will be attempted without checking for changes before
   -d debug_level, --debug debug_level
-                        Debug Level: 0=off, 1=send debug to console, 2=send
-                        debug to file, 3=save noramlized config file;
-                        4=additionally save native config file; default=0.
-                        config files are saved to $FWORCH/tmp/import dir
-  -x proxy_string, --proxy proxy_string
-                        proxy server string to use, e.g. http://1.2.3.4:8080
-  -s ssl_verification_mode, --ssl ssl_verification_mode
-                        [ca]certfile, if value not set, ssl check is off";
-                        default=empty/off
+                        Debug Level: 0=off, 1=send debug to console, 2=send debug to file, 3=save noramlized config file; 4=additionally save native config file; default=0. config
+                        files are saved to $FWORCH/tmp/import dir
+  -v, --verify_certificates
+                        verify certificates
+  -s, --suppress_certificate_warnings
+                        suppress certificate warnings
   -l api_limit, --limit api_limit
-                        The maximal number of returned results per HTTPS
-                        Connection; default=150
+                        The maximal number of returned results per HTTPS Connection; default=150
   -i config_file_input, --in_file config_file_input
-                        if set, the config will not be fetched from firewall
-                        but read from native json config file specified here;
-                        may also be an url.
-fworch@fwodemo:~/importer$ 
+                        if set, the config will not be fetched from firewall but read from native json config file specified here; may also be an url.
+  -n config_file_normalized_input, --normalized_in_file config_file_normalized_input
+                        if set, the config will not be fetched from firewall but read from normalized json config file specified here; may also be an url.
+user@test:~$ 
 ```
diff --git a/documentation/revision-history.md b/documentation/revision-history.md
@@ -289,3 +289,6 @@ adding report template format fk and permissions
   - application categories
   - updatable objects
   - domain names
+
+### 6.3.1 27.04.2023 MAIN
+- hotfix adding CP R8X object type application site
diff --git a/inventory/group_vars/all.yml b/inventory/group_vars/all.yml
@@ -1,5 +1,5 @@
 ### general settings
-product_version: "6.3"
+product_version: "6.3.1"
 ansible_user: "{{ lookup('env', 'USER') }}"
 ansible_become_method: sudo
 ansible_python_interpreter: /usr/bin/python3

diff --git a/roles/importer/files/importer/checkpointR8x/cp_const.py b/roles/importer/files/importer/checkpointR8x/cp_const.py
@@ -10,22 +10,25 @@
 original_obj_uid = "85c0f50f-6d8a-4528-88ab-5fb11d8fe16c"
 # used for nat only (both svc and nw obj)
 
+
+nw_obj_table_names = [
+    'hosts', 'networks', 'groups', 'address-ranges', 'multicast-address-ranges', 'groups-with-exclusion', 
+    'gateways-and-servers', 'simple-gateways', 
+    'dns-domains', 'updatable-objects-repository-content'
+]
+
 # simple as in: no groups
 simple_svc_obj_types = ['services-tcp', 'services-udp', 'services-dce-rpc', 'services-rpc', 'services-other', 
                         'services-icmp', 'services-icmp6', 'services-sctp', 'services-gtp']
-svc_obj_types = ['service-groups', 'application-site-categories'] + simple_svc_obj_types
+group_svc_obj_types = ['service-groups', 'application-site-categories', 'application-sites']
+
+svc_obj_table_names = group_svc_obj_types + simple_svc_obj_types + [ 'CpmiAnyObject' ]
+# usr_obj_table_names : do not exist yet - not fetchable via API
+
+api_obj_types = nw_obj_table_names + svc_obj_table_names  # all obj table names to look at during import
 
 cp_specific_object_types = [    # used for fetching enrichment data via "get object" separately (no specific API call)
     'simple-gateway', 'simple-cluster', 'CpmiVsClusterNetobj', 'CpmiVsxClusterNetobj', 'CpmiVsxClusterMember', 
     'CpmiAnyObject', 'CpmiClusterMember', 'CpmiGatewayPlain', 'CpmiHostCkp', 'CpmiGatewayCluster', 'checkpoint-host', 
     'cluster-member'
 ]
-nw_obj_table_names = [
-    'hosts', 'networks', 'groups', 'address-ranges', 'multicast-address-ranges', 'groups-with-exclusion', 
-    'gateways-and-servers', 'simple-gateways', 
-    'CpmiGatewayPlain', 'CpmiAnyObject', 'dns-domains', 'updatable-objects-repository-content'
-]
-svc_obj_table_names = svc_obj_types + [ 'CpmiAnyObject' ]
-# usr_obj_table_names : do not exist yet - not fetchable via API
-
-api_obj_types = nw_obj_table_names + svc_obj_table_names  # all obj table names to look at during import
diff --git a/roles/importer/files/importer/checkpointR8x/parse_service.py b/roles/importer/files/importer/checkpointR8x/parse_service.py
@@ -14,7 +14,7 @@ def collect_svc_objects(object_table, svc_objects):
     if object_table['object_type'] in cp_const.svc_obj_table_names:
         session_timeout = ''
         typ = 'undef'
-        if object_table['object_type'] == 'service-groups' or object_table['object_type'] == 'application-site-categories':
+        if object_table['object_type'] in cp_const.group_svc_obj_types:
             typ = 'group'
         if object_table['object_type'] in cp_const.simple_svc_obj_types:
             typ = 'simple'

diff --git a/roles/importer/files/importer/import-mgm.py b/roles/importer/files/importer/import-mgm.py
@@ -16,7 +16,7 @@
     parser.add_argument('-c', '--clear', action='store_true', default=False,
                         help='If set the import will delete all data for the given management instead of importing')
     parser.add_argument('-f', '--force', action='store_true', default=False,
-                        help='If set the import will be attempted without checking for changes before')
+                        help='If set the import will be attempted without checking for changes or if the importer module is the one defined')
     parser.add_argument('-d', '--debug', metavar='debug_level', default='0',
                         help='Debug Level: 0=off, 1=send debug to console, 2=send debug to file, 3=save noramlized config file; 4=additionally save native config file; default=0. \n' +\
                             'config files are saved to $FWORCH/tmp/import dir')