From 4d636b47942c11e74c8cd88f3c229eb70016de81 Mon Sep 17 00:00:00 2001
From: Tim Purschke
Date: Wed, 26 Apr 2023 16:14:56 +0200
Subject: [PATCH 1/3] adding application sites adds almost 10.000 service objects try to use this only if application-site-categories are used?
---
 .../checkpoint/api-calls-used.md | 38 +++++++++++++++++++
 .../{cp-manager-api-howto.md => readme.md} | 0
 .../importer/firewall-APIs/checkpoint/todo.md | 15 --------
 documentation/importer/readme.md | 38 ++++++++----------
 .../files/importer/checkpointR8x/cp_const.py | 5 ++-
 .../importer/checkpointR8x/parse_service.py | 2 +-
 roles/importer/files/importer/import-mgm.py | 2 +-
 7 files changed, 58 insertions(+), 42 deletions(-)
 create mode 100644 documentation/developer-docs/importer/firewall-APIs/checkpoint/api-calls-used.md
 rename documentation/developer-docs/importer/firewall-APIs/checkpoint/{cp-manager-api-howto.md => readme.md} (100%)
 delete mode 100644 documentation/developer-docs/importer/firewall-APIs/checkpoint/todo.md
diff --git a/documentation/developer-docs/importer/firewall-APIs/checkpoint/api-calls-used.md b/documentation/developer-docs/importer/firewall-APIs/checkpoint/api-calls-used.md
new file mode 100644
index 000000000..1b6c523f7
--- /dev/null
+++ b/documentation/developer-docs/importer/firewall-APIs/checkpoint/api-calls-used.md
@@ -0,0 +1,38 @@
+# API feature support
+
+Firewall Orchestrator uses the following Check Point API calls, which are available from CP API 1.3 - R80.20,
+which is the earliest version supported by Firewall Orchestrator.
+
+See also https://sc1.checkpoint.com/documents/latest/APIs/
+
+```
+show-api-versions
+show-access-rulebase
+show-address-ranges
+show-application-site-categories
+show-application-sites
+show-changes
+show-dns-domains
+show-gateways-and-servers
+show-groups
+show-groups-with-exclusion
+show-hosts
+show-multicast-address-ranges
+show-nat-rulebase
+show-networks
+show-object
+show-packages
+show-services-tcp
+show-services-udp
+show-services-dce-rpc
+show-services-rpc
+show-services-other
+show-services-icmp
+show-services-icmp6
+show-services-sctp
+show-services-gtp
+show-service-groups
+show-simple-gateways
+show-task
+show-updatable-objects-repository-content
+```
diff --git a/documentation/developer-docs/importer/firewall-APIs/checkpoint/cp-manager-api-howto.md b/documentation/developer-docs/importer/firewall-APIs/checkpoint/readme.md
similarity index 100%
rename from documentation/developer-docs/importer/firewall-APIs/checkpoint/cp-manager-api-howto.md
rename to documentation/developer-docs/importer/firewall-APIs/checkpoint/readme.md
diff --git a/documentation/developer-docs/importer/firewall-APIs/checkpoint/todo.md b/documentation/developer-docs/importer/firewall-APIs/checkpoint/todo.md
deleted file mode 100644
index e0ff4f331..000000000
--- a/documentation/developer-docs/importer/firewall-APIs/checkpoint/todo.md
+++ /dev/null
@@ -1,15 +0,0 @@ - -# Check Point R8x API enhancement ideas - -a) increase api access speed -```console -[--sync] {true|false} - Synchronous execution of task - commands that generate the task will wait until the task is finished. - Default {true} - Environment variable: MGMT_CLI_SYNC -``` -b) add 2FA -```console - mgmt_cli login --client-cert path-to-certificate-file.p12 password secret -``` -c) Get OS information from CP gateway via API, see sk143612 \ No newline at end of file diff --git a/documentation/importer/readme.md b/documentation/importer/readme.md index 0c7c809bc..da60c9873 100644 --- a/documentation/importer/readme.md +++ b/documentation/importer/readme.md @@ -24,10 +24,8 @@ need to change import id in all csv-files to next id, e.g.: ## python importer ```console -fworch@fwodemo:~/importer$ ./import-mgm.py --help -usage: import-mgm.py [-h] -m management_id [-c] [-f] [-d debug_level] - [-x proxy_string] [-s ssl_verification_mode] - [-l api_limit] [-i config_file_input] +user@test:~$ ./import-mgm.py --help +usage: import-mgm.py [-h] -m management_id [-c] [-f] [-d debug_level] [-v] [-s] [-l api_limit] [-i config_file_input] [-n config_file_normalized_input] Read configuration from FW management via API calls 
@@ -35,26 +33,20 @@ optional arguments: -h, --help show this help message and exit -m management_id, --mgm_id management_id FWORCH DB ID of the management server to import - -c, --clear If set the import will delete all data for the given - management instead of importing - -f, --force If set the import will be attempted without checking - for changes before + -c, --clear If set the import will delete all data for the given management instead of importing + -f, --force If set the import will be attempted without checking for changes before -d debug_level, --debug debug_level - Debug Level: 0=off, 1=send debug to console, 2=send - debug to file, 3=save noramlized config file; - 4=additionally save native config file; default=0. - config files are saved to $FWORCH/tmp/import dir - -x proxy_string, --proxy proxy_string - proxy server string to use, e.g. http://1.2.3.4:8080 - -s ssl_verification_mode, --ssl ssl_verification_mode - [ca]certfile, if value not set, ssl check is off"; - default=empty/off + Debug Level: 0=off, 1=send debug to console, 2=send debug to file, 3=save noramlized config file; 4=additionally save native config file; default=0. config + files are saved to $FWORCH/tmp/import dir + -v, --verify_certificates + verify certificates + -s, --suppress_certificate_warnings + suppress certificate warnings -l api_limit, --limit api_limit - The maximal number of returned results per HTTPS - Connection; default=150 + The maximal number of returned results per HTTPS Connection; default=150 -i config_file_input, --in_file config_file_input - if set, the config will not be fetched from firewall - but read from native json config file specified here; - may also be an url. -fworch@fwodemo:~/importer$ + if set, the config will not be fetched from firewall but read from native json config file specified here; may also be an url. 
+ -n config_file_normalized_input, --normalized_in_file config_file_normalized_input
+ if set, the config will not be fetched from firewall but read from normalized json config file specified here; may also be an url.
+user@test:~$
 ```
diff --git a/roles/importer/files/importer/checkpointR8x/cp_const.py b/roles/importer/files/importer/checkpointR8x/cp_const.py
index 417a6f0a2..2f1ac05c9 100644
--- a/roles/importer/files/importer/checkpointR8x/cp_const.py
+++ b/roles/importer/files/importer/checkpointR8x/cp_const.py
@@ -13,7 +13,8 @@ # simple as in: no groups
 simple_svc_obj_types = ['services-tcp', 'services-udp', 'services-dce-rpc', 'services-rpc', 'services-other',
 'services-icmp', 'services-icmp6', 'services-sctp', 'services-gtp']
-svc_obj_types = ['service-groups', 'application-site-categories'] + simple_svc_obj_types
+group_svc_obj_types = ['service-groups', 'application-site-categories', 'application-sites']
+svc_obj_types = group_svc_obj_types + simple_svc_obj_types
 cp_specific_object_types = [ # used for fetching enrichment data via "get object" separately (no specific API call)
 'simple-gateway', 'simple-cluster', 'CpmiVsClusterNetobj', 'CpmiVsxClusterNetobj', 'CpmiVsxClusterMember',
@@ -23,7 +24,7 @@ nw_obj_table_names = [
 'hosts', 'networks', 'groups', 'address-ranges', 'multicast-address-ranges', 'groups-with-exclusion',
 'gateways-and-servers', 'simple-gateways',
- 'CpmiGatewayPlain', 'CpmiAnyObject', 'dns-domains', 'updatable-objects-repository-content'
+ 'dns-domains', 'updatable-objects-repository-content'
 ]
 svc_obj_table_names = svc_obj_types + [ 'CpmiAnyObject' ]
 # usr_obj_table_names : do not exist yet - not fetchable via API
diff --git a/roles/importer/files/importer/checkpointR8x/parse_service.py b/roles/importer/files/importer/checkpointR8x/parse_service.py
index ec2355b3d..2302c8e8b 100644
--- a/roles/importer/files/importer/checkpointR8x/parse_service.py
+++ b/roles/importer/files/importer/checkpointR8x/parse_service.py
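Review bot: 'application-sites' is added to group_svc_obj_types unconditionally, and the commit message itself estimates this pulls almost 10,000 extra service objects per management while asking whether it should only happen when application-site-categories are in use; nothing in this hunk or the diffstat gates it. With the default api_limit of 150 shown in the readme hunk, that is on the order of sixty to seventy additional paged show-application-sites calls per import run, so the cost deserves at least a comment next to the entry, e.g. `'application-sites']  # whole predefined app catalogue (~10k objects per the commit message); consider making this opt-in`. If the gating idea is meant to be followed up, a TODO here would keep it from being forgotten.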
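Review bot: Dropping 'CpmiGatewayPlain' and 'CpmiAnyObject' from nw_obj_table_names is unrelated to the application-site change and is mentioned neither in the commit message nor in the 6.3.1 revision-history entry of patch 2. Both names remain in cp_specific_object_types (visible in the patch 3 hunk) and 'CpmiAnyObject' stays in svc_obj_table_names, so if network-side "Any" or plain-gateway references were previously satisfied from nw_obj_table_names, network object resolution changes silently here; please state the intent, e.g. `# CpmiGatewayPlain / CpmiAnyObject are not fetchable as tables; they are resolved via cp_specific_object_types`, if that is the reason.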
@@ -14,7 +14,7 @@ def collect_svc_objects(object_table, svc_objects):
 if object_table['object_type'] in cp_const.svc_obj_table_names:
 session_timeout = ''
 typ = 'undef'
- if object_table['object_type'] == 'service-groups' or object_table['object_type'] == 'application-site-categories':
+ if object_table['object_type'] in cp_const.group_svc_obj_types:
 typ = 'group'
 if object_table['object_type'] in cp_const.simple_svc_obj_types:
 typ = 'simple'
diff --git a/roles/importer/files/importer/import-mgm.py b/roles/importer/files/importer/import-mgm.py
index 5e650e13f..ddbf1169d 100755
--- a/roles/importer/files/importer/import-mgm.py
+++ b/roles/importer/files/importer/import-mgm.py
@@ -16,7 +16,7 @@ parser.add_argument('-c', '--clear', action='store_true', default=False,
 help='If set the import will delete all data for the given management instead of importing')
 parser.add_argument('-f', '--force', action='store_true', default=False,
- help='If set the import will be attempted without checking for changes before')
+ help='If set the import will be attempted without checking for changes or if the importer module is the one defined')
 parser.add_argument('-d', '--debug', metavar='debug_level', default='0',
 help='Debug Level: 0=off, 1=send debug to console, 2=send debug to file, 3=save noramlized config file; 4=additionally save native config file; default=0. \n' +\
 'config files are saved to $FWORCH/tmp/import dir')
From cc3793a53c98759e0e86b0971c749d213e82a33b Mon Sep 17 00:00:00 2001
From: Tim Purschke
Date: Thu, 27 Apr 2023 09:35:18 +0200
Subject: [PATCH 2/3] version to 6.3.1
---
 documentation/revision-history.md | 3 +++
 inventory/group_vars/all.yml | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/documentation/revision-history.md b/documentation/revision-history.md
index ae3358b48..5ce160c03 100644
--- a/documentation/revision-history.md
+++ b/documentation/revision-history.md
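Review bot: After this change objects of type 'application-sites' get typ = 'group' like service-groups and application-site-categories, but whether they expose the member structure the group path expects cannot be verified here; collect_svc_objects continues past the hunk, so please confirm the group branch tolerates an object without a members list before this ships. A short comment would make the model explicit, e.g. `# application-site objects are treated as groups here — confirm they expose members like service-groups`. Since group_svc_obj_types and simple_svc_obj_types are disjoint in cp_const, the second `if` is effectively an `elif` and reads clearer written as one.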
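Review bot: The new --force help text says the flag also skips the check "if the importer module is the one defined", yet this patch changes only this help string in import-mgm.py (diffstat 2 +-) and no code implementing such a skip appears anywhere in the series, so either that behaviour already exists elsewhere or the help now overstates what --force does; please verify. The sentence is also hard to parse; assuming the second check compares the configured importer module, `help='If set the import will be attempted without checking for changes and without verifying that the importer module matches the one configured for the management')` states both skipped checks explicitly.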
@@ -289,3 +289,6 @@ adding report template format fk and permissions
 - application categories
 - updatable objects
 - domain names
+
+### 6.3.1 27.04.2023 MAIN
+- hotfix adding CP R8X object type application site
diff --git a/inventory/group_vars/all.yml b/inventory/group_vars/all.yml
index 2d2dce17f..59240621b 100644
--- a/inventory/group_vars/all.yml
+++ b/inventory/group_vars/all.yml
@@ -1,5 +1,5 @@
 ### general settings
-product_version: "6.3"
+product_version: "6.3.1"
 ansible_user: "{{ lookup('env', 'USER') }}"
 ansible_become_method: sudo
 ansible_python_interpreter: /usr/bin/python3
From 037f54a89fad3a1ac3cf71a702cb4c7742b7eadd Mon Sep 17 00:00:00 2001
From: Tim Purschke
Date: Thu, 27 Apr 2023 09:47:14 +0200
Subject: [PATCH 3/3] cosmetics
---
 .../files/importer/checkpointR8x/cp_const.py | 22 ++++++++++---------
 1 file changed, 12 insertions(+), 10 deletions(-)
diff --git a/roles/importer/files/importer/checkpointR8x/cp_const.py b/roles/importer/files/importer/checkpointR8x/cp_const.py
index 2f1ac05c9..e44efd6e3 100644
--- a/roles/importer/files/importer/checkpointR8x/cp_const.py
+++ b/roles/importer/files/importer/checkpointR8x/cp_const.py
@@ -10,23 +10,25 @@ original_obj_uid = "85c0f50f-6d8a-4528-88ab-5fb11d8fe16c" # used for nat only (both svc and nw obj)
+
+nw_obj_table_names = [
+ 'hosts', 'networks', 'groups', 'address-ranges', 'multicast-address-ranges', 'groups-with-exclusion',
+ 'gateways-and-servers', 'simple-gateways',
+ 'dns-domains', 'updatable-objects-repository-content'
+]
+
 # simple as in: no groups
 simple_svc_obj_types = ['services-tcp', 'services-udp', 'services-dce-rpc', 'services-rpc', 'services-other',
 'services-icmp', 'services-icmp6', 'services-sctp', 'services-gtp']
 group_svc_obj_types = ['service-groups', 'application-site-categories', 'application-sites']
-svc_obj_types = group_svc_obj_types + simple_svc_obj_types
+
+svc_obj_table_names = group_svc_obj_types + simple_svc_obj_types + [ 'CpmiAnyObject' ]
+# usr_obj_table_names : do not exist yet - not fetchable via API
+
+api_obj_types = nw_obj_table_names + svc_obj_table_names # all obj table names to look at during import
 cp_specific_object_types = [ # used for fetching enrichment data via "get object" separately (no specific API call)
 'simple-gateway', 'simple-cluster', 'CpmiVsClusterNetobj', 'CpmiVsxClusterNetobj', 'CpmiVsxClusterMember',
 'CpmiAnyObject', 'CpmiClusterMember', 'CpmiGatewayPlain', 'CpmiHostCkp', 'CpmiGatewayCluster', 'checkpoint-host', 'cluster-member'
 ]
-nw_obj_table_names = [
- 'hosts', 'networks', 'groups', 'address-ranges', 'multicast-address-ranges', 'groups-with-exclusion',
- 'gateways-and-servers', 'simple-gateways',
- 'dns-domains', 'updatable-objects-repository-content'
-]
-svc_obj_table_names = svc_obj_types + [ 'CpmiAnyObject' ]
-# usr_obj_table_names : do not exist yet - not fetchable via API
-
-api_obj_types = nw_obj_table_names + svc_obj_table_names # all obj table names to look at during import
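Review bot: This "cosmetics" commit removes the module-level name svc_obj_types (`-svc_obj_types = group_svc_obj_types + simple_svc_obj_types`) without a replacement, and the diffstat shows no other file touched, so any module still reading cp_const.svc_obj_types would now fail with AttributeError at runtime rather than at import time. Patch 1 switched parse_service.py to group_svc_obj_types, so the obvious caller may already be clean, but that cannot be verified from here; either keep a compatibility alias, `svc_obj_types = group_svc_obj_types + simple_svc_obj_types  # kept for callers; svc_obj_table_names is the fetch list`, or say in the message that no users remain. A one-line header comment explaining the distinction between simple_svc_obj_types, group_svc_obj_types and svc_obj_table_names (which additionally carries 'CpmiAnyObject') would also help, since the reorder now places the service lists between the network list and cp_specific_object_types.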