From aece863458ff50ee9e4c1179992ce3544bf5c8b1 Mon Sep 17 00:00:00 2001 From: mischa Date: Tue, 21 Jun 2022 18:10:54 +0200 Subject: [PATCH] extra config options --- config/chkpfwservices1.txt | 12 +-- config/chkpfwservices2.txt | 46 ++++++++++++ config/chkpfwservices3.txt | 46 ++++++++++++ config/demo-chkp.cnf | 148 +++++++++++++++++++++++++++++++++++++ config/single.cnf | 2 +- example.cnf | 5 ++ push-debug.py | 104 ++++++++++++++++---------- 7 files changed, 320 insertions(+), 43 deletions(-) create mode 100644 config/chkpfwservices2.txt create mode 100644 config/chkpfwservices3.txt create mode 100644 config/demo-chkp.cnf
diff --git a/config/chkpfwservices1.txt b/config/chkpfwservices1.txt
index 7a835a6..57e6825 100644
--- a/config/chkpfwservices1.txt
+++ b/config/chkpfwservices1.txt
@@ -1,14 +1,16 @@
 {
- "name": "FW1",
+ "name": "FW1-1",
 "cxp": "US-EAST-2",
 "segments": [
 "Corporate"
 ],
 "segmentOptions": {
 "Corporate": {
- "DEFAULT": [
- "Users"
- ]
+ "zonesToGroups" : {
+ "DEFAULT": [
+ "Users"
+ ]
+ }
 }
 },
 "size": "LARGE",
@@ -27,7 +29,7 @@
 "domain": "",
 "segment": "Corporate",
 "segmentId": 1636,
- "globalCidrListId": "58"
+ "globalCidrListId": ""
 },
 "tunnelProtocol": "IPSEC",
 "instances": [
diff --git a/config/chkpfwservices2.txt b/config/chkpfwservices2.txt
new file mode 100644
index 0000000..bed2bb5
--- /dev/null
+++ b/config/chkpfwservices2.txt
@@ -0,0 +1,46 @@
+{
+ "name": "FW1-2",
+ "cxp": "US-EAST-2",
+ "segments": [
+ "Prod"
+ ],
+ "segmentOptions": {
+ "Prod": {
+ "zonesToGroups" : {
+ "DEFAULT": [
+ "Development"
+ ]
+ }
+ }
+ },
+ "size": "LARGE",
+ "version": "R81",
+ "credentialId": "",
+ "autoScale": "OFF",
+ "maxInstanceCount": 1,
+ "minInstanceCount": 1,
+ "managementServer": {
+ "configurationMode": "MANUAL",
+ "type": "SMS",
+ "reachability": "PUBLIC",
+ "ips": [
+ "10.1.1.1"
+ ],
+ "domain": "",
+ "segment": "Prod",
+ "segmentId": 1637,
+ "globalCidrListId": ""
+ },
+ "tunnelProtocol": "IPSEC",
+ "instances": [
+ {
+ "name": "FW1-instance-1",
+ "credentialId": "",
+ "cxp": "US-EAST-2"
+ }
+ ],
+ "licenseType": "PAY_AS_YOU_GO",
+ "billingTags": [
+ "343"
+ ]
+}
diff --git a/config/chkpfwservices3.txt b/config/chkpfwservices3.txt
new file mode 100644
index 0000000..afdc34b
--- /dev/null
+++ b/config/chkpfwservices3.txt
@@ -0,0 +1,46 @@
+{
+ "name": "FW1-3",
+ "cxp": "US-EAST-2",
+ "segments": [
+ "Pre Prod"
+ ],
+ "segmentOptions": {
+ "Pre Prod": {
+ "zonesToGroups" : {
+ "DEFAULT": [
+ "Development"
+ ]
+ }
+ }
+ },
+ "size": "LARGE",
+ "version": "R81",
+ "credentialId": "",
+ "autoScale": "OFF",
+ "maxInstanceCount": 1,
+ "minInstanceCount": 1,
+ "managementServer": {
+ "configurationMode": "MANUAL",
+ "type": "SMS",
+ "reachability": "PUBLIC",
+ "ips": [
+ "10.1.1.1"
+ ],
+ "domain": "",
+ "segment": "Pre Prod",
+ "segmentId": 1638,
+ "globalCidrListId": ""
+ },
+ "tunnelProtocol": "IPSEC",
+ "instances": [
+ {
+ "name": "FW1-instance-1",
+ "credentialId": "",
+ "cxp": "US-EAST-2"
+ }
+ ],
+ "licenseType": "PAY_AS_YOU_GO",
+ "billingTags": [
+ "343"
+ ]
+}
diff --git a/config/demo-chkp.cnf b/config/demo-chkp.cnf
new file mode 100644
index 0000000..0c1944c
--- /dev/null
+++ b/config/demo-chkp.cnf
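Review bot: The `managementServer` block in this new file (and the identical block in chkpfwservices3.txt) declares `"reachability": "PUBLIC"` while its only `ips` entry is `10.1.1.1`, an RFC 1918 address, so as committed the management server is described as publicly reachable at a private address. If this is a demo placeholder, make that visible where a maintainer will find it — JSON carries no comments, and push-debug.py posts the file body after filling in only the ids it creates. The empty `credentialId` and `globalCidrListId` values are likewise placeholders that depend on push-debug.py's create calls succeeding; a README line listing which keys the script overwrites would document that contract.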
@@ -0,0 +1,148 @@
+[ipsecconnectors1]
+cxp = US-EAST-2
+segments = Corporate
+group = Users
+billingtags = 333
+size = MEDIUM
+
+[ipsecconnectors2]
+cxp = US-EAST-2
+segments = Prod
+group = Development
+billingtags = 343
+size = LARGE
+
+[ipsecconnectors3]
+cxp = GERMANYWESTCENTRAL-AZURE-1
+segments = Corporate
+group = Users
+billingtags = 333
+size = MEDIUM
+
+[ipsecconnectors4]
+cxp = GERMANYWESTCENTRAL-AZURE-1
+segments = Prod
+group = Development
+billingtags = 343
+size = LARGE
+
+[internetconnectors1]
+cxp = US-EAST-2
+segments = Corporate
+group = Users
+billingtags = 333
+size = MEDIUM
+
+[internetconnectors2]
+cxp = GERMANYWESTCENTRAL-AZURE-1
+segments = Prod
+group = Development
+billingtags = 343
+size = LARGE
+
+[awsvpcconnectors1]
+cxp = US-EAST-2
+segments = Pre Prod
+group = Development
+billingtags = 343
+size = LARGE
+
+[awsvpcconnectors2]
+cxp = US-EAST-2
+segments = Prod
+group = Development
+billingtags = 333
+size = LARGE
+
+[awsvpcconnectors3]
+cxp = GERMANYWESTCENTRAL-AZURE-1
+segments = Prod
+group = Development
+billingtags = 343
+size = LARGE
+
+[awsvpcconnectors4]
+cxp = GERMANYWESTCENTRAL-AZURE-1
+segments = Prod
+group = Development
+billingtags = 333
+size = LARGE
+
+[azurevnetconnectors1]
+cxp = US-EAST-2
+segments = Corporate
+group = Users
+billingtags = 343
+size = MEDIUM
+
+[azurevnetconnectors2]
+cxp = US-EAST-2
+segments = Corporate
+group = Users
+billingtags = 333
+size = MEDIUM
+
+[azurevnetconnectors3]
+cxp = GERMANYWESTCENTRAL-AZURE-1
+segments = Corporate
+group = Users
+billingtags = 343
+size = MEDIUM
+
+[azurevnetconnectors4]
+cxp = GERMANYWESTCENTRAL-AZURE-1
+segments = Corporate
+group = Users
+billingtags = 333
+size = MEDIUM
+
+[gcpvpcconnectors1]
+cxp = US-EAST-2
+segments = Prod
+group = Development
+billingtags = 343
+size = LARGE
+
+[gcpvpcconnectors2]
+cxp = US-EAST-2
+segments = Prod
+group = Development
+billingtags = 333
+size = LARGE
+
+[gcpvpcconnectors3]
+cxp = GERMANYWESTCENTRAL-AZURE-1
+segments = Corporate
+group = Users
+billingtags = 343
+size = MEDIUM
+
+[gcpvpcconnectors4]
+cxp = GERMANYWESTCENTRAL-AZURE-1
+segments = Corporate
+group = Users
+billingtags = 343
+size = MEDIUM
+
+[ocivcnconnectors1]
+cxp = GERMANYWESTCENTRAL-AZURE-1
+segments = Corporate
+group = Users
+billingtags = 333
+size = MEDIUM
+
+[ocivcnconnectors2]
+cxp = GERMANYWESTCENTRAL-AZURE-1
+segments = Prod
+group = Development
+billingtags = 343
+size = LARGE
+
+[chkpfwservices1.txt]
+cxp = US-EAST-2
+
+[chkpfwservices2.txt]
+cxp = US-EAST-2
+
+[chkpfwservices3.txt]
+cxp = US-EAST-2
diff --git a/config/single.cnf b/config/single.cnf
index 697f6c7..0f6227e 100644
--- a/config/single.cnf
+++ b/config/single.cnf
@@ -1,2 +1,2 @@
-[chkpfwservices1.txt]
+[chkpfwservices3.txt]
 cxp = US-EAST-2
diff --git a/example.cnf b/example.cnf
index 29c2ec4..2585b39 100644
--- a/example.cnf
+++ b/example.cnf
@@ -5,3 +5,8 @@ ALKIRA_PASSWORD =
 [services]
 SERVICE_USERNAME = admin
 SERVICE_PASSWORD = Blabla123
+[globalcidr]
+CIDR_NAME = Global CIDR
+CIDR_DESCR = Demo Prefix
+CIDR_PREFIX = 100.64.0.0/24
+CIDR_CXP = US-EAST-2
diff --git a/push-debug.py b/push-debug.py
index cdd5898..e28e821 100755
--- a/push-debug.py
+++ b/push-debug.py
@@ -41,7 +41,6 @@ try:
 args = parser.parse_args()
 ALKIRA_CONFIG = args.tenant
 json_file = args.file
-
 except argparse.ArgumentError as e:
 print(str(e))
 sys.exit()
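Review bot: The new `[globalcidr]` section is not optional as of this commit — push-debug.py reads all four keys with `alkira.get('globalcidr', …)` at module level, which raises `configparser.NoSectionError` for any tenant config that lacks the section, whether or not a chkpfwservices connector is being pushed. A comment above the section would spell that out, e.g. `# Required by push-debug.py for every run; only chkpfwservices connectors use these values`. The `SERVICE_PASSWORD = Blabla123` context line is also worth replacing with an obvious placeholder such as `SERVICE_PASSWORD = <change-me>`, so the example cannot be mistaken for a working default.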
@@ -71,33 +70,48 @@ ALKIRA_TENANT = alkira.get('alkira', 'ALKIRA_TENANT') ALKIRA_USERNAME = alkira.get('alkira', 'ALKIRA_USERNAME') ALKIRA_PASSWORD = alkira.get('alkira', 'ALKIRA_PASSWORD') ALKIRA_BASE_URI = f'https://{ALKIRA_TENANT}/api' +SERVICE_USERNAME = alkira.get('services', 'SERVICE_USERNAME') +SERVICE_PASSWORD = alkira.get('services', 'SERVICE_PASSWORD') +CIDR_NAME = alkira.get('globalcidr', 'CIDR_NAME') +CIDR_DESCR = alkira.get('globalcidr', 'CIDR_DESCR') +CIDR_PREFIX = alkira.get('globalcidr', 'CIDR_PREFIX') +CIDR_CXP = alkira.get('globalcidr', 'CIDR_CXP') ############################################### # Set default headers headers = {'Content-Type': "application/json"} -# Naming exceptions +# URL Exceptions url_exceptions = { "saas": "internet", "pan": "panfw", - "ftntfw": "ftnt-fw-", "ftntfwservices": "ftnt-fw-services", - "chkpfw": "chkp-fw-", + "chkpfwservices": "chkp-fw-services", "ocivcnconnectors": "oci-vcn-connectors", "ftntfwservices": "ftnt-fw-services" } +# URL Exceptions creating credentials service_credentials = { "panfwservices": "pan", - "ftntfwservices": "ftntfw" + "ftntfwservices": "ftntfw", + "chkpfwservices": "chkp-fw" } +# URL Exceptions creating instance credentials service_instance_credentials = { - "ftntfwservices": "ftntfw-" + "ftntfwservices": "ftntfw-", + "chkpfwservices": "chkp-fw-" } +# Global CIDR +service_global_cidr = [ + "chkpfwservices" + ] + # Authenticate +logging.info('=== Authenticating') body = {'userName': ALKIRA_USERNAME, 'password': ALKIRA_PASSWORD} url = f'{ALKIRA_BASE_URI}/login' @@ -105,6 +119,7 @@ session = requests.session() response = session.post(url, data=json.dumps(body), headers=headers) # Get TenantID +logging.info('=== Fetching Tenant Info') url = f'{ALKIRA_BASE_URI}/tenantnetworks' response = session.get(url, headers=headers) data = response.json() 
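Review bot: The four `CIDR_* = alkira.get('globalcidr', …)` reads run unconditionally at module level, so a tenant config without a `[globalcidr]` section now aborts the script with `configparser.NoSectionError` before authentication, even for connector types that never use the value; the same applies to the two new `SERVICE_*` reads if any tenant config predates the `[services]` section. Give them a fallback, `CIDR_NAME = alkira.get('globalcidr', 'CIDR_NAME', fallback=None)` and likewise for the other three, or move the reads into the `if connector_name in service_global_cidr:` block that consumes them. Unrelated to the change but visible here: `url_exceptions` still carries `"ftntfwservices": "ftnt-fw-services"` twice, and only the last occurrence takes effect. `service_global_cidr` is a list used only for membership tests; a comment such as `# connector types whose JSON needs a global CIDR list created first` would say more than the bare `# Global CIDR`.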
@@ -113,49 +128,77 @@ tenantName = data[0]['name'] logging.info(f'Tenant Name: {tenantName}') logging.info(f'Tenant ID: {tenantNetworkId}') -# Do Things +# Push connector +logging.info('=== Push Connector') connector_result = re.match(r'(\w+)(\d+)', json_file) connector_name = connector_result.group(1) connector_number = connector_result.group(2) logging.debug(f'Connector Name: {connector_name} - Number: {connector_number}') if connector_name in service_credentials.keys(): + print('=== Create Credentials') credentials_url = service_credentials[connector_name] + fwcredential = f'fwcredentials-{time.time()}' body = { "credentials": { - "userName": "admin", - "password": "Blabla123" + "userName": SERVICE_USERNAME, + "password": SERVICE_PASSWORD }, - "name": "fwcredentials14" + "name": fwcredential } - if args.pretty: print(json.dumps(body, indent=4)) else: print(json.dumps(body)) - print('=== Create Credentials') url = f'{ALKIRA_BASE_URI}/credentials/{credentials_url}' + print(url) response = session.post(url, data=json.dumps(body), headers=headers) print(response.status_code) print(response.content) json_body = response.json() if response.status_code == 200: - fw_id = json_body['id'] - print(f'credentialId: {fw_id}') + service_credentialid = json_body['id'] + print(f'credentialId: {service_credentialid}') if connector_name in service_instance_credentials.keys(): credentials_url = service_instance_credentials[connector_name] print('=== Create Instance Credentials') url = f'{ALKIRA_BASE_URI}/credentials/{credentials_url}instance' + print(url) response = session.post(url, data=json.dumps(body), headers=headers) print(response.status_code) print(response.content) json_body = response.json() if response.status_code == 200: - instance_id = json_body['id'] - print(f'instance credentialId: {instance_id}') + service_instance_credentialid = json_body['id'] + print(f'instance credentialId: {service_instance_credentialid}') + +if connector_name in service_global_cidr: + 
print('=== Create Global CIDR') + body = { + "name": CIDR_NAME, + "description": CIDR_DESCR, + "values": [ + CIDR_PREFIX + ], + "cxp": CIDR_CXP + } + if args.pretty: + print(json.dumps(body, indent=4)) + else: + print(json.dumps(body)) + + url = f'{ALKIRA_BASE_URI}/tenantnetworks/{tenantNetworkId}/global-cidr-lists' + print(url) + response = session.post(url, data=json.dumps(body), headers=headers) + print(response.status_code) + print(response.content) + json_body = response.json() + if response.status_code == 201: + global_cidr_id = json_body['id'] + print(f'global cidr id: {global_cidr_id}') with open (json_file, 'r') as f: body = json.load(f) @@ -164,12 +207,16 @@ if connector_name in url_exceptions.keys(): connector_name = url_exceptions[connector_name] if 'credentialId' in body: - body['credentialId'] = fw_id - print(f'JSON credentialId: {fw_id}') + body['credentialId'] = service_credentialid + print(f'JSON credentialId: {service_credentialid}') if 'instances' in body: - body['instances'][0]['credentialId'] = instance_id - print(f'JSON credentialId: {instance_id}') + body['instances'][0]['credentialId'] = service_instance_credentialid + print(f'JSON credentialId: {service_instance_credentialid}') + +if 'managementServer' in body: + body['managementServer']['globalCidrListId'] = global_cidr_id + print(f'JSON globalCidrListId: {global_cidr_id}') if args.pretty: print(json.dumps(body, indent=4)) 
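Review bot: `service_credentialid`, `service_instance_credentialid` and `global_cidr_id` are bound only inside the `if response.status_code == 200:` / `== 201:` branches, so a rejected create call is printed and then ignored until the next hunk dereferences the unbound name with a NameError; initialise them up front, `service_credentialid = service_instance_credentialid = global_cidr_id = None`, and exit with a clear message when the expected status is not returned. In all three blocks `json_body = response.json()` runs before the status check, so an error response without a JSON body raises there instead of reaching the diagnostic prints. The credentials body is still echoed whole by `print(json.dumps(body, indent=4))` / `print(json.dumps(body))`, which now writes `SERVICE_PASSWORD` from the tenant config to stdout in clear; print `fwcredential` and the user name instead. `fwcredential = f'fwcredentials-{time.time()}'` needs `import time`, which is not visible in this chunk — confirm it is present at the top of the file.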
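Review bot: The new `if 'managementServer' in body:` fires for any connector JSON that carries the key and assigns `global_cidr_id`, which exists only when the global CIDR POST earlier returned 201; for every other outcome this line raises NameError rather than reporting that the CIDR list was not created. Guard it on the value, `if 'managementServer' in body and global_cidr_id is not None:`, with `global_cidr_id = None` initialised before the create block. Note that `connector_name` has already been remapped through `url_exceptions` at the top of this hunk (`chkpfwservices` becomes `chkp-fw-services`), so a check against `service_global_cidr` here would have to use the original name. The same unguarded pattern applies to `service_credentialid` and `service_instance_credentialid` in the two preceding `if` blocks.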
@@ -181,20 +228,3 @@ url = f'{ALKIRA_BASE_URI}/tenantnetworks/{tenantNetworkId}/{connector_name}'
 response = session.post(url, data=json.dumps(body), headers=headers)
 print(response.status_code)
 print(response.content)
-
-if response.status_code == 400:
- print(f'=== Remove credential {fw_id}')
- url = f'{ALKIRA_BASE_URI}/credentials/{credentials_url}/{fw_id}'
- response = session.delete(url, headers=headers)
- print(response.status_code)
- print(response.content)
-
- if connector_name in service_instance_credentials.keys():
- credential_url = service_instance_credentials[connector_name]
-
- print(f'=== Remove instance credential {instance_id}')
- url = f'{ALKIRA_BASE_URI}/credentials/{credentials_url}instance/{instance_id}'
- response = session.delete(url, headers=headers)
- print(response.status_code)
- print(response.content)
-