
fp-ngfw-smc-python's Introduction

smc-python

Python-based library for interacting with the Forcepoint NGFW Management Center (SMC) API. It provides automation capabilities for any environment that interacts with the SMC remotely.

Some of the functionality you get with the SMC Python API:

  • Create any engine types; single firewall, cluster firewalls, ips engines, layer 2 firewalls, master engine and virtual engines.
  • Engine operations such as enabling/disabling AV, GTI, default NAT, Contact Addresses, etc
  • Interface configurations
  • Routing configurations (OSPF, BGP, Static, Antispoofing)
  • Engine level commands such as rebooting, going offline, policy push, enable/disable SSH, etc.
  • Create and modify all network element objects such as Host, Network, Address Ranges, Domain Names, etc.
  • Policy control (create rules, delete rules) for layer 3 firewall policies
  • VPN Policy control and creation
  • Management / Log Server settings configuration
  • Admin User creation and modification
  • System level controls; update system packages, update engines, global blacklisting, etc
  • Tasks
  • Search operations for any object type by name, href and by filter
  • Collections interface to view all objects by type

Requirements

Python >= 2.7 or >= 3.5

Requests >= 2.31.0

websocket-client >= 1.5.0

Security Management Center version >= 6.0

Getting Started

Installing package

From git:

pip install git+https://github.com/Forcepoint/fp-NGFW-SMC-python.git

Or after cloning:

python setup.py install

Testing

A variety of example scripts that use the API to perform various tasks are included in /examples.

Basics

Before any commands are run, you must obtain a login session. Once commands are complete, call session.logout() to remove the active session. To obtain the api_key, log in to the Forcepoint NGFW Management Center and create an API client with the proper privileges.

from smc import session

session.login(url='http://1.1.1.1:8082', api_key='xxxxxxxxxxxxx')
....do stuff....
session.logout()

Or log in to a specific Admin Domain and use a specific version of the API:

session.login(url='http://1.1.1.1:8082', api_key='xxxxxxxxxxxxx',
              domain='mydomain', api_version='6.2')
....do stuff....
session.logout()

Once a valid session is obtained, it is re-used for each operation for the duration of the session's validity, or until the program exits.
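The login/logout pairing above is easy to get wrong in scripts: an exception between login() and logout() leaves the server-side session alive until the SMC expires it, and the README example also hard-codes the API key and uses a plain http:// URL. The helper below is an added example, not part of smc-python; it assumes only that the session object exposes login(url=..., api_key=..., **kwargs) and logout() as shown above, so a stand-in object (RecordingSession, constructed here) can exercise it offline, and in real use you pass smc.session.

```python
"""Session lifecycle helper for smc-python (added example, not library code).

Assumptions not taken from the README: the `session` argument behaves like
`smc.session` (login(url=..., api_key=..., **kwargs) and logout()), the API
key may come from the SMC_API_KEY environment variable, and plaintext
http:// management URLs must be opted into explicitly.
"""
import os
from contextlib import contextmanager


class SessionError(Exception):
    """Configuration problem detected before any network call is made."""


@contextmanager
def smc_session(session, url, api_key=None, allow_plaintext=False, **login_kwargs):
    """Log in, hand the session to the caller, and always log out.

    - The key is read from SMC_API_KEY when not passed, so it need not be
      written into the script.
    - http:// URLs are refused unless allow_plaintext=True, because the API
      key would otherwise travel unencrypted.
    - logout() runs in `finally`, so the server-side session is released
      even when the body raises.
    """
    key = api_key or os.environ.get("SMC_API_KEY")
    if not key:
        raise SessionError("no API key: pass api_key= or set SMC_API_KEY")
    if url.startswith("http://") and not allow_plaintext:
        raise SessionError("refusing plaintext URL %r; use https:// or allow_plaintext=True" % url)
    session.login(url=url, api_key=key, **login_kwargs)
    try:
        yield session
    finally:
        session.logout()


class RecordingSession:
    """Constructed stand-in for smc.session: records calls instead of talking to an SMC."""

    def __init__(self):
        self.calls = []

    def login(self, **kwargs):
        self.calls.append(("login", kwargs))

    def logout(self):
        self.calls.append(("logout", {}))


def demo(raise_inside=False):
    """Run one session and return the order of login/logout calls observed."""
    sess = RecordingSession()
    try:
        with smc_session(sess, "https://smc.example.invalid:8082", api_key="EXAMPLE-KEY",
                         domain="Shared Domain", api_version="6.10"):
            if raise_inside:
                raise RuntimeError("simulated failure while doing work")
    except RuntimeError:
        pass  # the error propagates to the caller, but logout still happened
    return [name for name, _ in sess.calls]


if __name__ == "__main__":
    print(demo())                   # ['login', 'logout']
    print(demo(raise_inside=True))  # ['login', 'logout'] even though the body raised
```

With the real library the call is `with smc_session(session, 'https://smc.example.invalid:8082', domain='mydomain', api_version='6.2'): ...` after `from smc import session`, and the API key is supplied through the environment rather than the source file.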

Extensions

Extensions are available to smc-python that provide additional functionality besides what is provided in the base library. Extensions are kept separate as they may require additional package requirements and simplify packaging.

Available extensions:

  • smc-python-monitoring: Monitoring for SMC connections, blacklists, users, VPNs, alerts, etc. In addition this package provides the ability to 'subscribe' to administrative event modifications.

Extensions are found in the base smc-python repository as namespace packages, and each is housed in its own sub-directory of this base package.

Pull Requests

Pull requests are welcome, but they cannot be merged as-is: we use an internal repository to validate and integrate changes, and accepted changes are released later according to our roadmap.

Documentation

View Documentation on Read The Docs

fp-ngfw-smc-python's People

Contributors

amol-suruse, lilianvalerofp, lmartinson


fp-ngfw-smc-python's Issues

Route-Based VPN Creation Error

Hi,

I am trying to create a Route-Based VPN Tunnel between two Firewalls but I get this error: "Impossible to store the element XXX".

  • Interfaces on the Engines are created correctly
  • Monitoring Group is created correctly

Is there something I am missing?

Below is the function I created:

# imports assumed from the smc-python module layout
from smc.core.engine import Engine
from smc.vpn.elements import VPNProfile
from smc.vpn.route import RouteVPN, TunnelEndpoint, TunnelMonitoringGroup


def create_rbvpn(fw1, fw2, interface_id, comment):

    engine1 = Engine(str(fw1))
    engine2 = Engine(str(fw2))

    # tunnel interface with the same id on both engines
    engine1.tunnel_interface.add_cluster_virtual_interface(interface_id=interface_id, comment=comment)
    engine2.tunnel_interface.add_cluster_virtual_interface(interface_id=interface_id, comment=comment)

    TunnelMonitoringGroup.create(name=comment, comment=comment)

    local_endpoint = TunnelEndpoint(gateway_ref=engine1.href,
                                    tunnel_interface_ref=engine1.tunnel_interface.get(interface_id).href)
    print(local_endpoint)
    remote_endpoint = TunnelEndpoint(gateway_ref=engine2.href,
                                     tunnel_interface_ref=engine2.tunnel_interface.get(interface_id).href)
    print(remote_endpoint)

    RouteVPN.create_ipsec_tunnel(name=comment,
                                 local_endpoint=local_endpoint,
                                 remote_endpoint=remote_endpoint,
                                 monitoring_group=TunnelMonitoringGroup(comment),
                                 vpn_profile=VPNProfile("Suite-B-GCM-256"),
                                 comment=comment)

Updating ipv4Rules

Hello,

I try to update an ipv4Rules object with the .update() method. It doesn't work when the rule name contains "/".
I get the following error message.
I use fp-ngfw-smc-python~=1.0.12 and SMC 6.8.8.

Rule @317776.13": "Invalid JSON format: For input string: \"68719491123\" (from: FWIPv4AccessRuleDTO[\"parent_insert_point\"]).

Forcepoint SMC test VM?

Hi,
I would like to develop some open source tools based on SMC Python for Forcepoint, but I can't find any Forcepoint SMC I can test against. Do you plan to ship such a test VM via vagrant maybe? If not, how can I test my code to make sure it's actually working on Forcepoint SMCs without spending thousands of dollars on a Forcepoint SMC?

DHCP Relay on interface

Hello,

I try to configure a DHCP relay on an interface.
I tried the following parameters but it doesn't work:

  • dhcp_relay={'element': ['some_href'], 'enabled': True, 'max_packet_size': 576, 'trusted_circuit': False}
  • engine.interface.get("1").data['relayed_by_dhcp'] = True

Is there a possibility to do this?
I use fp-NGFW-SMC-python 0.7.0b23.

Best regards,
Etienne

Can not Create an ipv4 access rule

Using this code the rules are not created; please help.

for line in csv_reader:
    try:
        policy.fw_ipv4_access_rules.create(name=line[0], sources=line[1], destinations=line[2], services=line[3], action=line[4])
    except Exception as exc:
        # a bare "except: pass" hides why the call failed; report it instead
        print("rule %r not created: %s" % (line[0], exc))

certificate verification warnings using the INI file for session creation

Hello,

I'm trying to create a session with an INI file but I'm running into SSL warnings of the following kind:

/usr/lib/python3/dist-packages/urllib3/connectionpool.py:1015: InsecureRequestWarning: Unverified HTTPS request is being made to host '$IP'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
warnings.warn(

What is the equivalent INI syntax of the following which doesn't throw warnings?

session.login(url='https://$FQN:8082', api_key='$APIKEY', api_version='6.10', verify=True)

How exactly do the above argument "verify=True" and the below "verify_ssl=True" differ? According to

Setting verify_ssl to True (default) validates the client cert for
the latter verifies client certificates only (and therefore needs a path), but how do I verify the server certificate?

$ cat .smcrc 
smc_address=$IP
smc_apikey=$APIKEY
api_version=6.10
smc_port=8082
smc_ssl=True
verify_ssl=True

(c.f. https://fp-ngfw-smc-python.readthedocs.io/en/latest/pages/session.html#creating-the-session )

Thanks.
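One way to see what an .smcrc actually implies before calling login() is to translate the INI keys into the explicit keyword arguments and flag the combinations that produce urllib3's InsecureRequestWarning. The code below is an added example, not part of smc-python or its documentation; it uses the keys shown in the question (smc_address, smc_apikey, api_version, smc_port, smc_ssl, verify_ssl) and assumes an INI-style file with an [smc] section, an optional ssl_cert_file key holding a CA bundle path, and the requests convention for verify (True / False / path to a CA bundle). The sample file contents are constructed.

```python
"""Derive session.login() arguments from an .smcrc and flag insecure TLS settings.

Added example, not library code.  Assumptions not on the page: the file has
an [smc] section, `ssl_cert_file` may name the CA bundle, and `verify`
follows the requests convention (True, False, or a CA bundle path).
"""
import configparser
import os

# Constructed sample mirroring the question's file (placeholder host and key).
SAMPLE_SMCRC = """
[smc]
smc_address=smc.example.invalid
smc_apikey=EXAMPLE-KEY
api_version=6.10
smc_port=8082
smc_ssl=True
verify_ssl=True
"""


def load_smcrc(text):
    """Parse .smcrc text and return the [smc] section."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return parser["smc"]


def login_kwargs_from_smcrc(cfg):
    """Return (login_kwargs, warnings) for the given [smc] section.

    warnings lists the conditions under which the API key travels in clear
    or the server certificate is not verified.
    """
    warnings = []
    use_ssl = cfg.getboolean("smc_ssl", fallback=False)
    scheme = "https" if use_ssl else "http"
    url = "%s://%s:%s" % (scheme, cfg["smc_address"], cfg.get("smc_port", "8082"))
    if not use_ssl:
        warnings.append("smc_ssl is not True: the API key is sent over plaintext HTTP")

    verify_ssl = cfg.getboolean("verify_ssl", fallback=True)
    cert_file = cfg.get("ssl_cert_file", fallback=None)
    if cert_file:
        cert_file = cert_file.strip("'\"")  # tolerate quoted paths

    if not use_ssl:
        verify = False  # nothing to verify on plain HTTP
    elif not verify_ssl:
        verify = False
        warnings.append("verify_ssl=False: server certificate is not checked (InsecureRequestWarning)")
    elif cert_file:
        verify = cert_file  # trust exactly this CA bundle
        if not os.path.exists(cert_file):
            warnings.append("ssl_cert_file %r does not exist" % cert_file)
    else:
        verify = True  # system trust store; a private SMC CA will not validate here
        warnings.append("verify_ssl=True without ssl_cert_file: the SMC certificate "
                        "must chain to the system trust store")

    kwargs = {
        "url": url,
        "api_key": cfg["smc_apikey"],
        "api_version": cfg.get("api_version"),
        "verify": verify,
    }
    return kwargs, warnings


if __name__ == "__main__":
    section = load_smcrc(SAMPLE_SMCRC)
    kw, warns = login_kwargs_from_smcrc(section)
    print({k: v for k, v in kw.items() if k != "api_key"})
    for w in warns:
        print("WARNING:", w)
```

The resulting dictionary can be passed as `session.login(**kw)`; the explicit `verify=` value is what decides whether the server certificate is checked, and pointing it at the CA bundle that signed the SMC certificate is what makes `verify_ssl=True` meaningful for a private CA.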

Library versioning

Hi,

Please use Git tags instead of commit title to version this library.

Best regards,

Changing Log Definitions

Hi everyone!

I'm using python 3.8; API version 6.8; Git Hub version 3.1.27
We were adding rules with the API:

-------------------------- creating the rule --------------------------

        options = LogOptions()
        options.log_accounting_info_mode = True
        options.log_level = 'stored'
        p.fw_ipv4_access_rules.create(name='', comment=comment, services=[service], sources=[specific_src_host], destinations=[specific_dest_host], action='allow', log_options=options)
        data.append([policy_name, section, src_ip, dest_ip, dest_port, app, app_protocol, comment, 'created the rule'])
    p.fw_ipv4_access_rules.create_rule_section(section_name)  # creating a specific section in the policy

#----------------------------------------------------------------------------

How can I change the settings of the rule-logs, such that a log wouldn't be created for connection closing:
[screenshot]

(want the Connection Closing value to be set to "No Log").

fw_ipv4_access_rules.create() does not accept correct action

Hi @gabstopper,

I've encountered the following bug while playing around with the API.

smc python version: 0.6.2 (according to pip freeze)

Last debug output:

Response status: 200
Response headers:
        'ETag': '"NTQ4NDk5OWViNDVlZTdhYTY4ODliODFlOGU2MzdjMTY="'
        'Content-Type': 'application/json'
        'Transfer-Encoding': 'chunked'
        'Date': 'Wed, 01 Jul 2020 09:52:21 GMT'
Response content:
{"result":[{"href":"http://192.168.10.73:8082/6.7/elements/ip_list/23139","name":"freevpn.gg","type":"ip_list"}]}
http://192.168.10.73:8082 "POST /6.7/elements/sub_ipv4_fw_policy/46/fw_ipv4_access_rule HTTP/1.1" 400 None
Request method: POST
Request URL: http://192.168.10.73:8082/6.7/elements/sub_ipv4_fw_policy/46/fw_ipv4_access_rule
Request headers:
        'User-Agent': 'python-requests/2.24.0'
        'Accept-Encoding': 'gzip, deflate'
        'Accept': '*/*'
        'Connection': 'keep-alive'
        'Content-Type': 'application/json'
        'Cookie': 'JSESSIONID=2DD363BC335AF3842F8C785A0F1393DA'
        'Content-Length': '685'
Request body:
{"sources": {"any": true}, "destinations": {"dst": ["http://192.168.10.73:8082/6.7/elements/ip_list/23139"]}, "services": {"any": true}, "name": "freevpn.gg", "comment": "dies ist ein test", "action": {"action": "discard", "connection_tracking_options": {"mss_enforced": false, "mss_enforced_max": 0, "mss_enforced_min": 0, "timeout": -1}, "scan_detection": "undefined"}, "options": {"log_accounting_info_mode": false, "log_closing_mode": true, "log_level": "undefined", "log_payload_additionnal": false, "log_payload_excerpt": false, "log_payload_record": false, "log_severity": -1}, "authentication_options": {"methods": [], "require_auth": false, "users": []}, "is_disabled": false}
Response status: 400
Response headers:
        'Content-Type': 'application/json'
        'Transfer-Encoding': 'chunked'
        'Date': 'Wed, 01 Jul 2020 09:52:21 GMT'
        'Connection': 'close'
Response content:
{"details":["Invalid JSON format: Cannot deserialize instance of `java.util.ArrayList` out of VALUE_STRING token at [line: 1, column: 213] (from: FWRuleActionDTO[\"action\"])."],"status":0}
Traceback (most recent call last):
  File "avency-blockctl.py", line 154, in <module>
    Blockctl()   
  File "avency-blockctl.py", line 146, in __init__
    self.apply_blacklists(config, args)
  File "avency-blockctl.py", line 126, in apply_blacklists
    policy.fw_ipv4_access_rules.create(name=bl['name'], services='any', sources='any', destinations=[smc.elements.network.IPList(bl['name'])], action='discard', comment=bl['comment'])
  File "/home/chris/.virtualenvs/avency-blockctl/lib/python3.8/site-packages/smc/policy/rule.py", line 570, in create
    return ElementCreator(
  File "/home/chris/.virtualenvs/avency-blockctl/lib/python3.8/site-packages/smc/base/decorators.py", line 103, in run
    return function(cls, json, **kwargs)
  File "/home/chris/.virtualenvs/avency-blockctl/lib/python3.8/site-packages/smc/base/model.py", line 115, in ElementCreator
    result = SMCRequest(
  File "/home/chris/.virtualenvs/avency-blockctl/lib/python3.8/site-packages/smc/api/common.py", line 66, in create
    return self._make_request(method='POST')
  File "/home/chris/.virtualenvs/avency-blockctl/lib/python3.8/site-packages/smc/api/common.py", line 101, in _make_request
    raise err
smc.api.exceptions.CreateRuleFailed: Invalid JSON format: Cannot deserialize instance of `java.util.ArrayList` out of VALUE_STRING token at [line: 1, column: 213] (from: FWRuleActionDTO["action"]).
Resetting dropped connection: 192.168.10.73
http://192.168.10.73:8082 "PUT /6.7/logout HTTP/1.1" 204 0
Logged out admin: Christian R. (Superuser) of domain: Shared Domain successfully
Call counters: Counter({'read': 6, 'create': 3, 'update': 0, 'delete': 0, 'cache': 0})

You can see my function call in the stacktrace:

policy.fw_ipv4_access_rules.create(name=bl['name'], services='any', sources='any', destinations=[smc.elements.network.IPList(bl['name'])], action='discard', comment=bl['comment'])

During error it has been initialized correctly as you can see in the REST request:

{"sources": {"any": true}, "destinations": {"dst": ["http://192.168.10.73:8082/6.7/elements/ip_list/23139"]}, "services": {"any": true}, "name": "freevpn.gg", "comment": "dies ist ein test", "action": {"action": "discard", "connection_tracking_options": {"mss_enforced": false, "mss_enforced_max": 0, "mss_enforced_min": 0, "timeout": -1}, "scan_detection": "undefined"}, "options": {"log_accounting_info_mode": false, "log_closing_mode": true, "log_level": "undefined", "log_payload_additionnal": false, "log_payload_excerpt": false, "log_payload_record": false, "log_severity": -1}, "authentication_options": {"methods": [], "require_auth": false, "users": []}, "is_disabled": false}

"action": {"action": "discard"... should be the correct Action name, right?
I have checked the rules.py file in the SMC-python project and it clearly states that discard is a valid operation.
Is this a bug with python 3.8.0?

ServerBackupTask fails

Hi,

Trying to call
ServerBackupTask.create(name='Backup', servers=[ManagementServer(name='XXXXXXX')]) raises the error below: Invalid JSON format: At line 1 and column 420, server_target_path is not recognized as JSON attribute. <class 'smc.api.exceptions.CreateElementFailed'>
Several attempts with the parameters did not help (mainly adding the path).
Thank you

VPN Gateway expiration date

Hello

I am trying to get the expiration date, and for that I am using smc.core.engine.VPN
and gateway_certificate.
But the list does not return it!

print(list(engineC0xxxx.vpn.gateway_certificate))

[GatewayCertificate(name=<O=Forcepoint, CN=LISC0xxxxSDW00 - Primary> RSA / SHA-256), GatewayCertificate(name=<O=Forcepoint, CN=LISC0xxxxSDW00 - Primary> RSA / SHA-256)]

Could you give me some tips ?

Best regards
[screenshot: tempsnipVPN_Gateway]

ActiveAlertQuery("Shared Domain").fetch_as_element() never stops

Hi,
I have encountered the following issue with:

  • fp-ngfw-smc-python version: 0.7.0-b23
  • python: 3.8.3

When calling smc_monitoring.monitors.alerts.ActiveAlertQuery("Shared Domain").fetch_as_element() I will get a generator
over the current active alerts as expected, but the generator will never stop.

Corresponding debug output looks like this:

{'fetch': {},
 'format': {'field_format': 'id',
            'resolving': {'senders': True},
            'type': 'texts'},
 'query': {'definition': 'ACTIVE_ALERTS', 'target': 'Shared Domain'}}
Query returned 31 records.

Note the last line that says "Query returned 31 records": this is equal to the number of alerts I retrieve, but the generator gets stuck in an endless loop after running over all alerts. I tried to debug this, but the debugger refuses to jump into the corresponding thread.

Is this an issue with python 3.8.3? I saw that you only support 3.6.

Calling .save() on rule object changes the action to "allow"

Hello,

After updating to a more recent version of this library, we encountered an unexpected change in our automatically generated "jump" rules. The action of these rules was changed to "allow" after calling .save() .

This behavior seems to have been introduced in commit 45faf15 . This commit changed the default of the .update() method to action="allow" . Since the .save() method calls .update() without any arguments, calling .save() on a rule with any other action than "allow" leads to an unexpected change.

As a workaround, I changed our Scripts to directly call the .update() method with the correct action, but this seems to be an unintended consequence of the change in the .update() behavior and should probably be addressed in the library.

Best regards,
Sebastian

AttributeError: 'NoneType' object has no attribute 'href'

Imported libraries:

from icecream import ic
from smc import session
from smc.core.engines import FirewallCluster
from smc.elements.network import Host, Network
from smc.elements.servers import LogServer
import json

Python version:
[screenshot]

fp-NGFW-SMC-python version:
[screenshot]


Hello,

I have an error when I try to create a cluster:
[screenshot]

I think the "LogServer.objects.first()" object does not contain the ".href":
[screenshot]

Do you know if it is still maintained?

Cannot iterate ips_ipv4_access_rules of smc.base.model.SubIpv4IpsPolicyDynamic

Hi,

I am using smc-python 0.6.2 with SMC 6.8 with python 3.8.

I am trying to iterate through our rulesets and I am stuck with subpolicies, as I cannot retrieve the rules contained in there.

# iterate through rules
...
# does not work
if action == "jump":
    for r in rule.action.sub_policy.ips_ipv4_access_rules.all():
        print(r)

All other ways of fetching the subpolicy rules manually failed.

Am I doing something wrong or is this a bug in smc-python?

Thanks

Create fw_ipv4_access_rules with "AND" combination in source

Hello,

I'm trying to import rules from a Cisco FTD into the Forcepoint SMC.
I want the IP address and Zone fields in my rule to be "AND" combined (like in the picture).

What is the code to create a "AND" combination as the source?
I can't find anything in the descriptions.

I tried this one and others, but I always get errors:
source_as_list=[ [source[0] ,source[3]]]
source_as_list=["AND", {source[0] ,source[3]}]

The creation of a rule works fine with my code, but when I use this code I have all elements separated in the rule:

policy.fw_ipv4_access_rules.create(name=rule_name,sources=source_as_list, destinations=dest,services=services, action=actions,log_options=options, is_disabled=disabled,comment=comment, add_pos=add_after_position)

[screenshot: Forcepoint_ngfw_AND_combination]

Thanks in advance

multiples sessions

Hi friends,
Does the repo support multiple session instances, either pointing to the same or different SMC server URLs, with different API keys / API versions?
thanks in advance.

rule_counters no valid message returned

Hello,
I am working on a program that saves all the rules with name, source, destination, service and hits in a CSV. When I try the function rule_counter = policy.rule_counters(engine, duration_type="one_week", duration=0) I get the error message:

Traceback (most recent call last):
  File "C:\Users...\Documents\SMC\halbjaehrliche-fw-regelabfrage\Regelset auslesen\Abfrage.py", line 651, in <module>
    main()
  File "C:\Users...\Documents\SMC\halbjaehrliche-fw-regelabfrage\Regelset auslesen\Abfrage.py", line 463, in main
    rule_counter = policy.rule_counters(engine, duration_type="one_week", duration=0)
  File "C:\Users...\AppData\Local\Programs\Python\Python39\lib\site-packages\smc\policy\policy.py", line 154, in rule_counters
    for rule in self.make_request(method="create", resource="rule_counter", json=json)
  File "C:\Users...\AppData\Local\Programs\Python\Python39\lib\site-packages\smc\base\mixins.py", line 32, in make_request
    result = getattr(request, method)()
  File "C:\Users...\AppData\Local\Programs\Python\Python39\lib\site-packages\smc\api\common.py", line 76, in create
    return self._make_request(method="POST")
  File "C:\Users...\AppData\Local\Programs\Python\Python39\lib\site-packages\smc\api\common.py", line 110, in _make_request
    raise err
smc.api.exceptions.ActionCommandFailed: No valid message returned from SMC server

Can you help? We need the hit number to show whether a rule is useful.

Error with 'interface_id' from InternalEndpoint element

Hello,

I don't know if it's only in my environment, but I get an error when I try to use the 'interface_id' property of an endpoint when this endpoint is set with DHCP:

How to reproduce the error:

Engine interfaces:

from pprint import pprint
from smc.core.engine import Engine

engine = Engine("FOO")

for i in engine.interface:
    pprint(i.data.data)



{'aggregate_mode': 'none',
 'arp_entry': [],
 'cvi_mode': 'none',
 'dhcp_server_on_interface': {'default_gateway': 'X.X.X.X',
                              'default_lease_time': 36000,
                              'dhcp_address_range': 'X.X.X.X-X.X.X.X',
                              'dhcp_range_per_node': [],
                              'domain_name_search_list': 'x;x;x;x',
                              'primary_dns_server': 'X.X.X.X',
                              'secondary_dns_server': 'X.X.X.X'},
 'duplicate_address_detection': True,
 'include_prefix_info_option_flag': False,
 'interface_id': '4',
 'interfaces': [{'single_node_interface': {'address': 'X.X.X.X',
                                           'apn': 'internet',
                                           'auth_request': True,
                                           'auth_request_source': False,
                                           'automatic_default_route': False,
                                           'backup_heartbeat': False,
                                           'backup_mgt': False,
                                           'domain_specific_dns_queries_source': False,
                                           'dynamic': False,
                                           'igmp_mode': 'none',
                                           'key': 268444176,
                                           'network_value': 'X.X.X.X/25',
                                           'nicid': '4',
                                           'nodeid': 1,
                                           'outgoing': True,
                                           'phone_number': '*99#',
                                           'pppoa': False,
                                           'pppoe': False,
                                           'primary_heartbeat': False,
                                           'primary_mgt': False,
                                           'relayed_by_dhcp': False,
                                           'reverse_connection': False,
                                           'vrrp': False,
                                           'vrrp_id': -1,
                                           'vrrp_priority': -1}}],
 'key': 268444809,
 'link': [{'href': 'http://X.X.X.X:8082/6.10/elements/single_fw/268492219/physical_interface/268444809',
           'rel': 'self',
           'type': 'physical_interface'}],
 'lldp_mode': 'disabled',
 'log_moderation': [],
 'managed_address_flag': False,
 'mtu': -1,
 'name': 'Interface 4',
 'other_configuration_flag': False,
 'override_engine_settings': False,
 'override_log_moderation_settings': False,
 'qos_limit': -1,
 'qos_mode': 'no_qos',
 'route_replies_back_mode': False,
 'router_advertisement': False,
 'set_autonomous_address_flag': False,
 'shared_interface': False,
 'syn_mode': 'default',
 'sync_parameter': {'full_sync_interval': 5000,
                    'heartbeat_group_ip': '224.0.0.221',
                    'incr_sync_interval': 50,
                    'statesync_group_ip': '224.0.0.222',
                    'sync_mode': 'sync_all',
                    'sync_security': 'sign'},
 'virtual_engine_vlan_ok': False,
 'virtual_resource_settings': [],
 'vlanInterfaces': []}
{'adjust_antispoofing': True,
 'arp_entry': [],
 'comment': 'VPN Broker - EUA Domain',
 'dhcp_server_on_interface': {'default_lease_time': 7200,
                              'dhcp_range_per_node': []},
 'duplicate_address_detection': True,
 'gateway_ref': 'http://X.X.X.X:8082/6.10/elements/single_fw/268492219/internal_gateway/268437240',
 'include_prefix_info_option_flag': False,
 'interface_id': 'VPN_0',
 'interfaces': [{'single_node_interface': {'address': 'X.X.X.X',
                                           'apn': 'internet',
                                           'auth_request': False,
                                           'auth_request_source': False,
                                           'automatic_default_route': False,
                                           'backup_heartbeat': False,
                                           'backup_mgt': False,
                                           'domain_specific_dns_queries_source': False,
                                           'dynamic': False,
                                           'igmp_mode': 'none',
                                           'key': 268444178,
                                           'network_value': 'X.X.X.X/21',
                                           'nicid': 'VPN_0',
                                           'nodeid': 1,
                                           'outgoing': False,
                                           'phone_number': '*99#',
                                           'pppoa': False,
                                           'pppoe': False,
                                           'primary_heartbeat': False,
                                           'primary_mgt': False,
                                           'relayed_by_dhcp': False,
                                           'reverse_connection': False,
                                           'vrrp': False,
                                           'vrrp_id': -1,
                                           'vrrp_priority': -1}}],
 'key': 268444811,
 'link': [{'href': 'http://X.X.X.X:8082/6.10/elements/single_fw/268492219/vpn_broker_interface/268444811',
           'rel': 'self',
           'type': 'vpn_broker_interface'}],
 'log_moderation': [],
 'mac_address_postfix': 'fa:02:19',
 'managed_address_flag': False,
 'mtu': -1,
 'name': 'VPN Broker Interface  0',
 'other_configuration_flag': False,
 'override_engine_settings': False,
 'override_log_moderation_settings': False,
 'qos_limit': -1,
 'qos_mode': 'no_qos',
 'retrieve_routes': 'true',
 'router_advertisement': False,
 'set_autonomous_address_flag': False,
 'shared_interface': False,
 'shared_secret': '*****',
 'syn_mode': 'default',
 'virtual_resource_settings': [],
 'vpn_broker_domain_ref': 'http:/X.X.X.X8082/6.10/elements/vpn_broker_domain/268435460'}
{'aggregate_mode': 'none',
 'arp_entry': [],
 'cvi_mode': 'none',
 'dhcp_server_on_interface': {'default_lease_time': 7200,
                              'dhcp_range_per_node': []},
 'duplicate_address_detection': True,
 'include_prefix_info_option_flag': False,
 'interface_id': '0',
 'interfaces': [{'single_node_interface': {'apn': 'internet',
                                           'auth_request': False,
                                           'auth_request_source': False,
                                           'automatic_default_route': True,
                                           'backup_heartbeat': False,
                                           'backup_mgt': False,
                                           'domain_specific_dns_queries_source': False,
                                           'dynamic': True,
                                           'dynamic_index': 1,
                                           'igmp_mode': 'none',
                                           'key': 268444177,
                                           'nicid': '0',
                                           'nodeid': 1,
                                           'outgoing': False,
                                           'phone_number': '*99#',
                                           'pppoa': False,
                                           'pppoe': False,
                                           'primary_heartbeat': False,
                                           'primary_mgt': True,
                                           'relayed_by_dhcp': False,
                                           'reverse_connection': True,
                                           'vrrp': False,
                                           'vrrp_id': -1,
                                           'vrrp_priority': -1}}],
 'key': 268444810,
 'link': [{'href': 'http://X.X.X.X:8082/6.10/elements/single_fw/268492219/physical_interface/268444810',
           'rel': 'self',
           'type': 'physical_interface'}],
 'lldp_mode': 'disabled',
 'log_moderation': [],
 'managed_address_flag': False,
 'mtu': -1,
 'name': 'Interface 0',
 'other_configuration_flag': False,
 'override_engine_settings': False,
 'override_log_moderation_settings': False,
 'qos_limit': -1,
 'qos_mode': 'no_qos',
 'route_replies_back_mode': False,
 'router_advertisement': False,
 'set_autonomous_address_flag': False,
 'shared_interface': False,
 'syn_mode': 'default',
 'sync_parameter': {'full_sync_interval': 5000,
                    'heartbeat_group_ip': '224.0.0.221',
                    'incr_sync_interval': 50,
                    'statesync_group_ip': '224.0.0.222',
                    'sync_mode': 'sync_all',
                    'sync_security': 'sign'},
 'virtual_engine_vlan_ok': False,
 'virtual_resource_settings': [],
 'vlanInterfaces': []}

engine.vpn_endpoint
InternalEndpointCollection(items: 3)

vpn_endpoints = engine.vpn_endpoint

for endpoint in vpn_endpoints:
    pprint(endpoint.interface_id)

Result:

'4'
'VPN_0'

Followed by this error:

---------------------------------------------------------------------------
ValueError                                Traceback (most recent call last)
<ipython-input-15-d277499e4914> in <module>
      1 for endpoint in vpn_endpoints:
----> 2     pprint(endpoint.interface_id)
      3 
      4 

~/Documents/newlode/dev/cust-bv-sase-ipsec/.direnv/python-3.6/lib/python3.6/site-packages/smc/core/engine.py in interface_id(self)
   2164         :return: str interface id
   2165         """
-> 2166         return self.physical_interface.interface_id
   2167 
   2168     @property

~/Documents/newlode/dev/cust-bv-sase-ipsec/.direnv/python-3.6/lib/python3.6/site-packages/smc/core/interfaces.py in interface_id(self)
    706         :rtype: str
    707         """
--> 708         return self.data.get("interface_id")
    709 
    710     @interface_id.setter

~/Documents/newlode/dev/cust-bv-sase-ipsec/.direnv/python-3.6/lib/python3.6/site-packages/smc/base/decorators.py in __get__(self, obj, cls)
     95         if obj is None:
     96             return self
---> 97         value = obj.__dict__[self.func.__name__] = self.func(obj)
     98         return value
     99 

~/Documents/newlode/dev/cust-bv-sase-ipsec/.direnv/python-3.6/lib/python3.6/site-packages/smc/base/model.py in data(self)
    384     @cached_property
    385     def data(self):
--> 386         return LoadElement(self.href)
    387 
    388     @property

~/Documents/newlode/dev/cust-bv-sase-ipsec/.direnv/python-3.6/lib/python3.6/site-packages/smc/base/model.py in LoadElement(href, only_etag)
    113     if only_etag:
    114         return result.etag
--> 115     return ElementCache(result.json, etag=result.etag)
    116 
    117 

~/Documents/newlode/dev/cust-bv-sase-ipsec/.direnv/python-3.6/lib/python3.6/site-packages/smc/base/model.py in __init__(self, data, **kw)
    170     def __init__(self, data=None, **kw):
    171         self._etag = kw.pop("etag", None)
--> 172         super(ElementCache, self).__init__(data=data if data else {})
    173 
    174     def etag(self, href):

~/Documents/newlode/dev/cust-bv-sase-ipsec/.direnv/python-3.6/lib/python3.6/site-packages/smc/base/structs.py in __init__(self, data, **kwargs)
    156     def __init__(self, data=None, **kwargs):
    157         self.data = data if data else {}
--> 158         self.update(self.data, **kwargs)
    159 
    160     def __setitem__(self, key, value):

~/.pyenv/versions/3.6.15/lib/python3.6/_collections_abc.py in update(*args, **kwds)
    844                     self[key] = other[key]
    845             else:
--> 846                 for key, value in other:
    847                     self[key] = value
    848         for key, value in kwds.items():

ValueError: too many values to unpack (expected 2)

The Endpoint data :

{'address': '10.157.24.1',
 'connection_type_ref': 'http://X.X.X.X:8082/6.10/elements/connection_type/1',
 'deducted_name': '10.157.24.1',
 'dynamic': False,
 'enabled': False,
 'force_nat_t': False,
 'ike_phase1_id_type': 3,
 'ipsec_vpn': True,
 'key': 268443370,
 'link': [{'href': 'http://X.X.X.X:8082/6.10/elements/single_fw/268492219/internal_gateway/268437240/internal_endpoint/268443370',
           'rel': 'self',
           'type': 'internal_endpoint'},
          {'href': 'http://X.X.X.X:8082/6.10/elements/single_fw/268492219/internal_gateway/268437240/internal_endpoint/268443370/history',
           'rel': 'history'},
          {'href': 'http://X.X.X.X:8082/6.10/elements/single_fw/268492219/internal_gateway/268437240/internal_endpoint/268443370/lock',
           'rel': 'lock'}],
 'locked': False,
 'nat_t': True,
 'physical_interface': 'http://X.X.X.X:8082/6.10/elements/single_fw/268492219/physical_interface/268444809',
 'read_only': False,
 'ssl_vpn_portal': True,
 'ssl_vpn_tunnel': True,
 'system': False,
 'system_key': -1,
 'trashed': False,
 'udp_encapsulation': False}
{'address': '172.16.2.30',
 'connection_type_ref': 'http://X.X.X.X:8082/6.10/elements/connection_type/1',
 'deducted_name': '172.16.2.30',
 'dynamic': False,
 'enabled': False,
 'force_nat_t': False,
 'ike_phase1_id_type': 3,
 'ipsec_vpn': True,
 'key': 268443371,
 'link': [{'href': 'http://X.X.X.X:8082/6.10/elements/single_fw/268492219/internal_gateway/268437240/internal_endpoint/268443371',
           'rel': 'self',
           'type': 'internal_endpoint'},
          {'href': 'http://X.X.X.X:8082/6.10/elements/single_fw/268492219/internal_gateway/268437240/internal_endpoint/268443371/history',
           'rel': 'history'},
          {'href': 'http://X.X.X.X:8082/6.10/elements/single_fw/268492219/internal_gateway/268437240/internal_endpoint/268443371/lock',
           'rel': 'lock'}],
 'locked': False,
 'nat_t': True,
 'physical_interface': 'http://X.X.X.X:8082/6.10/elements/single_fw/268492219/vpn_broker_interface/268444811',
 'read_only': False,
 'ssl_vpn_portal': True,
 'ssl_vpn_tunnel': True,
 'system': False,
 'system_key': -1,
 'trashed': False,
 'udp_encapsulation': False}
{'connection_type_ref': 'http://X.X.X.X:8082/6.10/elements/connection_type/268435467',
 'deducted_name': 'First DHCP Interface ip',
 'dynamic': True,
 'enabled': True,
 'force_nat_t': False,
 'ike_phase1_id_type': 1,
 'ike_phase1_id_value': '[email protected]',
 'ipsec_vpn': True,
 'key': 268443372,
 'link': [{'href': 'http://X.X.X.X:8082/6.10/elements/single_fw/268492219/internal_gateway/268437240/internal_endpoint/268443372',
           'rel': 'self',
           'type': 'internal_endpoint'},
          {'href': 'http://X.X.X.X:8082/6.10/elements/single_fw/268492219/internal_gateway/268437240/internal_endpoint/268443372/history',
           'rel': 'history'},
          {'href': 'http://X.X.X.X:8082/6.10/elements/single_fw/268492219/internal_gateway/268437240/internal_endpoint/268443372/lock',
           'rel': 'lock'}],
 'locked': False,
 'nat_t': True,
 'read_only': False,
 'ssl_vpn_portal': False,
 'ssl_vpn_tunnel': False,
 'system': False,
 'system_key': -1,
 'trashed': False,
 'udp_encapsulation': False}

As you can see, we don't have the key "physical_interface" in Endpoint 3 (DHCP mode).

Information about my environment:

session.api_version = 6.10

pip list | grep SMC                                                                                                                                                             
fp-NGFW-SMC-python 1.0.21

Thank you in advance for your help

Kind regards,
Fgazelot

Cannot Create FirewallCluster

Hello

When I try to create a firewall cluster, I always get the same error:

I don't have this kind of error when creating an L3 Firewall...

Maybe something missing in the module ?
I'm on SMC 6.8

Thanks for help
Regards

smc.api.exceptions.CreateElementFailed: No message returned from SMC server

Hi,
While trying a new Firewall subpolicy I get this error message here:

Using SMC API version: 6.7
Traceback (most recent call last):
  File "/usr/lib/python3.8/runpy.py", line 194, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "/usr/lib/python3.8/runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "/home/chris/.vscode-oss/extensions/ms-python.python-2020.7.96456/pythonFiles/lib/python/debugpy/__main__.py", line 45, in <module>
    cli.main()
  File "/home/chris/.vscode-oss/extensions/ms-python.python-2020.7.96456/pythonFiles/lib/python/debugpy/../debugpy/server/cli.py", line 430, in main
    run()
  File "/home/chris/.vscode-oss/extensions/ms-python.python-2020.7.96456/pythonFiles/lib/python/debugpy/../debugpy/server/cli.py", line 267, in run_file
    runpy.run_path(options.target, run_name=compat.force_str("__main__"))
  File "/usr/lib/python3.8/runpy.py", line 265, in run_path
    return _run_module_code(code, init_globals, run_name,
  File "/usr/lib/python3.8/runpy.py", line 97, in _run_module_code
    _run_code(code, mod_globals, init_globals,
  File "/usr/lib/python3.8/runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "/home/chris/avency/avency-blockctl/avency-blockctl.py", line 247, in <module>
    Blockctl()   
  File "/home/chris/avency/avency-blockctl/avency-blockctl.py", line 238, in __init__
    self.apply_blocklists(config, args)
  File "/home/chris/avency/avency-blockctl/avency-blockctl.py", line 180, in apply_blocklists
    policy = smc.policy.layer3.FirewallSubPolicy.create('avency-blockctl')
  File "/home/chris/.virtualenvs/avency-blockctl/lib/python3.8/site-packages/smc/policy/layer3.py", line 189, in create
    return ElementCreator(cls, json={'name': name})
  File "/home/chris/.virtualenvs/avency-blockctl/lib/python3.8/site-packages/smc/base/decorators.py", line 103, in run
    return function(cls, json, **kwargs)
  File "/home/chris/.virtualenvs/avency-blockctl/lib/python3.8/site-packages/smc/base/model.py", line 115, in ElementCreator
    result = SMCRequest(
  File "/home/chris/.virtualenvs/avency-blockctl/lib/python3.8/site-packages/smc/api/common.py", line 66, in create
    return self._make_request(method='POST')
  File "/home/chris/.virtualenvs/avency-blockctl/lib/python3.8/site-packages/smc/api/common.py", line 101, in _make_request
    raise err
smc.api.exceptions.CreateElementFailed: No message returned from SMC server
Logout status was unexpected. Received response with status code: 500

API Version is: "6.7"
Python 3.8
I tested this with the latest tag from this repo and the develop branch from @gabstopper

"No message returned from SMC server" is not very verbose... is this maybe a permission problem?

Viewing an Alias' references does not show the element referenced in the Alias, only the address.

When dereferencing an Alias object using a firewall engine name, the information returned is a list of addresses which are part of the firewall engine's Alias translation, but there is seemingly no tie in to obtain information regarding what specific elements are being referenced in the Alias. For instance, I am currently working on a deduplication/cleanup script which consolidates multiple elements into one element by moving their references to the master element, then deleting the old elements. Let us use this example scenario.

The following objects exist:
A host element with name "Host1" and address "1.2.3.4"
A host element with name "Host2" and address "1.2.3.4"
An Alias object with name "Alias1"
A firewall engine with name "Engine1"
Engine1's alias translation for Alias1 contains Host2

Let us say we are trying to move all references of Host2 to Host1 in order to delete Host2 and get rid of this duplicated element. Host2 is referenced in Engine1's address translation for Alias1. If we dereference the alias using the following code, all we can identify is that Engine1's translation for Alias1 contains IP address "1.2.3.4".

alias = Alias('Alias1')
alias.resolve('Engine1')
# this would return ['1.2.3.4']

Within the GUI, I can identify which specific element is being referenced in that alias object. I cannot see a way to identify if Host1 or Host2 are being referenced in the Alias via smc-python. My goal is to be able to remove Host2 from this alias and add Host1 to this alias. Is there a better method known to overcome this roadblock, or is this a limitation on the capabilities of the API?

Enable/Disable sites in Policy Based VPN Topology

Hello,

Is it possible to enable or disable VPN Site in Policy Based VPN Topology ?

I am doing something like that :

pb_vpn = PolicyVPN.get("VPN_name")
pb_vpn.open()
list(list(pb_vpn.satellite_gateway_node)[0].enabled_sites)
list(list(pb_vpn.satellite_gateway_node)[0].disabled_sites)

=> I can see enabled and disabled sites

But when trying to update :

list(pb_vpn.satellite_gateway_node)[0].update(enabled_sites=[])
>>> smc.api.exceptions.UpdateElementFailed: Invalid JSON format: At line 1 and column 713, enabled_sites is not recognized as JSON attribute.

Do you know if there is another way to do this please ?

Go SDK?

Hi,

is there any Go SDK for the SMC API? This repository is about the Python version and I hope that there might be a Go SDK, too.

Route-Based VPN tunnels

Hello,

I am able to configure tunnels in Policy-Based VPN with PolicyVPN > tunnels > endpoint_tunnels:

pb_vpn = PolicyVPN("my_pb_vpn")
for tunnel in pb_vpn.tunnels:
     for endpoint_tunnel in tunnel.endpoint_tunnels:
          print(endpoint_tunnel)

I can't find the same for the Route-Base VPN:

rb_vpn = RouteVPN("my_rb_vpn")
rb_vpn.tunnels
>>> AttributeError: <class 'smc.vpn.route.RouteVPN'> object has no attribute 'tunnels'

Is there a way to access it?

Best regards,
Etienne

Service creation JSON attribute error (protocol_agent_ref)

Hello,

I was trying to create a service but I get the "protocol_agent_ref is not recognized as JSON attribute"

TCPService.create('tcpservice', 5000, comment='my service')

but I get the following error:

  File "c:/Users/aaa/Desktop/python/test.py", line 82, in <module>
    service = UDPService.create('tcpservice', 5000, comment='my service')
  File "C:\Users\aaa\AppData\Local\Programs\Python\Python36\lib\site-packages\smc\elements\service.py", line 138, in create
    return ElementCreator(cls, json)
  File "C:\Users\aaa\AppData\Local\Programs\Python\Python36\lib\site-packages\smc\base\decorators.py", line 113, in run
    return function(cls, json, **kwargs)
  File "C:\Users\aaa\AppData\Local\Programs\Python\Python36\lib\site-packages\smc\base\model.py", line 126, in ElementCreator
    result = SMCRequest(href=href, json=json, **kwargs).create()
  File "C:\Users\aaa\AppData\Local\Programs\Python\Python36\lib\site-packages\smc\api\common.py", line 76, in create
    return self._make_request(method="POST")
  File "C:\Users\aaa\AppData\Local\Programs\Python\Python36\lib\site-packages\smc\api\common.py", line 110, in _make_request
    raise err
smc.api.exceptions.CreateElementFailed: Invalid JSON format: At line 1 and column 136, protocol_agent_ref is not recognized as JSON attribute.

Integration with SMC Version 6.8 // Issue with updating group members

Hi everyone,
Is there already an estimation to when SMC 6.8 will be supported? Or is this even planned?

Currently I'm having some issues with a script, as there seem to be some changes regarding the group API entry points. At least the methods which I used in 6.7 don't work anymore.

Best Regards
Alrexxar

add an IP configuration on a tunnel interface without IP

Hello, I have a small problem adding an IP address to an existing tunnel interface.

I am having trouble adding an IP address to an existing tunnel interface on a clusterengine. Specifically, I am trying to add a /32 IP address to a tunnel interface that does not have a 'CVI Only' subinterface. I've tried several methods described in the documentation, but I keep running into JSON format errors. I have been working on this problem for two days now and could use some help.

here is my code

for interface in cluster.tunnel_interface.all():
    if interface.name == "Tunnel Interface 1000":
        print(interface.addresses)
        # payload sent to update(); this is the request that produces the error below
        payload = {
            "interfaces": [{"cluster_virtual": "77.77.77.77",
                            "network_value": "77.77.77.77/32"}]
        }
        interface.update(**payload)

.api.exceptions.UpdateElementFailed: Invalid JSON format: Could not resolve type id 'cluster_virtual' as a subtype of com.stonesoft.api.v14.elements.dto.storable.engine.EngineInterfaceDTO: known type ids = [capture_interface, cluster_virtual_interface, inline_interface, inline_ips_interface, inline_l2fw_interface, node_interface, single_node_interface] (for POJO property 'interfaces') at [line: 1, column: 262] (from: ArrayList[0]).

but when I want to change the address of an existing tunnel, I can do it

for interface in cluster.tunnel_interface.all():
    if interface.name == "Tunnel Interface 1002":
        for intf in interface.sub_interfaces():
            if intf.address == "192.168.1.2":
                new_payload = {"comment": "tunnel1002",
                               "address": "192.168.1.1",
                               "network_value": "192.168.1.1/32"}
                # update the matching sub interface, then save the parent interface
                intf.update(**new_payload)
        interface.update()

I thank you for your help and hope to hear back from you about my problem.

AttributeError when importing smc module

Hello,

since recently I get the following error when importing "smc"; I don't remember changing anything apart from general updating via "apt upgrade". I even tried with a fresh user "test":

$ cat test.py
#!/usr/bin/env python3
import smc
$ ./test.py 
Traceback (most recent call last):
  File "/home/test/ngfw/./test.py", line 2, in <module>
    import smc
  File "/home/test/.local/lib/python3.10/site-packages/smc/__init__.py", line 2, in <module>
    import smc.api.session
  File "/home/test/.local/lib/python3.10/site-packages/smc/api/session.py", line 9, in <module>
    from smc.api.entry_point import Resource
  File "/home/test/.local/lib/python3.10/site-packages/smc/api/entry_point.py", line 6, in <module>
    from smc.base.structs import SerializedIterable
  File "/home/test/.local/lib/python3.10/site-packages/smc/base/structs.py", line 126, in <module>
    class NestedDict(collections.MutableMapping): 
AttributeError: module 'collections' has no attribute 'MutableMapping'
$ cat /etc/os-release 
PRETTY_NAME="Ubuntu 22.10"
NAME="Ubuntu"
VERSION_ID="22.10"
VERSION="22.10 (Kinetic Kudu)"
VERSION_CODENAME=kinetic
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=kinetic
LOGO=ubuntu-logo
$ dpkg --list python3-pip python3
...
ii  python3        3.10.6-1             amd64        interactive high-level object-oriented language (default python3 version)
ii  python3-pip    22.2+dfsg-1ubuntu0.2 all          Python package installer

I tried reinstalling the package via pip3 install --force-reinstall smc-python without success.

Kind thanks for any idea how I got there and how to repair it.

How change tunnel Mode in PolicyVPN

Hello,

I don't know if I missed something or if it's a library limitation or an SMC API limitation.

But I don't find a way to change the tunnel mode on a PolicyVPN from standby to active or the reverse...

policy_vpn = get_policy_vpn(policy_vpn_name)
policy_vpn.open()

policy_vpn_tunnels = list(policy_vpn.tunnels)

for t in policy_vpn_tunnels:
    l_endpoint_tunnels = t.endpoint_tunnels.get_all_contains(primary_pop, case_sensitive=False)
    for endpoint_tunnel in l_endpoint_tunnels:
        pprint(endpoint_tunnel.data.data)

Return example:

{'enabled': False,
 'endpoint_1': 'http://X.X.X.X:8082/6.10/elements/single_fw/5561/internal_gateway/1331/internal_endpoint/1330',
 'endpoint_2': 'http://X.X.X.X:8082/6.10/elements/external_gateway/1350/external_endpoint/1642',
 'key': 0,
 'link': [{'href': 'http://X.X.X.X:8082/6.10/elements/vpn/1/tunnels/MTMzMSMxMzUw/endpoints/MTMzMCMxNjQy',
           'rel': 'self',
           'type': 'gateway_endpoint_tunnel'}],
 'name': 'Gateway EndPoint Tunnel Endpoint 1330-akl1'}

We can't see any key "mode" for these tunnels or make a change to this option.

Information about my environment:

session.api_version = 6.10

pip list | grep SMC                                                                                                                                                             
fp-NGFW-SMC-python 1.0.21

Thank you in advance for your help.

Kind regards,
Fgazelot

Empty blacklist entries block script

Hello,

I'm working on a script to add/remove blacklist entries automatically.
To optimize my API calls, I get the list of current blacklist entries.
But if the blacklist entries are empty, my script is stuck.

How to reproduce

The blacklist entries need to be empty.

query = BlacklistQuery("TEST-CLUSTER")
for bl in query.fetch_as_element():
    print(bl)

You will be stuck at the statement query.fetch_as_element()

Where is the problem

If you call query.fetch_as_element(), you will call the method inside smc_monitoring/monitors/blacklist.py

Extract:

for list_of_results in clone.fetch_raw(**kw):
    for entry in list_of_results:
        data = entry.get('bldata')
        data.update(**entry.get('blid'))
        yield BlacklistEntry(**data)

The problem is inside the method fetch_raw from smc_monitoring/models/query.py

Extract:

with SMCSocketProtocol(self, **self.sockopt) as protocol:
    for result in protocol.receive():
        if 'records' in result and result['records'].get('added'):
            yield result['records']['added']
            iteration += 1

If 'records' is not in result, you will never reach the 'yield' statement and block here.

You will need to change the function to something like:

with SMCSocketProtocol(self, **self.sockopt) as protocol:
    for result in protocol.receive():
        if 'records' in result and result['records'].get('added'):
            yield result['records']['added']
            iteration += 1
        else:
            return

Or maybe there is something I don't understand about how the API works.
Thanks in advance.

Regards, Chris.
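As an added example (not code from smc_monitoring), here is a constructed model of the two fetch_raw variants and the fetch_as_element merge described in the post, with a FakeProtocol standing in for SMCSocketProtocol so the empty-blacklist case can be exercised offline. The message shapes ('records' -> 'added', entries carrying 'bldata' and 'blid') follow the extracts above; the field names inside the sample entries are assumptions.

```python
# Added example, not code from smc_monitoring: models the generator logic
# quoted in the post so the "stuck on empty blacklist" behaviour is visible.


class WouldBlock(Exception):
    """Raised by FakeProtocol at the point where a real socket would wait."""


class FakeProtocol:
    """Stand-in for SMCSocketProtocol (assumption: a context manager whose
    receive() yields decoded JSON messages from the web socket)."""

    def __init__(self, messages):
        self._messages = list(messages)

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False  # do not swallow exceptions

    def receive(self):
        for message in self._messages:
            yield message
        # A real web socket would now block waiting for more data; surface
        # that as an exception so the hang can be observed in a test.
        raise WouldBlock("no more messages; a real socket would wait here")


def fetch_raw_original(protocol):
    """Loop as quoted from smc_monitoring/models/query.py: a message without
    'records'/'added' is skipped, so with an empty blacklist 'yield' is never
    reached and the loop keeps waiting on the socket."""
    with protocol:
        for result in protocol.receive():
            if 'records' in result and result['records'].get('added'):
                yield result['records']['added']


def fetch_raw_fixed(protocol):
    """The change proposed in the post: leave the generator as soon as a
    message carries no added records."""
    with protocol:
        for result in protocol.receive():
            if 'records' in result and result['records'].get('added'):
                yield result['records']['added']
            else:
                return


def fetch_as_element(fetch_raw, protocol):
    """Mirror of fetch_as_element from monitors/blacklist.py: flatten each
    batch and merge 'bldata' with 'blid' (a plain dict stands in for
    BlacklistEntry)."""
    for list_of_results in fetch_raw(protocol):
        for entry in list_of_results:
            data = dict(entry.get('bldata') or {})
            data.update(**(entry.get('blid') or {}))
            yield data


# Constructed sample messages in the shape the post shows.
POPULATED_STREAM = [
    {'records': {'added': [
        {'bldata': {'src': '10.0.0.5/32', 'dst': 'any', 'duration': 3600},
         'blid': {'blacklist_id': 1}},
        {'bldata': {'src': '192.0.2.9/32', 'dst': 'any', 'duration': 60},
         'blid': {'blacklist_id': 2}},
    ]}},
    {'records': {}},  # server reports nothing further
]
EMPTY_STREAM = [{'records': {}}]  # an engine with no blacklist entries at all


def entries(fetch_raw, stream):
    """Run one fetch_raw variant over a constructed stream; return the
    merged entries as a list."""
    return list(fetch_as_element(fetch_raw, FakeProtocol(stream)))


def hangs(fetch_raw, stream):
    """True if the variant would keep waiting on the socket (WouldBlock)."""
    try:
        entries(fetch_raw, stream)
    except WouldBlock:
        return True
    return False


if __name__ == '__main__':
    print(entries(fetch_raw_fixed, POPULATED_STREAM))
    print('original hangs on empty list:', hangs(fetch_raw_original, EMPTY_STREAM))
    print('fixed hangs on empty list:', hangs(fetch_raw_fixed, EMPTY_STREAM))
```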

smc_monitoring: SessionNotFound

Hello,

I get some SessionNotFound while using smc_monitoring although I can use this exact session perfectly fine when I use things from the smc module.

As follows some rudimentary script:

$ cat log.py
#!/usr/bin/env python3.11
from smc_monitoring.wsocket import session      
from smc_monitoring.monitors.logs import LogQuery
try:
    session.login(alt_filepath='.smcrc')
    query = LogQuery()
    print(list(query.fetch_batch()))
finally: session.logout()
$ ./log.py
Traceback (most recent call last):
  File "/home/user/log.py", line 7, in <module>
    print(list(query.fetch_batch()))
          ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/user/.local/lib/python3.11/site-packages/smc_monitoring/monitors/logs.py", line 198, in fetch_batch
    fmt = formatter(clone)
          ^^^^^^^^^^^^^^^^
  File "/home/user/.local/lib/python3.11/site-packages/smc_monitoring/models/formatters.py", line 147, in __init__
    super(TableFormat, self).__init__(query)
  File "/home/user/.local/lib/python3.11/site-packages/smc_monitoring/models/formatters.py", line 86, in __init__
    fields = query.resolve_field_ids(field_ids, **query.sockopt)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/user/.local/lib/python3.11/site-packages/smc_monitoring/models/query.py", line 240, in resolve_field_ids
    for fields in query.execute():
  File "/home/user/.local/lib/python3.11/site-packages/smc_monitoring/models/query.py", line 274, in execute
    with SMCSocketProtocol(self, **self.sockopt) as protocol:
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/user/.local/lib/python3.11/site-packages/smc_monitoring/wsocket.py", line 77, in __init__
    raise SessionNotFound(
smc_monitoring.wsocket.SessionNotFound: No SMC session found. You must first obtain an SMC session through session.login before making a web socket connection.

I installed the extension via:

$ python3.11 -m pip install fp-NGFW-SMC-python-monitoring
Defaulting to user installation because normal site-packages is not writeable
Requirement already satisfied: fp-NGFW-SMC-python-monitoring in /home/user/.local/lib/python3.11/site-packages (1.4.0)
Requirement already satisfied: fp-NGFW-SMC-python>=1.0.0 in /home/user/.local/lib/python3.11/site-packages (from fp-NGFW-SMC-python-monitoring) (1.0.19)
Requirement already satisfied: websocket-client>=0.48.0 in /home/user/.local/lib/python3.11/site-packages (from fp-NGFW-SMC-python-monitoring) (1.5.1)
Requirement already satisfied: pytz>=2021.1 in /home/user/.local/lib/python3.11/site-packages (from fp-NGFW-SMC-python>=1.0.0->fp-NGFW-SMC-python-monitoring) (2023.3)
Requirement already satisfied: requests>=2.12.0 in /home/user/.local/lib/python3.11/site-packages (from fp-NGFW-SMC-python>=1.0.0->fp-NGFW-SMC-python-monitoring) (2.30.0)
Requirement already satisfied: charset-normalizer<4,>=2 in /home/user/.local/lib/python3.11/site-packages (from requests>=2.12.0->fp-NGFW-SMC-python>=1.0.0->fp-NGFW-SMC-python-monitoring) (3.1.0)
Requirement already satisfied: certifi>=2017.4.17 in /home/user/.local/lib/python3.11/site-packages (from requests>=2.12.0->fp-NGFW-SMC-python>=1.0.0->fp-NGFW-SMC-python-monitoring) (2023.5.7)
Requirement already satisfied: urllib3<3,>=1.21.1 in /home/user/.local/lib/python3.11/site-packages (from requests>=2.12.0->fp-NGFW-SMC-python>=1.0.0->fp-NGFW-SMC-python-monitoring) (2.0.2)
Requirement already satisfied: idna<4,>=2.5 in /home/user/.local/lib/python3.11/site-packages (from requests>=2.12.0->fp-NGFW-SMC-python>=1.0.0->fp-NGFW-SMC-python-monitoring) (3.4)

I'm not exactly sure why it isn't visible as installed; nonetheless, I'm able to use (i.e. import) it:

$ pip3 list | egrep -i 'smc'
fp-NGFW-SMC-python     1.0.19

Thanks in advance,
Sam

Wrong version number in "smc/__version__"

Hello,

It's only a detail, but in the changes for 1.0.20 you forgot to upgrade this file:

__version__ = '1.0.19'

How to reproduce the issue:

  1. Install the 1.0.20 version:
fgt in lin-fgt in ~/tmp via (env) 
❯ pip install git+https://github.com/Forcepoint/[email protected]

Collecting git+https://github.com/Forcepoint/fp-NGFW-SMC-python.git
  Cloning https://github.com/Forcepoint/fp-NGFW-SMC-python.git to /tmp/pip-req-build-b77pvzkj
Collecting requests>=2.12.0 (from fp-NGFW-SMC-python==1.0.19)
  Using cached https://files.pythonhosted.org/packages/2d/61/08076519c80041bc0ffa1a8af0cbd3bf3e2b62af10435d269a9d0f40564d/requests-2.27.1-py2.py3-none-any.whl
Collecting pytz>=2021.1 (from fp-NGFW-SMC-python==1.0.19)
  Using cached https://files.pythonhosted.org/packages/2e/09/fbd3c46dce130958ee8e0090f910f1fe39e502cc5ba0aadca1e8a2b932e5/pytz-2022.7.1-py2.py3-none-any.whl
Collecting charset-normalizer~=2.0.0; python_version >= "3" (from requests>=2.12.0->fp-NGFW-SMC-python==1.0.19)
  Using cached https://files.pythonhosted.org/packages/06/b3/24afc8868eba069a7f03650ac750a778862dc34941a4bebeb58706715726/charset_normalizer-2.0.12-py3-none-any.whl
Collecting idna<4,>=2.5; python_version >= "3" (from requests>=2.12.0->fp-NGFW-SMC-python==1.0.19)
  Using cached https://files.pythonhosted.org/packages/fc/34/3030de6f1370931b9dbb4dad48f6ab1015ab1d32447850b9fc94e60097be/idna-3.4-py3-none-any.whl
Collecting urllib3<1.27,>=1.21.1 (from requests>=2.12.0->fp-NGFW-SMC-python==1.0.19)
  Using cached https://files.pythonhosted.org/packages/fe/ca/466766e20b767ddb9b951202542310cba37ea5f2d792dae7589f1741af58/urllib3-1.26.14-py2.py3-none-any.whl
Collecting certifi>=2017.4.17 (from requests>=2.12.0->fp-NGFW-SMC-python==1.0.19)
  Using cached https://files.pythonhosted.org/packages/71/4c/3db2b8021bd6f2f0ceb0e088d6b2d49147671f25832fb17970e9b583d742/certifi-2022.12.7-py3-none-any.whl
Installing collected packages: charset-normalizer, idna, urllib3, certifi, requests, pytz, fp-NGFW-SMC-python
  Running setup.py install for fp-NGFW-SMC-python ... done
Successfully installed certifi-2022.12.7 charset-normalizer-2.0.12 fp-NGFW-SMC-python-1.0.19 idna-3.4 pytz-2022.7.1 requests-2.27.1 urllib3-1.26.14
  2. Check the version:
fgt in lin-fgt in ~/tmp via  (env) took 3s 
❯ pip show fp-NGFW-SMC-python

Name: fp-NGFW-SMC-python
Version: 1.0.19
Summary: Python based API to Forcepoint NGFW Management Center
Home-page: http://github.com/Forcepoint/fp-NGFW-SMC-python
Author: Forcepoint
Author-email: [email protected]
License: Apache 2.0
Location: /home/fgt/tmp/env/lib/python3.6/site-packages
Requires: requests, pytz
Required-by: 

The requirement for the latest fp-NGFW-SMC-ansible version is "fp-NGFW-SMC-python >=1.0.20":
https://github.com/Forcepoint/fp-NGFW-SMC-ansible

Kind regards,
Fgazelot

Setting standby mode on a TunnelInterface

Hi,
I am trying to set the TunnelInterface to 'standby' by calling int.update( ... , balancing_mode='standby') but I get the error below.
Invalid JSON format: At line 1 and column 839, balancing_mode is not recognized as JSON attribute. <class 'smc.api.exceptions.UpdateElementFailed'>
I mention that enabled=True is working.
Thank you

Update an IPv4 Access Rule

Hello,

I try to update an IPv4 Access Rule. It doesn't work with the rule.update() method or the rule.save() method.
Is it possible to update a rule?
I use fp-NGFW-SMC-python==0.7.0b26 and SMC 6.5.17.

With the update method and a host object or the href of a host object:

policy = FirewallPolicy("policy_name")
rule = list(policy.fw_ipv4_access_rules)[-1]
one_host = Host("host_name")
rule.update(sources=[one_host])
rule.update(sources=[one_host.href])

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "C:\Users\user_name\AppData\Local\Programs\Python\Python37\lib\site-packages\smc\policy\rule.py", line 290, in update
    result = super(Rule, self).update(PolicyCommandFailed, **kwargs)
  File "C:\Users\user_name\AppData\Local\Programs\Python\Python37\lib\site-packages\smc\base\model.py", line 494, in update
    result = request.update()
  File "C:\Users\user_name\AppData\Local\Programs\Python\Python37\lib\site-packages\smc\api\common.py", line 72, in update
    return self._make_request(method='PUT')
  File "C:\Users\user_name\AppData\Local\Programs\Python\Python37\lib\site-packages\smc\api\common.py", line 101, in _make_request
    raise err
smc.api.exceptions.PolicyCommandFailed: Invalid JSON format: Cannot deserialize instance of `com.stonesoft.api.v11.elements.dto.storable.policy.SrcMatchPartDTO` out of START_ARRAY token at [line: 1, column: 1558] (from: FWIPv4AccessRuleDTO["sources"]).

With the save method:

rule.sources.src = [one_host.href]
rule.save()
rule.sources.src
>>> list of href before change

Best regards,
Etienne MILON

Routing and find all networks related to some host

Hi,
I have two open issues from the previous session and I thought it would be better to gather them neatly here:

  1. Given a specific host, get all the subnets in the SMC that contain it, like the 'referenced_by' attribute, but currently this attribute doesn't contain networks.
     For example, I have this naive code:

import ipaddress
from smc.elements.network import Network

def find_all_networks_contain_host(host_IP):
    # walk every Network element in the SMC and keep those whose
    # ipv4_network prefix contains the host address
    all_relevant_subnets = []
    host_address = ipaddress.ip_address(host_IP)
    for subnet in list(Network.objects.all()):
        if 'ipv4_network' in subnet.data:
            curr_network = ipaddress.ip_network(str(subnet.data['ipv4_network']))
            if host_address in curr_network:
                all_relevant_subnets.append(subnet)
    print(all_relevant_subnets)

If there were a way to directly get all the networks that contain a particular host without going through all the networks that exist in the SMC, it would be very useful for a lot of applications.

  2. Given a specific host, find behind which cluster it is routed in the firewall, something like "query route" in the GUI.
     Currently I have only some naive code that takes a lot of time to run.

I'm working on some project of real-time rules search in the firewall and currently these two issues prevent me from running it in a reasonable amount of time. I would love to have your help:)

Thanks

Issue with MultilinkMember.create in SMC 6.8

Hello,

I'm working on the migration of my script that worked on SMC 6.5 to SMC 6.8, and making the switch from "smc-python" to "fp-NGFW-SMC-python" at the same time.

When I try to create my MultilinkMember for my Multilink, I have this issue:

Traceback (most recent call last):
  File "test-oml.py", line 46, in <module>
    create_multilinks()
  File "test-oml.py", line 26, in create_multilinks
    l_ml_member.extend(MultilinkMember.create(netlink=snl1, netlink_role='active', ip_range='6.1.1.1-6.1.1.254'))
  File "/home/fgt/Documents/newlode/dev/ats-test-68/atsRunSdwan/env/lib/python3.8/site-packages/smc/elements/netlink.py", line 523, in create
    member_def.update(network_ref=netlink.network[0].href)
IndexError: list index out of range

I have created a little script to reproduce the issue; in this script I have this function:

def create_multilinks():

    snl1 = list(Search.objects.all().filter('SNL_Premier-ISP'))[0]
    snl2 = list(Search.objects.all().filter('SNL_Second-ISP'))[0]
    l_ml_member = list()
    print('SNL1\n', snl1.data.data)
    print('SNL2\n', snl2.data.data)

    print('SNL1.network\n', snl1.network)
    print('SNL2.network\n', snl2.network)

    l_ml_member.extend(MultilinkMember.create(netlink=snl1, netlink_role='active', ip_range='6.1.1.1-6.1.1.254'))
    l_ml_member.extend(MultilinkMember.create(netlink=snl2, netlink_role='standby', ip_range='1.1.2.1-1.1.2.254'))

    res = Multilink.update_or_create(with_status=True,
                                     name="OML_TEST",
                                     multilink_members=l_ml_member)

    return res 

The output of my prints:

SNL1
 {'active_mode_period': 5, 'active_mode_timeout': 1, 'domain_server_address': [], 'gateway_ref': 'http://X.X.X.X:8082/6.5/elements/router/7249', 'key': 7250, 'link': [{'href': 'http://X.X.X.X8082/6.5/elements/netlink/7250', 'rel': 'self', 'type': 'netlink'}, {'href': 'http://X.X.X.X.68:8082/6.5/elements/netlink/7250/export', 'rel': 'export'}, {'href': 'http://X.X.X.X:8082/6.5/elements/netlink/7250/history', 'rel': 'history'}, {'href': 'http://X.X.X.X8082/6.5/elements/netlink/7250/search_category_tags_from_element', 'rel': 'search_category_tags_from_element'}, {'href': 'http://X.X.X.X:8082/6.5/elements/netlink/7250/duplicate', 'rel': 'duplicate'}], 'name': 'SNL_Premier-ISP', 'nsp_name': '', 'probe_address': [], 'read_only': False, 'ref': ['http:/X.X.X.X:8082/6.5/elements/network/7243'], 'standby_mode_period': 3600, 'standby_mode_timeout': 30, 'system': False, 'system_key': -1}

SNL2
 {'active_mode_period': 5, 'active_mode_timeout': 1, 'domain_server_address': [], 'gateway_ref': 'http://X.X.X.X :8082/6.5/elements/router/7252', 'key': 7253, 'link': [{'href': 'http://X.X.X.X:8082/6.5/elements/netlink/7253', 'rel': 'self', 'type': 'netlink'}, {'href': 'http://X.X.X.X:8082/6.5/elements/netlink/7253/export', 'rel': 'export'}, {'href': 'http://X.X.X.X:8082/6.5/elements/netlink/7253/history', 'rel': 'history'}, {'href': 'http://X.X.X.X:8082/6.5/elements/netlink/7253/search_category_tags_from_element', 'rel': 'search_category_tags_from_element'}, {'href': 'http://X.X.X.X:8082/6.5/elements/netlink/7253/duplicate', 'rel': 'duplicate'}], 'name': 'SNL_Second-ISP', 'probe_address': [], 'read_only': False, 'ref': ['http://X.X.X.X:8082/6.5/elements/network/7246'], 'standby_mode_period': 3600, 'standby_mode_timeout': 30, 'system': False, 'system_key': -1}

SNL1.network
 []
SNL2.network
 []

SNL1.ref
 ['http://X.X.X.X:8082/6.5/elements/network/7243']
SNL2.ref
 ['http://X.X.X.X:8082/6.5/elements/network/7246']

With the error, we can see that at line 523 of "smc/elements/netlink.py" we try to get the ref of the network in the SNL with "network_ref=netlink.network[0].href", but you can see from my print that "snl.network" is empty and the ref wanted is in "snl.ref".

I have created the SNL with SMC, with Python, with Ansible, and the result is always the same -> snl.network is empty.
I tried to make snl.ref = snl.network and snl.update(), but same result...

Everything works correctly with this change at line 523:

        if netlink.typeof == 'netlink':  # static netlink vs dynamic netlink
            #member_def.update(network_ref=netlink.network[0].href)
            member_def.update(network_ref=str(netlink.ref))

Information about my environment:

In [8]: session.manager.sessions[0].api_version
Out[8]: '6.5'

pip list | grep SMC
fp-NGFW-SMC-python 1.0.0

I don't know if the issue is only in my environment.

Thank you in advance for your help.

Kind regards,
Fgazelot

How to add Exceptions on Phase-1 ID in Engine Endpoints

Hello,

I don't know if I missed something. I have to create an exception on a Phase-1 ID (change the default IP address ID to an email ID) for a specific PolicyVPN.

However, I don't find a way to do this:

from pprint import pprint
from smc.core.engine import Engine

e = Engine("ClusterFW-1")
endpoints = list(e.vpn_endpoint.all())
ep = endpoints[0]

pprint(vars(ep.data))
{'_etag': '"MTMzOTgwMjExNjk3NjE1MDE4OTQ0"',
 'data': {'address': '10.0.10.1',
          'connection_type_ref': 'http://X.X.X.X:8082/6.10/elements/connection_type/4',
          'deducted_name': '10.0.10.1',
          'dynamic': False,
          'enabled': True,
          'force_nat_t': False,
          'ike_phase1_id_type': 3,
          'ipsec_vpn': True,
          'key': 1339,
          'link': [{'href': 'http://X.X.X.X:8082/6.10/elements/fw_cluster/5588/internal_gateway/1340/internal_endpoint/1339',
                    'rel': 'self',
                    'type': 'internal_endpoint'},
                   {'href': 'http://X.X.X.X:8082/6.10/elements/fw_cluster/5588/internal_gateway/1340/internal_endpoint/1339/history',
                    'rel': 'history'},
                   {'href': 'http://X.X.X.X:8082/6.10/elements/fw_cluster/5588/internal_gateway/1340/internal_endpoint/1339/lock',
                    'rel': 'lock'}],
          'locked': False,
          'nat_t': True,
          'physical_interface': 'http://X.X.X.X:8082/6.10/elements/fw_cluster/5588/physical_interface/1337',
          'read_only': False,
          'ssl_vpn_portal': True,
          'ssl_vpn_tunnel': True,
          'system': False,
          'system_key': -1,
          'trashed': False,
          'udp_encapsulation': False}}

In this example, the exception is created on this printed endpoint, but we don't see any data dedicated to that...

Information about my environment:

session.api_version = 6.10

pip list | grep SMC
fp-NGFW-SMC-python 1.0.21

Thank you in advance for your help.

Kind regards,
Fgazelot

FirewallCluster - VPN - Automatic Certificate Management

Hello,

When I use the function FirewallCluster.create in smc.core.engines, the option "Automated RSA Certificate Management" in the menu "VPN > Certificate" is not enabled.
I don't find this option in the function or in the engine properties.
Is there a way to enable it when creating the engine or after?

Best regards,
Etienne


How to collect logs of specific access rule on SMC?

I want to collect the logs of a specific access rule on SMC, then analyze these logs and propose the recommended access rules to be created based on these logs.

How to do that?

Also, how can Python machine learning be used to achieve this goal?

Search rule failed

Hi,

I tried to search for a rule using the SMC API, but it looks like there is some problem with the class smc\base\model.
I would appreciate it if someone could help me with this.

This is the main code:

from smc import session
from smc.policy.layer3 import FirewallPolicy

session.login(url=SMC_URL, api_key=API_KEY, verify=False, timeout=120, api_version=API_VERSION)
p = FirewallPolicy("Vamsi")
print(p.search_rule('@2187085.0'))
session.logout()

This is the error message:
Traceback (most recent call last):
  File "C:\Users\smana\PycharmProjects\smcAPI\fp-NGFW-SMC-python-master\main.py", line 53, in <module>
    print(p.search_rule('@2187085.0'))
  File "C:\Users\smana\PycharmProjects\smcAPI\fp-NGFW-SMC-python-master\smc\policy\policy.py", line 110, in search_rule
    result = self.make_request(resource="search_rule", params={"filter": search})
  File "C:\Users\smana\PycharmProjects\smcAPI\fp-NGFW-SMC-python-master\smc\base\mixins.py", line 26, in make_request
    kwargs.update(href=self.data.get_link(kwargs.pop("resource")))
  File "C:\Users\smana\PycharmProjects\smcAPI\fp-NGFW-SMC-python-master\smc\base\model.py", line 413, in __getattr__
    if "typeof" not in key and key in self.data:
  File "C:\Users\smana\PycharmProjects\smcAPI\fp-NGFW-SMC-python-master\smc\base\model.py", line 413, in __getattr__
    if "typeof" not in key and key in self.data:
  File "C:\Users\smana\PycharmProjects\smcAPI\fp-NGFW-SMC-python-master\smc\base\model.py", line 413, in __getattr__
    if "typeof" not in key and key in self.data:
  [Previous line repeated 989 more times]
  File "C:\Users\smana\PycharmProjects\smcAPI\fp-NGFW-SMC-python-master\smc\base\decorators.py", line 86, in get
    value = obj.__dict__[self.func.__name__] = self.func(obj)
  File "C:\Users\smana\PycharmProjects\smcAPI\fp-NGFW-SMC-python-master\smc\base\model.py", line 375, in data
    return LoadElement(self.href)
  File "C:\Users\smana\PycharmProjects\smcAPI\fp-NGFW-SMC-python-master\smc\base\model.py", line 99, in LoadElement
    request = SMCRequest(href=href)
  File "C:\Users\smana\PycharmProjects\smcAPI\fp-NGFW-SMC-python-master\smc\api\common.py", line 69, in __init__
    for k, v in kwargs.items():
RecursionError: maximum recursion depth exceeded while calling a Python object
INFO:smc.api.session:Logged out admin: 102895415245 of domain: Shared Domain successfully

thanks
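One mechanism that produces a traceback of exactly this shape, where `__getattr__` and a lazily loaded `data` property call each other until the recursion limit, is a property that raises AttributeError inside a class that defines `__getattr__`: Python treats the failed property lookup as a missing attribute and falls back to `__getattr__('data')`. The model below is an added, self-contained illustration with constructed class and attribute names; it is not the code of smc/base/model.py, and the library's actual trigger may differ.

```python
class BrokenElement:
    """Constructed model of an element whose `data` is loaded lazily and whose
    __getattr__ forwards unknown names to that data (not smc-python's code)."""

    def __init__(self, href=None):
        self.href = href

    @property
    def data(self):
        # The lazy load needs an href. Raising AttributeError here is the trap:
        # Python treats the failed property lookup as "no such attribute" and
        # calls __getattr__('data'), which reads self.data again, and so on
        # until RecursionError, giving the repeated-frame traceback shape.
        if self.href is None:
            raise AttributeError("no href to load element from")
        return {"href": self.href, "name": "demo-policy"}

    def __getattr__(self, key):
        # Same lookup shape as the line shown in the traceback above.
        if "typeof" not in key and key in self.data:
            return self.data[key]
        raise AttributeError(key)


class FixedElement(BrokenElement):
    @property
    def data(self):
        # Any exception other than AttributeError does not fall back to
        # __getattr__, so the real cause surfaces instead of a RecursionError.
        if self.href is None:
            raise ValueError("element has no href; cannot load its data")
        return {"href": self.href, "name": "demo-policy"}


def failure_type(cls):
    """Name of the exception raised when an unknown attribute (here
    `search_rule`) of an element built without an href is accessed."""
    try:
        cls(href=None).search_rule
    except Exception as exc:  # classify whatever escapes, RecursionError included
        return type(exc).__name__
    return "none"


if __name__ == "__main__":
    print(failure_type(BrokenElement))  # RecursionError
    print(failure_type(FixedElement))   # ValueError
    print(FixedElement(href="http://smc.example:8082/7.0/elements/fw_policy/1").name)
```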

Create users with password in InternalDomain

I cannot find anywhere the possibility to create a new user in the InternalDomain with the parameter "password".

The only parameters accepted by the create() function of smc.administration.user_auth.users.InternalUserDomain are: name, user_group, activation_date, expiration_date and comment.

Is there a way to add the password? Maybe adding this possibility if only using the secure channel communication (websocket)?

role 'Manage Administrator' mandatory for read only API clients

Hello,

I am trying to restrict my API client, but a plain login already needs 'Manage Administrator' from 'Administrative Rights' in 'All'. As soon as I try to log in I get:

ERROR:root:Failed to get username, please make sure you can have 'Manage Administrator' in your role
ERROR:smc.api.session:Logout status was unexpected. Received response with status code: 401
...

The description for 'Manage Administrator' is: "Allows the administrator to view and manage Administrator, Web Portal User, Administrator Role, API Clients and Access Control List elements".

BR, sam

session.login: Failed to get username

With SMC version 7.0.3 [11326] and fp-NGFW-SMC-python 1.0.22, when I run session.login with all the right parameters, I get this error:

Error:root:Failed to get username, please make sure you can have 'Manage Administrator' in your role.

The user with the API key used in the example has "Viewer" role on "ALL API Client" and "ALL Elements" in "ALL DOMAINS". If I make this user Superuser, I do not see this exception, though.

Some details which might be useful:

$ pip list
Package            Version 
------------------ --------
certifi            2023.5.7
charset-normalizer 3.1.0   
fp-NGFW-SMC-python 1.0.22  
idna               3.4     
pip                20.0.2  
pkg-resources      0.0.0   
pyserial           3.5     
pytz               2023.3  
requests           2.31.0  
setuptools         44.0.0  
urllib3            2.0.2   
wheel              0.34.2
$ python --version
Python 3.8.10

The script used (api_key and api_url are hidden):

import logging
from smc import session

logging.getLogger()
logging.basicConfig(level=logging.DEBUG)

api_key="XXXXXXX"
api_url="https://XXXX:8082"
session.login(api_url, api_key=api_key, api_version='7.0') # Note that changing the version to 6.11 does not make any difference.

And the full output of the script, obviously still with API key and URL hidden.

$ python test_login.py 
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): XXXX:8082
DEBUG:urllib3.connectionpool:https://XXXX:8082 "GET /api HTTP/1.1" 200 None
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): XXXX:8082
DEBUG:urllib3.connectionpool:https://XXXX:8082 "POST /7.0/login HTTP/1.1" 200 0
INFO:smc.api.session:Using SMC API version: 7.0
DEBUG:urllib3.connectionpool:https://XXXX:8082 "GET /7.0/api HTTP/1.1" 200 None
DEBUG:smc.api.session:Loaded entry points with obtained session.
DEBUG:urllib3.connectionpool:https://XXXX:8082 "GET /7.0/system/current_user HTTP/1.1" 200 None
DEBUG:urllib3.connectionpool:https://XXXX:8082 "GET /7.0/elements/api_client/6 HTTP/1.1" 400 None
DEBUG:smc.api.web:Request method: GET
DEBUG:smc.api.web:Request URL: https://XXXX:8082/7.0/elements/api_client/6
DEBUG:smc.api.web:Request headers:
DEBUG:smc.api.web:	'User-Agent': 'python-requests/2.31.0'
DEBUG:smc.api.web:	'Accept-Encoding': 'gzip, deflate'
DEBUG:smc.api.web:	'Accept': '*/*'
DEBUG:smc.api.web:	'Connection': 'keep-alive'
DEBUG:smc.api.web:	'Content-Type': 'application/json'
DEBUG:smc.api.web:	'Cookie': 'JSESSIONID=8E8A1AF6EC0D7C40DCCBE2D6C3916973'
DEBUG:smc.api.web:	'Content-Length': '2'
DEBUG:smc.api.web:Request body:
DEBUG:smc.api.web:b'{}'
DEBUG:smc.api.web:Response status: 400
DEBUG:smc.api.web:Response headers:
DEBUG:smc.api.web:	'Strict-Transport-Security': 'max-age=31536000;includeSubDomains'
DEBUG:smc.api.web:	'X-Frame-Options': 'DENY'
DEBUG:smc.api.web:	'X-Content-Type-Options': 'nosniff'
DEBUG:smc.api.web:	'X-XSS-Protection': '1; mode=block'
DEBUG:smc.api.web:	'Content-Type': 'application/json'
DEBUG:smc.api.web:	'Transfer-Encoding': 'chunked'
DEBUG:smc.api.web:	'Date': 'Mon, 05 Jun 2023 11:46:00 GMT'
DEBUG:smc.api.web:	'Connection': 'close'
DEBUG:smc.api.web:Response content:
DEBUG:smc.api.web:{"details":["You do not have the required permissions to perform this action.\nDetails:\nYou do not have the required permissions to perform this action. You must have API Client as a granted element."],"message":"Impossible to retrieve the element 6 of type api_client.","status":0}
ERROR:root:Failed to get username, please make sure you can have 'Manage Administrator' in your role
DEBUG:smc.api.session:Login succeeded for admin: 8792896761028 in domain: Shared Domain, session: JSESSIONID=8E8A1AF6EC0D7C40DCCBE2D6C3916973
DEBUG:urllib3.connectionpool:Resetting dropped connection: XXXX
DEBUG:urllib3.connectionpool:https://XXXX:8082 "GET /7.0/system/current_user HTTP/1.1" 200 None
DEBUG:urllib3.connectionpool:https://XXXX:8082 "GET /7.0/elements/api_client/6 HTTP/1.1" 400 None
DEBUG:smc.api.web:Request method: GET
DEBUG:smc.api.web:Request URL: https://XXXX:8082/7.0/elements/api_client/6
DEBUG:smc.api.web:Request headers:
DEBUG:smc.api.web:	'User-Agent': 'python-requests/2.31.0'
DEBUG:smc.api.web:	'Accept-Encoding': 'gzip, deflate'
DEBUG:smc.api.web:	'Accept': '*/*'
DEBUG:smc.api.web:	'Connection': 'keep-alive'
DEBUG:smc.api.web:	'Content-Type': 'application/json'
DEBUG:smc.api.web:	'Cookie': 'JSESSIONID=8E8A1AF6EC0D7C40DCCBE2D6C3916973'
DEBUG:smc.api.web:	'Content-Length': '2'
DEBUG:smc.api.web:Request body:
DEBUG:smc.api.web:b'{}'
DEBUG:smc.api.web:Response status: 400
DEBUG:smc.api.web:Response headers:
DEBUG:smc.api.web:	'Strict-Transport-Security': 'max-age=31536000;includeSubDomains'
DEBUG:smc.api.web:	'X-Frame-Options': 'DENY'
DEBUG:smc.api.web:	'X-Content-Type-Options': 'nosniff'
DEBUG:smc.api.web:	'X-XSS-Protection': '1; mode=block'
DEBUG:smc.api.web:	'Content-Type': 'application/json'
DEBUG:smc.api.web:	'Transfer-Encoding': 'chunked'
DEBUG:smc.api.web:	'Date': 'Mon, 05 Jun 2023 11:46:00 GMT'
DEBUG:smc.api.web:	'Connection': 'close'
DEBUG:smc.api.web:Response content:
DEBUG:smc.api.web:{"details":["You do not have the required permissions to perform this action.\nDetails:\nYou do not have the required permissions to perform this action. You must have API Client as a granted element."],"message":"Impossible to retrieve the element 6 of type api_client.","status":0}
ERROR:root:Failed to get username, please make sure you can have 'Manage Administrator' in your role

And a screenshot of the current permissions of the read-only user. I guess "All API clients" is redundant with "All Elements", but I added it just in case.


I don't know what this "Manage Administrator" permission is, or whether there is a way to tell the API client not to require it.

Search a firewall policy similarly to "Search Rules" function in SMC GUI

Hello,

I am having trouble finding a way to conclusively search a firewall policy's ruleset for all rules matching a given network element IP. Within the SMC GUI, when you preview a Firewall Policy, you can search that policy by clicking the gear cog icon in the top right corner and selecting "Search Rules". This allows you to input an IP address or subnet in one of the fields, and the SMC will show you all matching rules in which that source IP or subnet is contained in that particular slot. This search is recursive, in that it will also show you rules in which a group is used, if that group contains your target subnet or IP.

For example, let's say I have a network element "net_A" with address 1.2.3.0/24 which is referenced in 5 rules within a policy. Let us say net_A is also included in a group "group_A" and group_A is used within 15 rules in a policy. When searching with the firewall API, I am able to pull all rules from a policy and iterate through them, comparing the values in the source and destination fields via element name, or resolving each element and comparing by value. However, this will not include the references where group_A is used, so I would only find 5 rules instead of 20 matching rules.

I have tried replicating the recursion manually, but for large groups this takes a long time, especially taking into account nested groups of multiple levels. When the SMC GUI performs this search, this slowness is not observed. Using the above scenario, if I were to search using the SMC GUI search function, it would show me 20 rules.

For additional context, my end goal is to be able to determine, given a source IP/subnet, destination IP/subnet, and protocol-port, whether or not a firewall flow is allowed in a particular policy. If there is a better way to accomplish this other than searching the ruleset and matching the fields as I've described above, please let me know.

Is there a way to replicate this behavior with fp-ngfw-smc-python? In other words, using the above scenario, is there a way to obtain all 20 rules?

Thanks in advance.
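The recursive search described in this post, as an added example that is not part of the post or of fp-NGFW-SMC-python: the element and rule data are constructed dicts standing in for SMC elements, each group is expanded once per search through a cache (the slowness mentioned above comes from re-walking shared groups), a stack guards against cyclic nested groups, and matching is done numerically with `ipaddress` rather than by element name.

```python
import ipaddress

# Constructed sample data standing in for SMC network elements. Hosts and
# networks carry CIDRs; groups carry member element names (groups may nest).
ELEMENTS = {
    "net_A": {"type": "network", "cidrs": ["1.2.3.0/24"]},
    "host_B": {"type": "host", "cidrs": ["10.9.8.7/32"]},
    "group_A": {"type": "group", "members": ["net_A", "host_B"]},
    # group_outer contains itself, to exercise the cycle guard below
    "group_outer": {"type": "group", "members": ["group_A", "group_outer"]},
}

# Constructed rules: (rule name, source elements, destination elements).
RULES = [
    ("r1", ["net_A"], ["any"]),
    ("r2", ["group_A"], ["host_B"]),
    ("r3", ["group_outer"], ["any"]),
    ("r4", ["host_B"], ["any"]),
]


def expand(name, elements, cache, stack=()):
    """Return the set of ip_network objects an element ultimately covers.
    Groups are walked recursively; `cache` makes each group's expansion happen
    once per search, and `stack` stops infinite recursion on cyclic membership."""
    if name in cache:
        return cache[name]
    if name in stack or name not in elements:  # cycle, 'any', or unknown name
        return set()
    elem = elements[name]
    if elem["type"] == "group":
        nets = set()
        for member in elem["members"]:
            nets |= expand(member, elements, cache, stack + (name,))
    else:
        nets = {ipaddress.ip_network(c) for c in elem["cidrs"]}
    cache[name] = nets
    return nets


def rules_matching(target, rules, elements):
    """Names of rules whose source or destination contains `target` (an IP or a
    CIDR), including rules that reach it only through a nested group."""
    want = ipaddress.ip_network(target, strict=False)
    cache = {}
    hits = []
    for rule_name, sources, destinations in rules:
        nets = set()
        for field in sources + destinations:
            nets |= expand(field, elements, cache)
        if any(want.version == n.version and want.subnet_of(n) for n in nets):
            hits.append(rule_name)
    return hits


if __name__ == "__main__":
    print(rules_matching("1.2.3.4", RULES, ELEMENTS))  # ['r1', 'r2', 'r3']
```

The ANY keyword is treated here as no concrete address, so this answers the "which rules reference this IP" question; deciding whether a flow is actually allowed would additionally need ANY handling, ports/protocols and rule order.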

Lock an smc element

Hello,

How can I lock an element (Group, Network, ...)?

SMC version is 6.8.12
fp-NGFW-SMC-python version is 1.0.20

Thanks.
