forcepoint / fp-ngfw-smc-python
Forcepoint NGFW Management Center Python API
Home Page: https://support.forcepoint.com/s/article/How-to-Start-Using-SMC-API
License: Apache License 2.0
Hello
I am trying to get the expiration date, and for that I am using smc.core.engine.VPN and gateway_certificate.
But the list does not return it!
print(list(engineC0xxxx.vpn.gateway_certificate))
[GatewayCertificate(name=<O=Forcepoint, CN=LISC0xxxxSDW00 - Primary> RSA / SHA-256), GatewayCertificate(name=<O=Forcepoint, CN=LISC0xxxxSDW00 - Primary> RSA / SHA-256)]
Could you give me some tips?
Hello,
I try to configure a DHCP relay on an interface.
I tried with the following parameters but it doesn't work:
Is there a possibility to do this?
I use fp-NGFW-SMC-python 0.7.0b23.
Best regards,
Etienne
Hi,
I have two open issues from the previous session and I thought it would be better to gather them neatly here:
If there was a way to directly get all the networks that contain a particular host without going through all the networks that exist in the SMC, it would be very useful for a lot of applications.
I'm working on some project of real-time rules search in the firewall and currently these two issues prevent me from running it in a reasonable amount of time. I would love to have your help:)
Thanks
Hello,
I try to update an IPv4 Access Rule. It doesn't work with the rule.update() method or the rule.save() method.
Is it possible to update a rule?
I use fp-NGFW-SMC-python==0.7.0b26 and SMC 6.5.17.
With the update method and a host object or the href of a host object:
policy = FirewallPolicy("policy_name")
rule = list(policy.fw_ipv4_access_rules)[-1]
one_host = Host("host_name")
rule.update(sources=[one_host])
rule.update(sources=[one_host.href])
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "C:\Users\user_name\AppData\Local\Programs\Python\Python37\lib\site-packages\smc\policy\rule.py", line 290, in update
result = super(Rule, self).update(PolicyCommandFailed, **kwargs)
File "C:\Users\user_name\AppData\Local\Programs\Python\Python37\lib\site-packages\smc\base\model.py", line 494, in update
result = request.update()
File "C:\Users\user_name\AppData\Local\Programs\Python\Python37\lib\site-packages\smc\api\common.py", line 72, in update
return self._make_request(method='PUT')
File "C:\Users\user_name\AppData\Local\Programs\Python\Python37\lib\site-packages\smc\api\common.py", line 101, in _make_request
raise err
smc.api.exceptions.PolicyCommandFailed: Invalid JSON format: Cannot deserialize instance of `com.stonesoft.api.v11.elements.dto.storable.policy.SrcMatchPartDTO` out of START_ARRAY token at [line: 1, column: 1558] (from: FWIPv4AccessRuleDTO["sources"]).
With the save method:
rule.sources.src = [one_host.href]
rule.save()
rule.sources.src
>>> list of href before change
Best regards,
Etienne MILON
Hello,
I am having trouble finding a way to conclusively search a firewall policy's ruleset for all rules matching a given network element IP. Within the SMC GUI, when you preview a Firewall Policy, you can search that policy via clicking the gear cog icon in the top right corner and selecting "Search Rules". This allows you to input a IP address or Subnet within one of the fields, and the SMC will show you all matching rules in which that source IP or subnet is contained in that particular slot. This search is recursive in that it will also show you rules in which a group is used, if that group contains your target subnet or IP.
For example, let's say I have a network element "net_A" with address 1.2.3.0/24 which is referenced in 5 rules within a policy. Let us say net_A is also included in a group "group_A" and group_A is used within 15 rules in a policy. When searching with the firewall API, I am able to pull all rules from a policy and iterate through them, comparing the values in the source and destination fields via element name, or resolving each element and comparing by value. However, this will not include the references where group_A is used, so I would only find 5 rules instead of 20 matching rules.
I have tried replicating the recursion manually, but for large groups this takes a long time, especially taking into account nested groups of multiple levels. When the SMC GUI performs this search, this slowness is not observed. Using the above scenario, if I were to search using the SMC GUI search function, it would show me 20 rules.
For additional context, my end goal is to be able to determine, given a source IP/subnet, destination IP/subnet, and protocol-port, whether or not a firewall flow is allowed in a particular policy. If there is a better way to accomplish this other than searching the ruleset and matching the fields as I've described above, please let me know.
Is there a way to replicate this behavior with fp-ngfw-smc-python? In other words, using the above scenario, is there a way to obtain all 20 rules?
Thanks in advance.
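The recursive search described in this post, together with the "which networks contain this host" lookup asked for in the earlier post above, as an added example that is not part of the original issues or of fp-ngfw-smc-python. It models elements, groups and rules as plain Python dicts (all sample data is constructed here) instead of calling the SMC API: each group is resolved to its leaf members once with cycle protection, that result is inverted into a membership index, and rule lookups become set tests. The first-match flow_decision walk shows the end goal (source, destination, action) with services left out of this toy.

```python
"""Recursive group-aware rule search over a constructed policy model.
Added example; element names, groups and rules are sample data, not
taken from any SMC."""
import ipaddress
from typing import Dict, List, Set

# Constructed sample inventory: element name -> prefix (hosts are /32).
ELEMENTS: Dict[str, str] = {
    "net_A": "1.2.3.0/24",
    "net_B": "10.0.0.0/8",
    "host_1": "1.2.3.10/32",
    "host_2": "10.1.1.1/32",
}

# Constructed group membership: group -> members, which may themselves be groups.
GROUPS: Dict[str, List[str]] = {
    "group_A": ["net_A", "host_2"],
    "group_outer": ["group_A", "net_B"],
    "group_loop": ["group_loop", "host_1"],  # self-reference: must not recurse forever
}

# Constructed rules in policy order; slots hold element/group names or "any".
RULES = [
    {"name": "r1", "sources": ["net_A"], "destinations": ["net_B"], "action": "allow"},
    {"name": "r2", "sources": ["group_A"], "destinations": ["any"], "action": "discard"},
    {"name": "r3", "sources": ["host_1"], "destinations": ["group_outer"], "action": "allow"},
    {"name": "r4", "sources": ["group_loop"], "destinations": ["net_B"], "action": "allow"},
    {"name": "r5", "sources": ["net_B"], "destinations": ["host_2"], "action": "discard"},
]


def expand_group(name: str, groups=GROUPS, _seen: Set[str] = None) -> Set[str]:
    """All leaf element names reachable from `name`; a non-group name expands
    to itself. `_seen` stops cycles and repeated walks of shared subgroups."""
    if _seen is None:
        _seen = set()
    if name in _seen:
        return set()
    _seen.add(name)
    if name not in groups:
        return {name}
    leaves: Set[str] = set()
    for member in groups[name]:
        leaves |= expand_group(member, groups, _seen)
    return leaves


def build_membership_index(groups=GROUPS) -> Dict[str, Set[str]]:
    """Invert membership once: leaf -> every group containing it, directly or
    nested. Built once per policy, so each rule check is a set test instead
    of re-walking the group tree for every rule (the slowness reported above)."""
    index: Dict[str, Set[str]] = {}
    for group in groups:
        for leaf in expand_group(group, groups):
            index.setdefault(leaf, set()).add(group)
    return index


def rules_referencing(element: str, rules=RULES, groups=GROUPS) -> List[str]:
    """Rules whose source or destination slot names `element` or any group
    that transitively contains it (the GUI-style recursive search)."""
    containers = build_membership_index(groups).get(element, set()) | {element}
    return [r["name"] for r in rules
            if containers & (set(r["sources"]) | set(r["destinations"]))]


def networks_containing(address: str, elements=ELEMENTS) -> List[str]:
    """Elements whose prefix contains `address`: the 'all networks that
    contain this host' lookup, without walking anything else."""
    ip = ipaddress.ip_address(address)
    return sorted(name for name, cidr in elements.items()
                  if ip in ipaddress.ip_network(cidr, strict=False))


def _prefixes(name: str, elements=ELEMENTS, groups=GROUPS):
    """Resolve one slot entry (element, group or 'any') to the prefixes it covers."""
    if name == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    return [ipaddress.ip_network(elements[leaf], strict=False)
            for leaf in expand_group(name, groups) if leaf in elements]


def flow_decision(src: str, dst: str, rules=RULES) -> str:
    """First-match walk of the ordered rule list by address only (services and
    ports are ignored in this toy). Returns the action or 'no_match'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (any(s in p for n in r["sources"] for p in _prefixes(n))
                and any(d in p for n in r["destinations"] for p in _prefixes(n))):
            return r["action"]
    return "no_match"
```

With the real API the inventory would be filled from the policy's elements and the groups' member lists, but the point is that the group expansion happens once per policy rather than once per rule, which is where the time goes with large, deeply nested groups.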
Using this code the rules are not created. Please help.
for line in csv_reader:
    try:
        policy.fw_ipv4_access_rules.create(name=line[0], sources=line[1], destinations=line[2], services=line[3], action=line[4])
    except:
        # a bare except discards whatever error the create call raised
        pass
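A CSV loader that reports why a row failed instead of discarding the error, as an added example that is not from the original post or from the project. The bare `except: pass` in the snippet above means any failure from the create call, such as an unknown element name or a string where the API expects a list, is silently dropped, so "the rules are not created" is all that is visible. Here `create_rule` is a hypothetical callable standing in for `policy.fw_ipv4_access_rules.create`; the CSV text, element names and the `fake_create_rule` checker are constructed so the loader runs offline.

```python
"""CSV-driven rule creation with per-row validation and error reporting.
Added example; the CSV, element names and the fake create function are
constructed stand-ins, not the SMC API."""
import csv
import io
from typing import Callable, Dict, List, Tuple

# Actions accepted by this toy loader; the issues on this page only show these two.
VALID_ACTIONS = {"allow", "discard"}

# Constructed CSV: name, sources, destinations, services, action.
# Multi-valued cells are ';'-separated; the literal 'any' selects the 'any' flag.
SAMPLE_CSV = """name,sources,destinations,services,action
web-in,net_A;host_1,dmz_web,HTTP;HTTPS,allow
bad-action,net_A,any,any,permit
block-list,any,ip_list_badhosts,any,discard
missing-elem,no_such_net,any,any,discard
"""


def _split(cell: str):
    """'any' -> 'any'; otherwise a non-empty list of element names."""
    cell = (cell or "").strip()
    if cell.lower() == "any":
        return "any"
    items = [c.strip() for c in cell.split(";") if c.strip()]
    if not items:
        raise ValueError("empty element list")
    return items


def parse_rule_row(row: Dict[str, str]) -> Dict[str, object]:
    """Turn one CSV row into keyword arguments for a rule create call.
    Raises ValueError on any validation problem instead of passing bad data on."""
    name = (row.get("name") or "").strip()
    if not name:
        raise ValueError("empty rule name")
    action = (row.get("action") or "").strip().lower()
    if action not in VALID_ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    return {
        "name": name,
        "sources": _split(row.get("sources")),
        "destinations": _split(row.get("destinations")),
        "services": _split(row.get("services")),
        "action": action,
    }


def load_rules(csv_text: str, create_rule: Callable[..., object]) -> Tuple[List[str], List[str]]:
    """Create one rule per row, continuing after failures but recording each
    one with its row number. Returns (names created, error messages)."""
    created, errors = [], []
    reader = csv.DictReader(io.StringIO(csv_text))
    for row_no, row in enumerate(reader, start=2):  # line 1 is the header
        try:
            kwargs = parse_rule_row(row)
            create_rule(**kwargs)
            created.append(kwargs["name"])
        except Exception as exc:  # report and move on; never silently drop
            errors.append(f"row {row_no}: {exc}")
    return created, errors


# Constructed element inventory used by the fake create call below.
KNOWN_ELEMENTS = {"net_A", "host_1", "dmz_web", "ip_list_badhosts", "HTTP", "HTTPS"}


def fake_create_rule(**kwargs):
    """Hypothetical stand-in for the SMC create call: rejects unknown element
    names, as the real request would fail server-side."""
    for slot in ("sources", "destinations", "services"):
        if kwargs[slot] != "any":
            unknown = set(kwargs[slot]) - KNOWN_ELEMENTS
            if unknown:
                raise LookupError(f"unknown elements in {slot}: {sorted(unknown)}")
    return kwargs["name"]


def run_sample():
    """Load the constructed CSV through the fake create call."""
    return load_rules(SAMPLE_CSV, fake_create_rule)
```

The validation before the call is the part that matters for a policy loader: a misspelled action or element name should fail loudly at the row that caused it, not leave a gap in the policy that nobody notices until traffic is blocked or, worse, allowed.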
I want to collect logs of specific access rule on SMC then analyze these logs and propose the recommended access rules to be created as per these logs.
How to do that?
Also how to use python machine learning for achieving this goal?
Hi,
I am trying to create a Route-Based VPN Tunnel between two Firewalls but I get this error: "Impossible to store the element XXX".
Is something that I am missing?
Below is the function I created:
def create_rbvpn(fw1, fw2, interface_id, comment):
    engine1 = Engine(str(fw1))
    engine2 = Engine(str(fw2))
    engine1.tunnel_interface.add_cluster_virtual_interface(interface_id=interface_id, comment=comment)
    engine2.tunnel_interface.add_cluster_virtual_interface(interface_id=interface_id, comment=comment)
    TunnelMonitoringGroup.create(name=comment, comment=comment)
    local_endpoint = TunnelEndpoint(gateway_ref=engine1.href, tunnel_interface_ref=engine1.tunnel_interface.get(interface_id).href)
    print(local_endpoint)
    remote_endpoint = TunnelEndpoint(gateway_ref=engine2.href, tunnel_interface_ref=engine2.tunnel_interface.get(interface_id).href)
    print(remote_endpoint)
    RouteVPN.create_ipsec_tunnel(name=comment,
                                 local_endpoint=local_endpoint,
                                 remote_endpoint=remote_endpoint,
                                 monitoring_group=TunnelMonitoringGroup(comment),
                                 vpn_profile=VPNProfile("Suite-B-GCM-256"),
                                 comment=comment)
Hi,
is there any Go SDK for the SMC API? This repository is about the Python version and I hope that there might be a Go SDK, too.
... to have would be very helpful these days ...
Hello,
Is it possible to enable or disable a VPN Site in a Policy Based VPN Topology?
I am doing something like this:
pb_vpn = PolicyVPN.get("VPN_name")
pb_vpn.open()
list(list(pb_vpn.satellite_gateway_node)[0].enabled_sites)
list(list(pb_vpn.satellite_gateway_node)[0].disabled_sites)
=> I can see enabled and disabled sites
But when trying to update:
list(pb_vpn.satellite_gateway_node)[0].update(enabled_sites=[])
>>> smc.api.exceptions.UpdateElementFailed: Invalid JSON format: At line 1 and column 713, enabled_sites is not recognized as JSON attribute.
Do you know if there is another way to do this please ?
Hi,
I tried to search a rule using the SMC API but it looks like there is some problem with the class smc\base\model.
I would appreciate it if someone could help me with this.
This is the main code:
session.login(url=SMC_URL, api_key=API_KEY, verify=False, timeout=120, api_version=API_VERSION)
p = FirewallPolicy("Vamsi")
print(p.search_rule('@2187085.0'))
session.logout()
This is the error message:
Traceback (most recent call last):
File "C:\Users\smana\PycharmProjects\smcAPI\fp-NGFW-SMC-python-master\main.py", line 53, in <module>
print(p.search_rule('@2187085.0'))
File "C:\Users\smana\PycharmProjects\smcAPI\fp-NGFW-SMC-python-master\smc\policy\policy.py", line 110, in search_rule
result = self.make_request(resource="search_rule", params={"filter": search})
File "C:\Users\smana\PycharmProjects\smcAPI\fp-NGFW-SMC-python-master\smc\base\mixins.py", line 26, in make_request
kwargs.update(href=self.data.get_link(kwargs.pop("resource")))
File "C:\Users\smana\PycharmProjects\smcAPI\fp-NGFW-SMC-python-master\smc\base\model.py", line 413, in __getattr__
if "typeof" not in key and key in self.data:
File "C:\Users\smana\PycharmProjects\smcAPI\fp-NGFW-SMC-python-master\smc\base\model.py", line 413, in __getattr__
if "typeof" not in key and key in self.data:
File "C:\Users\smana\PycharmProjects\smcAPI\fp-NGFW-SMC-python-master\smc\base\model.py", line 413, in __getattr__
if "typeof" not in key and key in self.data:
[Previous line repeated 989 more times]
File "C:\Users\smana\PycharmProjects\smcAPI\fp-NGFW-SMC-python-master\smc\base\decorators.py", line 86, in __get__
value = obj.__dict__[self.func.__name__] = self.func(obj)
File "C:\Users\smana\PycharmProjects\smcAPI\fp-NGFW-SMC-python-master\smc\base\model.py", line 375, in data
return LoadElement(self.href)
File "C:\Users\smana\PycharmProjects\smcAPI\fp-NGFW-SMC-python-master\smc\base\model.py", line 99, in LoadElement
request = SMCRequest(href=href)
File "C:\Users\smana\PycharmProjects\smcAPI\fp-NGFW-SMC-python-master\smc\api\common.py", line 69, in __init__
for k, v in kwargs.items():
RecursionError: maximum recursion depth exceeded while calling a Python object
INFO:smc.api.session:Logged out admin: 102895415245 of domain: Shared Domain successfully
thanks
Hello,
I don't know if I missed something, but I have to create an exception on a Phase-1 ID (change the default IP address ID to an email ID for a specific PolicyVPN).
However, I don't find a way to do this:
e = Engine("ClusterFW-1")
endpoints = list(e.vpn_endpoint.all())
ep = endpoints[0]
pprint(vars(ep.data))
{'_etag': '"MTMzOTgwMjExNjk3NjE1MDE4OTQ0"',
'data': {'address': '10.0.10.1',
'connection_type_ref': 'http://X.X.X.X:8082/6.10/elements/connection_type/4',
'deducted_name': '10.0.10.1',
'dynamic': False,
'enabled': True,
'force_nat_t': False,
'ike_phase1_id_type': 3,
'ipsec_vpn': True,
'key': 1339,
'link': [{'href': 'http://X.X.X.X:8082/6.10/elements/fw_cluster/5588/internal_gateway/1340/internal_endpoint/1339',
'rel': 'self',
'type': 'internal_endpoint'},
{'href': 'http://X.X.X.X:8082/6.10/elements/fw_cluster/5588/internal_gateway/1340/internal_endpoint/1339/history',
'rel': 'history'},
{'href': 'http://X.X.X.X:8082/6.10/elements/fw_cluster/5588/internal_gateway/1340/internal_endpoint/1339/lock',
'rel': 'lock'}],
'locked': False,
'nat_t': True,
'physical_interface': 'http://X.X.X.X:8082/6.10/elements/fw_cluster/5588/physical_interface/1337',
'read_only': False,
'ssl_vpn_portal': True,
'ssl_vpn_tunnel': True,
'system': False,
'system_key': -1,
'trashed': False,
'udp_encapsulation': False}}
In this example, the exception is created on this printed endpoint, but we don't see data dedicated to that ...
Information about my environment:
session.api_version = 6.10
pip list | grep SMC
fp-NGFW-SMC-python 1.0.21
Thank you in advance for your help.
Kind regards,
Fgazelot
Hi @gabstopper,
I've encountered the following bug while playing around with the API.
smc python version: 0.6.2 (according to pip freeze)
Last debug output:
Response status: 200
Response headers:
'ETag': '"NTQ4NDk5OWViNDVlZTdhYTY4ODliODFlOGU2MzdjMTY="'
'Content-Type': 'application/json'
'Transfer-Encoding': 'chunked'
'Date': 'Wed, 01 Jul 2020 09:52:21 GMT'
Response content:
{"result":[{"href":"http://192.168.10.73:8082/6.7/elements/ip_list/23139","name":"freevpn.gg","type":"ip_list"}]}
http://192.168.10.73:8082 "POST /6.7/elements/sub_ipv4_fw_policy/46/fw_ipv4_access_rule HTTP/1.1" 400 None
Request method: POST
Request URL: http://192.168.10.73:8082/6.7/elements/sub_ipv4_fw_policy/46/fw_ipv4_access_rule
Request headers:
'User-Agent': 'python-requests/2.24.0'
'Accept-Encoding': 'gzip, deflate'
'Accept': '*/*'
'Connection': 'keep-alive'
'Content-Type': 'application/json'
'Cookie': 'JSESSIONID=2DD363BC335AF3842F8C785A0F1393DA'
'Content-Length': '685'
Request body:
{"sources": {"any": true}, "destinations": {"dst": ["http://192.168.10.73:8082/6.7/elements/ip_list/23139"]}, "services": {"any": true}, "name": "freevpn.gg", "comment": "dies ist ein test", "action": {"action": "discard", "connection_tracking_options": {"mss_enforced": false, "mss_enforced_max": 0, "mss_enforced_min": 0, "timeout": -1}, "scan_detection": "undefined"}, "options": {"log_accounting_info_mode": false, "log_closing_mode": true, "log_level": "undefined", "log_payload_additionnal": false, "log_payload_excerpt": false, "log_payload_record": false, "log_severity": -1}, "authentication_options": {"methods": [], "require_auth": false, "users": []}, "is_disabled": false}
Response status: 400
Response headers:
'Content-Type': 'application/json'
'Transfer-Encoding': 'chunked'
'Date': 'Wed, 01 Jul 2020 09:52:21 GMT'
'Connection': 'close'
Response content:
{"details":["Invalid JSON format: Cannot deserialize instance of `java.util.ArrayList` out of VALUE_STRING token at [line: 1, column: 213] (from: FWRuleActionDTO[\"action\"])."],"status":0}
Traceback (most recent call last):
File "avency-blockctl.py", line 154, in <module>
Blockctl()
File "avency-blockctl.py", line 146, in __init__
self.apply_blacklists(config, args)
File "avency-blockctl.py", line 126, in apply_blacklists
policy.fw_ipv4_access_rules.create(name=bl['name'], services='any', sources='any', destinations=[smc.elements.network.IPList(bl['name'])], action='discard', comment=bl['comment'])
File "/home/chris/.virtualenvs/avency-blockctl/lib/python3.8/site-packages/smc/policy/rule.py", line 570, in create
return ElementCreator(
File "/home/chris/.virtualenvs/avency-blockctl/lib/python3.8/site-packages/smc/base/decorators.py", line 103, in run
return function(cls, json, **kwargs)
File "/home/chris/.virtualenvs/avency-blockctl/lib/python3.8/site-packages/smc/base/model.py", line 115, in ElementCreator
result = SMCRequest(
File "/home/chris/.virtualenvs/avency-blockctl/lib/python3.8/site-packages/smc/api/common.py", line 66, in create
return self._make_request(method='POST')
File "/home/chris/.virtualenvs/avency-blockctl/lib/python3.8/site-packages/smc/api/common.py", line 101, in _make_request
raise err
smc.api.exceptions.CreateRuleFailed: Invalid JSON format: Cannot deserialize instance of `java.util.ArrayList` out of VALUE_STRING token at [line: 1, column: 213] (from: FWRuleActionDTO["action"]).
Resetting dropped connection: 192.168.10.73
http://192.168.10.73:8082 "PUT /6.7/logout HTTP/1.1" 204 0
Logged out admin: Christian R. (Superuser) of domain: Shared Domain successfully
Call counters: Counter({'read': 6, 'create': 3, 'update': 0, 'delete': 0, 'cache': 0})
You can see my function call in the stacktrace:
policy.fw_ipv4_access_rules.create(name=bl['name'], services='any', sources='any', destinations=[smc.elements.network.IPList(bl['name'])], action='discard', comment=bl['comment'])
During the error it has been initialized correctly, as you can see in the REST request:
{"sources": {"any": true}, "destinations": {"dst": ["http://192.168.10.73:8082/6.7/elements/ip_list/23139"]}, "services": {"any": true}, "name": "freevpn.gg", "comment": "dies ist ein test", "action": {"action": "discard", "connection_tracking_options": {"mss_enforced": false, "mss_enforced_max": 0, "mss_enforced_min": 0, "timeout": -1}, "scan_detection": "undefined"}, "options": {"log_accounting_info_mode": false, "log_closing_mode": true, "log_level": "undefined", "log_payload_additionnal": false, "log_payload_excerpt": false, "log_payload_record": false, "log_severity": -1}, "authentication_options": {"methods": [], "require_auth": false, "users": []}, "is_disabled": false}
"action": {"action": "discard"...
should be the correct Action name, right?
I have checked the rules.py file in the SMC-python project and it clearly states that discard is a valid operation.
Is this a bug with python 3.8.0?
Hi,
While trying a new Firewall subpolicy I get this error message here:
Using SMC API version: 6.7
Traceback (most recent call last):
File "/usr/lib/python3.8/runpy.py", line 194, in _run_module_as_main
return _run_code(code, main_globals, None,
File "/usr/lib/python3.8/runpy.py", line 87, in _run_code
exec(code, run_globals)
File "/home/chris/.vscode-oss/extensions/ms-python.python-2020.7.96456/pythonFiles/lib/python/debugpy/__main__.py", line 45, in <module>
cli.main()
File "/home/chris/.vscode-oss/extensions/ms-python.python-2020.7.96456/pythonFiles/lib/python/debugpy/../debugpy/server/cli.py", line 430, in main
run()
File "/home/chris/.vscode-oss/extensions/ms-python.python-2020.7.96456/pythonFiles/lib/python/debugpy/../debugpy/server/cli.py", line 267, in run_file
runpy.run_path(options.target, run_name=compat.force_str("__main__"))
File "/usr/lib/python3.8/runpy.py", line 265, in run_path
return _run_module_code(code, init_globals, run_name,
File "/usr/lib/python3.8/runpy.py", line 97, in _run_module_code
_run_code(code, mod_globals, init_globals,
File "/usr/lib/python3.8/runpy.py", line 87, in _run_code
exec(code, run_globals)
File "/home/chris/avency/avency-blockctl/avency-blockctl.py", line 247, in <module>
Blockctl()
File "/home/chris/avency/avency-blockctl/avency-blockctl.py", line 238, in __init__
self.apply_blocklists(config, args)
File "/home/chris/avency/avency-blockctl/avency-blockctl.py", line 180, in apply_blocklists
policy = smc.policy.layer3.FirewallSubPolicy.create('avency-blockctl')
File "/home/chris/.virtualenvs/avency-blockctl/lib/python3.8/site-packages/smc/policy/layer3.py", line 189, in create
return ElementCreator(cls, json={'name': name})
File "/home/chris/.virtualenvs/avency-blockctl/lib/python3.8/site-packages/smc/base/decorators.py", line 103, in run
return function(cls, json, **kwargs)
File "/home/chris/.virtualenvs/avency-blockctl/lib/python3.8/site-packages/smc/base/model.py", line 115, in ElementCreator
result = SMCRequest(
File "/home/chris/.virtualenvs/avency-blockctl/lib/python3.8/site-packages/smc/api/common.py", line 66, in create
return self._make_request(method='POST')
File "/home/chris/.virtualenvs/avency-blockctl/lib/python3.8/site-packages/smc/api/common.py", line 101, in _make_request
raise err
smc.api.exceptions.CreateElementFailed: No message returned from SMC server
Logout status was unexpected. Received response with status code: 500
API Version is: "6.7"
Python 3.8
I tested this with the latest tag from this repo and the develop branch from @gabstopper.
"No message returned from SMC server" is not very verbose... is this maybe a permission problem?
If we configured the API on the SMC to use the HTTPS protocol, how do we communicate with the SMC API over HTTPS using fp-NGFW-SMC-Python and do everything with the SMC via HTTPS?
Hello,
I'm trying to create a session with an INI file but I'm running into SSL warnings of the following kind:
/usr/lib/python3/dist-packages/urllib3/connectionpool.py:1015: InsecureRequestWarning: Unverified HTTPS request is being made to host '$IP'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
warnings.warn(
What is the equivalent INI syntax of the following which doesn't throw warnings?
session.login(url='https://$FQN:8082', api_key='$APIKEY', api_version='6.10', verify=True)
How exactly do the above argument "verify=True" and the below "verify_ssl=True" differ? According to fp-NGFW-SMC-python/smc/api/configloader.py, line 137 in 6b90a32:
$ cat .smcrc
smc_address=$IP
smc_apikey=$APIKEY
api_version=6.10
smc_port=8082
smc_ssl=True
verify_ssl=True
(c.f. https://fp-ngfw-smc-python.readthedocs.io/en/latest/pages/session.html#creating-the-session )
Thanks.
Hello,
How can I lock an element (Group, Network, ...)?
SMC version is 6.8.12
fp-NGFW-SMC-python version is 1.0.20
Thanks.
Hi,
I just realized that you do not support adding URL blocklist via SMC API yet. Is there any plan to support this in the future?
Hi,
Please use Git tags instead of commit title to version this library.
Best regards,
Hi everyone,
Is there already an estimate of when SMC 6.8 will be supported? Or is this even planned?
Currently I'm having some issues with a script as there seem to be some changes regarding the group API entry points. At least the methods which I used in 6.7 don't work anymore.
Best Regards
Alrexxar
Hello,
I don't know if it's only in my environment, but I get an error when I try to use the 'interface_id' function of an endpoint when this endpoint is set up with DHCP:
How to reproduce the error:
Engine interfaces:
engine = Engine("FOO")
for i in engine.interface:
    pprint(i.data.data)
{'aggregate_mode': 'none',
'arp_entry': [],
'cvi_mode': 'none',
'dhcp_server_on_interface': {'default_gateway': 'X.X.X.X',
'default_lease_time': 36000,
'dhcp_address_range': 'X.X.X.X-X.X.X.X',
'dhcp_range_per_node': [],
'domain_name_search_list': 'x;x;x;x',
'primary_dns_server': 'X.X.X.X',
'secondary_dns_server': 'X.X.X.X'},
'duplicate_address_detection': True,
'include_prefix_info_option_flag': False,
'interface_id': '4',
'interfaces': [{'single_node_interface': {'address': 'X.X.X.X',
'apn': 'internet',
'auth_request': True,
'auth_request_source': False,
'automatic_default_route': False,
'backup_heartbeat': False,
'backup_mgt': False,
'domain_specific_dns_queries_source': False,
'dynamic': False,
'igmp_mode': 'none',
'key': 268444176,
'network_value': 'X.X.X.X/25',
'nicid': '4',
'nodeid': 1,
'outgoing': True,
'phone_number': '*99#',
'pppoa': False,
'pppoe': False,
'primary_heartbeat': False,
'primary_mgt': False,
'relayed_by_dhcp': False,
'reverse_connection': False,
'vrrp': False,
'vrrp_id': -1,
'vrrp_priority': -1}}],
'key': 268444809,
'link': [{'href': 'http://X.X.X.X:8082/6.10/elements/single_fw/268492219/physical_interface/268444809',
'rel': 'self',
'type': 'physical_interface'}],
'lldp_mode': 'disabled',
'log_moderation': [],
'managed_address_flag': False,
'mtu': -1,
'name': 'Interface 4',
'other_configuration_flag': False,
'override_engine_settings': False,
'override_log_moderation_settings': False,
'qos_limit': -1,
'qos_mode': 'no_qos',
'route_replies_back_mode': False,
'router_advertisement': False,
'set_autonomous_address_flag': False,
'shared_interface': False,
'syn_mode': 'default',
'sync_parameter': {'full_sync_interval': 5000,
'heartbeat_group_ip': '224.0.0.221',
'incr_sync_interval': 50,
'statesync_group_ip': '224.0.0.222',
'sync_mode': 'sync_all',
'sync_security': 'sign'},
'virtual_engine_vlan_ok': False,
'virtual_resource_settings': [],
'vlanInterfaces': []}
{'adjust_antispoofing': True,
'arp_entry': [],
'comment': 'VPN Broker - EUA Domain',
'dhcp_server_on_interface': {'default_lease_time': 7200,
'dhcp_range_per_node': []},
'duplicate_address_detection': True,
'gateway_ref': 'http://X.X.X.X:8082/6.10/elements/single_fw/268492219/internal_gateway/268437240',
'include_prefix_info_option_flag': False,
'interface_id': 'VPN_0',
'interfaces': [{'single_node_interface': {'address': 'X.X.X.X',
'apn': 'internet',
'auth_request': False,
'auth_request_source': False,
'automatic_default_route': False,
'backup_heartbeat': False,
'backup_mgt': False,
'domain_specific_dns_queries_source': False,
'dynamic': False,
'igmp_mode': 'none',
'key': 268444178,
'network_value': 'X.X.X.X/21',
'nicid': 'VPN_0',
'nodeid': 1,
'outgoing': False,
'phone_number': '*99#',
'pppoa': False,
'pppoe': False,
'primary_heartbeat': False,
'primary_mgt': False,
'relayed_by_dhcp': False,
'reverse_connection': False,
'vrrp': False,
'vrrp_id': -1,
'vrrp_priority': -1}}],
'key': 268444811,
'link': [{'href': 'http://X.X.X.X:8082/6.10/elements/single_fw/268492219/vpn_broker_interface/268444811',
'rel': 'self',
'type': 'vpn_broker_interface'}],
'log_moderation': [],
'mac_address_postfix': 'fa:02:19',
'managed_address_flag': False,
'mtu': -1,
'name': 'VPN Broker Interface 0',
'other_configuration_flag': False,
'override_engine_settings': False,
'override_log_moderation_settings': False,
'qos_limit': -1,
'qos_mode': 'no_qos',
'retrieve_routes': 'true',
'router_advertisement': False,
'set_autonomous_address_flag': False,
'shared_interface': False,
'shared_secret': '*****',
'syn_mode': 'default',
'virtual_resource_settings': [],
'vpn_broker_domain_ref': 'http:/X.X.X.X8082/6.10/elements/vpn_broker_domain/268435460'}
{'aggregate_mode': 'none',
'arp_entry': [],
'cvi_mode': 'none',
'dhcp_server_on_interface': {'default_lease_time': 7200,
'dhcp_range_per_node': []},
'duplicate_address_detection': True,
'include_prefix_info_option_flag': False,
'interface_id': '0',
'interfaces': [{'single_node_interface': {'apn': 'internet',
'auth_request': False,
'auth_request_source': False,
'automatic_default_route': True,
'backup_heartbeat': False,
'backup_mgt': False,
'domain_specific_dns_queries_source': False,
'dynamic': True,
'dynamic_index': 1,
'igmp_mode': 'none',
'key': 268444177,
'nicid': '0',
'nodeid': 1,
'outgoing': False,
'phone_number': '*99#',
'pppoa': False,
'pppoe': False,
'primary_heartbeat': False,
'primary_mgt': True,
'relayed_by_dhcp': False,
'reverse_connection': True,
'vrrp': False,
'vrrp_id': -1,
'vrrp_priority': -1}}],
'key': 268444810,
'link': [{'href': 'http://X.X.X.X:8082/6.10/elements/single_fw/268492219/physical_interface/268444810',
'rel': 'self',
'type': 'physical_interface'}],
'lldp_mode': 'disabled',
'log_moderation': [],
'managed_address_flag': False,
'mtu': -1,
'name': 'Interface 0',
'other_configuration_flag': False,
'override_engine_settings': False,
'override_log_moderation_settings': False,
'qos_limit': -1,
'qos_mode': 'no_qos',
'route_replies_back_mode': False,
'router_advertisement': False,
'set_autonomous_address_flag': False,
'shared_interface': False,
'syn_mode': 'default',
'sync_parameter': {'full_sync_interval': 5000,
'heartbeat_group_ip': '224.0.0.221',
'incr_sync_interval': 50,
'statesync_group_ip': '224.0.0.222',
'sync_mode': 'sync_all',
'sync_security': 'sign'},
'virtual_engine_vlan_ok': False,
'virtual_resource_settings': [],
'vlanInterfaces': []}
engine.vpn_endpoint
InternalEndpointCollection(items: 3)
vpn_endpoints = engine.vpn_endpoint
for endpoint in vpn_endpoints:
    pprint(endpoint.interface_id)
Result:
'4'
'VPN_0'
Followed by this error:
---------------------------------------------------------------------------
ValueError Traceback (most recent call last)
<ipython-input-15-d277499e4914> in <module>
1 for endpoint in vpn_endpoints:
----> 2 pprint(endpoint.interface_id)
3
4
~/Documents/newlode/dev/cust-bv-sase-ipsec/.direnv/python-3.6/lib/python3.6/site-packages/smc/core/engine.py in interface_id(self)
2164 :return: str interface id
2165 """
-> 2166 return self.physical_interface.interface_id
2167
2168 @property
~/Documents/newlode/dev/cust-bv-sase-ipsec/.direnv/python-3.6/lib/python3.6/site-packages/smc/core/interfaces.py in interface_id(self)
706 :rtype: str
707 """
--> 708 return self.data.get("interface_id")
709
710 @interface_id.setter
~/Documents/newlode/dev/cust-bv-sase-ipsec/.direnv/python-3.6/lib/python3.6/site-packages/smc/base/decorators.py in __get__(self, obj, cls)
95 if obj is None:
96 return self
---> 97 value = obj.__dict__[self.func.__name__] = self.func(obj)
98 return value
99
~/Documents/newlode/dev/cust-bv-sase-ipsec/.direnv/python-3.6/lib/python3.6/site-packages/smc/base/model.py in data(self)
384 @cached_property
385 def data(self):
--> 386 return LoadElement(self.href)
387
388 @property
~/Documents/newlode/dev/cust-bv-sase-ipsec/.direnv/python-3.6/lib/python3.6/site-packages/smc/base/model.py in LoadElement(href, only_etag)
113 if only_etag:
114 return result.etag
--> 115 return ElementCache(result.json, etag=result.etag)
116
117
~/Documents/newlode/dev/cust-bv-sase-ipsec/.direnv/python-3.6/lib/python3.6/site-packages/smc/base/model.py in __init__(self, data, **kw)
170 def __init__(self, data=None, **kw):
171 self._etag = kw.pop("etag", None)
--> 172 super(ElementCache, self).__init__(data=data if data else {})
173
174 def etag(self, href):
~/Documents/newlode/dev/cust-bv-sase-ipsec/.direnv/python-3.6/lib/python3.6/site-packages/smc/base/structs.py in __init__(self, data, **kwargs)
156 def __init__(self, data=None, **kwargs):
157 self.data = data if data else {}
--> 158 self.update(self.data, **kwargs)
159
160 def __setitem__(self, key, value):
~/.pyenv/versions/3.6.15/lib/python3.6/_collections_abc.py in update(*args, **kwds)
844 self[key] = other[key]
845 else:
--> 846 for key, value in other:
847 self[key] = value
848 for key, value in kwds.items():
ValueError: too many values to unpack (expected 2)
The endpoint data:
{'address': '10.157.24.1',
'connection_type_ref': 'http://X.X.X.X:8082/6.10/elements/connection_type/1',
'deducted_name': '10.157.24.1',
'dynamic': False,
'enabled': False,
'force_nat_t': False,
'ike_phase1_id_type': 3,
'ipsec_vpn': True,
'key': 268443370,
'link': [{'href': 'http://X.X.X.X:8082/6.10/elements/single_fw/268492219/internal_gateway/268437240/internal_endpoint/268443370',
'rel': 'self',
'type': 'internal_endpoint'},
{'href': 'http://X.X.X.X:8082/6.10/elements/single_fw/268492219/internal_gateway/268437240/internal_endpoint/268443370/history',
'rel': 'history'},
{'href': 'http://X.X.X.X:8082/6.10/elements/single_fw/268492219/internal_gateway/268437240/internal_endpoint/268443370/lock',
'rel': 'lock'}],
'locked': False,
'nat_t': True,
'physical_interface': 'http://X.X.X.X:8082/6.10/elements/single_fw/268492219/physical_interface/268444809',
'read_only': False,
'ssl_vpn_portal': True,
'ssl_vpn_tunnel': True,
'system': False,
'system_key': -1,
'trashed': False,
'udp_encapsulation': False}
{'address': '172.16.2.30',
'connection_type_ref': 'http://X.X.X.X:8082/6.10/elements/connection_type/1',
'deducted_name': '172.16.2.30',
'dynamic': False,
'enabled': False,
'force_nat_t': False,
'ike_phase1_id_type': 3,
'ipsec_vpn': True,
'key': 268443371,
'link': [{'href': 'http://X.X.X.X:8082/6.10/elements/single_fw/268492219/internal_gateway/268437240/internal_endpoint/268443371',
'rel': 'self',
'type': 'internal_endpoint'},
{'href': 'http://X.X.X.X:8082/6.10/elements/single_fw/268492219/internal_gateway/268437240/internal_endpoint/268443371/history',
'rel': 'history'},
{'href': 'http://X.X.X.X:8082/6.10/elements/single_fw/268492219/internal_gateway/268437240/internal_endpoint/268443371/lock',
'rel': 'lock'}],
'locked': False,
'nat_t': True,
'physical_interface': 'http://X.X.X.X:8082/6.10/elements/single_fw/268492219/vpn_broker_interface/268444811',
'read_only': False,
'ssl_vpn_portal': True,
'ssl_vpn_tunnel': True,
'system': False,
'system_key': -1,
'trashed': False,
'udp_encapsulation': False}
{'connection_type_ref': 'http://X.X.X.X:8082/6.10/elements/connection_type/268435467',
'deducted_name': 'First DHCP Interface ip',
'dynamic': True,
'enabled': True,
'force_nat_t': False,
'ike_phase1_id_type': 1,
'ike_phase1_id_value': '[email protected]',
'ipsec_vpn': True,
'key': 268443372,
'link': [{'href': 'http://X.X.X.X:8082/6.10/elements/single_fw/268492219/internal_gateway/268437240/internal_endpoint/268443372',
'rel': 'self',
'type': 'internal_endpoint'},
{'href': 'http://X.X.X.X:8082/6.10/elements/single_fw/268492219/internal_gateway/268437240/internal_endpoint/268443372/history',
'rel': 'history'},
{'href': 'http://X.X.X.X:8082/6.10/elements/single_fw/268492219/internal_gateway/268437240/internal_endpoint/268443372/lock',
'rel': 'lock'}],
'locked': False,
'nat_t': True,
'read_only': False,
'ssl_vpn_portal': False,
'ssl_vpn_tunnel': False,
'system': False,
'system_key': -1,
'trashed': False,
'udp_encapsulation': False}
As you can see, we don't have the key "physical_interface" in endpoint 3 (DHCP mode).
Information about my environment:
session.api_version = 6.10
pip list | grep SMC
fp-NGFW-SMC-python 1.0.21
Thank you in advance for your help
Kind regards,
Fgazelot
Hello,
After updating to a more recent version of this library, we encountered an unexpected change in our automatically generated "jump" rules. The action of these rules was changed to "allow" after calling .save() .
This behavior seems to have been introduced in commit 45faf15 . This commit changed the default of the .update() method to action="allow" . Since the .save() method calls .update() without any arguments, calling .save() on a rule with any other action than "allow" leads to an unexpected change.
As a workaround, I changed our scripts to directly call the .update() method with the correct action, but this seems to be an unintended consequence of the change in the .update() behavior and should probably be addressed in the library.
Best regards,
Sebastian
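The default-argument problem described in this report, as an added example that is not code from fp-NGFW-SMC-python: a constructed stand-in Rule class reproduces the save() -> update() chain with the action="allow" default, a FixedRule variant uses None to mean "keep the current action", and audit_actions is a constructed helper for checking that an automation run did not change any rule action it only meant to save.

```python
# Added example, not code from fp-NGFW-SMC-python. Rule, FixedRule and
# audit_actions are constructed stand-ins that mimic the save()/update()
# chain described in the report; nothing here talks to an SMC.


class Rule:
    """Buggy stand-in: update() defaults action to 'allow'."""

    def __init__(self, name, action):
        self.name = name
        self.action = action
        self.saved = []  # constructed: records each payload that would be sent

    def update(self, action="allow", **kwargs):
        # A keyword default is not "leave unchanged": when save() calls
        # update() with no arguments, the default silently replaces whatever
        # action the rule had (jump, discard, refuse, ...).
        self.action = action
        for key, value in kwargs.items():
            setattr(self, key, value)
        self.saved.append({"name": self.name, "action": self.action})

    def save(self):
        # save() calls update() with no arguments, exactly the chain in the report.
        self.update()


class FixedRule(Rule):
    """Corrected stand-in: None means 'keep the current action'."""

    def update(self, action=None, **kwargs):
        if action is not None:
            self.action = action
        for key, value in kwargs.items():
            setattr(self, key, value)
        self.saved.append({"name": self.name, "action": self.action})


def audit_actions(rules_before, rules_after):
    """Return the names of rules whose action differs between two snapshots.

    Both arguments map rule name -> action. Running this after an automation
    job that only meant to save rules catches a silent widening to 'allow'.
    """
    return sorted(
        name for name, action in rules_before.items()
        if rules_after.get(name) != action
    )


if __name__ == "__main__":
    buggy = Rule("jump-to-dmz-subpolicy", "jump")
    buggy.save()
    print("buggy rule after save():", buggy.action)   # allow

    fixed = FixedRule("jump-to-dmz-subpolicy", "jump")
    fixed.save()
    print("fixed rule after save():", fixed.action)   # jump

    before = {"jump-to-dmz-subpolicy": "jump", "deny-all": "discard"}
    after = {"jump-to-dmz-subpolicy": buggy.action, "deny-all": "allow"}
    print("rules whose action changed:", audit_actions(before, after))
```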
Hello,
I'm working on a script to add/remove blacklist entries automatically.
To optimize my API calls, I get the list of current blacklist entries.
But if the blacklist entries are empty, my script is stuck.
The blacklist entries need to be empty.
query = BlacklistQuery("TEST-CLUSTER")
for bl in query.fetch_as_element():
    print(bl)
You will be stuck at the statement query.fetch_as_element().
If you call query.fetch_as_element(), you will call the method inside smc_monitoring/monitors/blacklist.py
Extract:
for list_of_results in clone.fetch_raw(**kw):
    for entry in list_of_results:
        data = entry.get('bldata')
        data.update(**entry.get('blid'))
        yield BlacklistEntry(**data)
The problem is inside the method fetch_raw from smc_monitoring/models/query.py
Extract:
with SMCSocketProtocol(self, **self.sockopt) as protocol:
    for result in protocol.receive():
        if 'records' in result and result['records'].get('added'):
            yield result['records']['added']
            iteration += 1
If 'records' is not in result, you will never reach the 'yield' statement and block here.
You will need to change the function with something like :
with SMCSocketProtocol(self, **self.sockopt) as protocol:
    for result in protocol.receive():
        if 'records' in result and result['records'].get('added'):
            yield result['records']['added']
            iteration += 1
        else:
            return
Or maybe there is something I don't understand about how the API works.
Thanks in advance.
Regards, Chris.
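The generator behaviour described above, as an added example that is not code from fp-NGFW-SMC-python: FakeProtocol is a constructed stand-in for SMCSocketProtocol whose receive() never stops on its own (it keeps sending messages without a 'records' key, which is the assumption this report makes about an empty blacklist), so the quoted loop and the proposed early return can be compared offline by counting how many messages each one consumes.

```python
# Added example, not code from fp-NGFW-SMC-python. FakeProtocol, fetch_raw_hanging,
# fetch_raw_returning, drain and run_demo are constructed names; the message
# shapes are modelled on the bldata/blid entries quoted in the report.


class FakeProtocol:
    """Constructed stand-in for SMCSocketProtocol.

    receive() yields the given messages, then keeps yielding messages that
    carry no 'records' key. The count is bounded only so the demo terminates;
    a real socket that never closes would keep a consumer waiting forever.
    """

    def __init__(self, messages, keepalives=1000):
        self._messages = list(messages)
        self._keepalives = keepalives
        self.consumed = 0  # how many messages the consumer pulled off the socket

    def __enter__(self):
        return self

    def __exit__(self, exc_type, exc, tb):
        return False

    def receive(self):
        for msg in self._messages:
            self.consumed += 1
            yield msg
        for _ in range(self._keepalives):
            self.consumed += 1
            yield {"status": "keepalive"}  # constructed: no 'records' key


def fetch_raw_hanging(protocol):
    # Same shape as the loop quoted from smc_monitoring/models/query.py: when
    # no message carries added records, nothing is yielded and nothing leaves
    # the loop, so the caller blocks for as long as the socket stays open.
    with protocol as proto:
        for result in proto.receive():
            if "records" in result and result["records"].get("added"):
                yield result["records"]["added"]


def fetch_raw_returning(protocol):
    # The change proposed in the report: leave the loop on the first message
    # that carries no added records.
    with protocol as proto:
        for result in proto.receive():
            if "records" in result and result["records"].get("added"):
                yield result["records"]["added"]
            else:
                return


def drain(gen):
    """Collect every batch a fetch generator yields (constructed helper)."""
    return [batch for batch in gen]


# Constructed message streams. ENTRIES mimics one blacklist record in the
# bldata/blid form the report shows; EMPTY is a query with no entries at all.
ENTRIES = [{"records": {"added": [
    {"bldata": {"src": "10.0.0.1/32", "dst": "any"}, "blid": {"id": 1}}
]}}]
EMPTY = []


def run_demo(keepalives=50):
    """Return (messages consumed by the quoted loop, by the early-return loop)
    for an empty blacklist, with the socket bounded to `keepalives` messages."""
    hanging = FakeProtocol(EMPTY, keepalives=keepalives)
    drain(fetch_raw_hanging(hanging))
    returning = FakeProtocol(EMPTY, keepalives=keepalives)
    drain(fetch_raw_returning(returning))
    return hanging.consumed, returning.consumed


if __name__ == "__main__":
    consumed_hanging, consumed_returning = run_demo()
    print("quoted loop consumed", consumed_hanging, "messages before the socket ended")
    print("early-return loop consumed", consumed_returning, "message")
    print("batches with entries:", drain(fetch_raw_returning(FakeProtocol(ENTRIES, 5))))
```

Note that the early return also ends the stream on any other message without added records, so a fix for the real protocol needs to key on whichever message the SMC uses to signal end of data rather than on the mere absence of 'records'.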
Hello,
since recently I get the following error when importing "smc"; I don't remember changing anything apart from general updating via "apt upgrade". I even tried with a fresh user "test":
$ cat test.py
#!/usr/bin/env python3
import smc
$ ./test.py
Traceback (most recent call last):
File "/home/test/ngfw/./test.py", line 2, in <module>
import smc
File "/home/test/.local/lib/python3.10/site-packages/smc/__init__.py", line 2, in <module>
import smc.api.session
File "/home/test/.local/lib/python3.10/site-packages/smc/api/session.py", line 9, in <module>
from smc.api.entry_point import Resource
File "/home/test/.local/lib/python3.10/site-packages/smc/api/entry_point.py", line 6, in <module>
from smc.base.structs import SerializedIterable
File "/home/test/.local/lib/python3.10/site-packages/smc/base/structs.py", line 126, in <module>
class NestedDict(collections.MutableMapping):
AttributeError: module 'collections' has no attribute 'MutableMapping'
$ cat /etc/os-release
PRETTY_NAME="Ubuntu 22.10"
NAME="Ubuntu"
VERSION_ID="22.10"
VERSION="22.10 (Kinetic Kudu)"
VERSION_CODENAME=kinetic
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=kinetic
LOGO=ubuntu-logo
$ dpkg --list python3-pip python3
...
ii python3 3.10.6-1 amd64 interactive high-level object-oriented language (default python3 version)
ii python3-pip 22.2+dfsg-1ubuntu0.2 all Python package installer
I tried reinstalling the package via pip3 install --force-reinstall smc-python
without success.
Kind thanks for any idea how I got there and how to repair it.
Hello,
When I use the function FirewallCluster.create in smc.core.engines, the option "Automated RSA Certificate Management" in the menu "VPN > Certificate" is not enabled.
I don't find this option in the function or in the engine properties.
Is there a way to enable it when creating the engine or after?
Best regards,
Etienne
Hello,
I'm working on migrating my script that worked on SMC 6.5 to SMC 6.8 and making the switch from "smc-python" to "fp-NGFW-SMC-python" at the same time.
When I try to create my MultilinkMember for my Multilink, I have this issue:
Traceback (most recent call last):
File "test-oml.py", line 46, in <module>
create_multilinks()
File "test-oml.py", line 26, in create_multilinks
l_ml_member.extend(MultilinkMember.create(netlink=snl1, netlink_role='active', ip_range='6.1.1.1-6.1.1.254'))
File "/home/fgt/Documents/newlode/dev/ats-test-68/atsRunSdwan/env/lib/python3.8/site-packages/smc/elements/netlink.py", line 523, in create
member_def.update(network_ref=netlink.network[0].href)
IndexError: list index out of range
I have created a little script to reproduce the issue; in this script I have this function:
def create_multilinks():
    snl1 = list(Search.objects.all().filter('SNL_Premier-ISP'))[0]
    snl2 = list(Search.objects.all().filter('SNL_Second-ISP'))[0]
    l_ml_member = list()
    print('SNL1\n', snl1.data.data)
    print('SNL2\n', snl2.data.data)
    print('SNL1.network\n', snl1.network)
    print('SNL2.network\n', snl2.network)
    l_ml_member.extend(MultilinkMember.create(netlink=snl1, netlink_role='active', ip_range='6.1.1.1-6.1.1.254'))
    l_ml_member.extend(MultilinkMember.create(netlink=snl2, netlink_role='standby', ip_range='1.1.2.1-1.1.2.254'))
    res = Multilink.update_or_create(with_status=True,
                                     name="OML_TEST",
                                     multilink_members=l_ml_member)
    return res
The output of my print :
SNL1
{'active_mode_period': 5, 'active_mode_timeout': 1, 'domain_server_address': [], 'gateway_ref': 'http://X.X.X.X:8082/6.5/elements/router/7249', 'key': 7250, 'link': [{'href': 'http://X.X.X.X8082/6.5/elements/netlink/7250', 'rel': 'self', 'type': 'netlink'}, {'href': 'http://X.X.X.X.68:8082/6.5/elements/netlink/7250/export', 'rel': 'export'}, {'href': 'http://X.X.X.X:8082/6.5/elements/netlink/7250/history', 'rel': 'history'}, {'href': 'http://X.X.X.X8082/6.5/elements/netlink/7250/search_category_tags_from_element', 'rel': 'search_category_tags_from_element'}, {'href': 'http://X.X.X.X:8082/6.5/elements/netlink/7250/duplicate', 'rel': 'duplicate'}], 'name': 'SNL_Premier-ISP', 'nsp_name': '', 'probe_address': [], 'read_only': False, 'ref': ['http:/X.X.X.X:8082/6.5/elements/network/7243'], 'standby_mode_period': 3600, 'standby_mode_timeout': 30, 'system': False, 'system_key': -1}
SNL2
{'active_mode_period': 5, 'active_mode_timeout': 1, 'domain_server_address': [], 'gateway_ref': 'http://X.X.X.X :8082/6.5/elements/router/7252', 'key': 7253, 'link': [{'href': 'http://X.X.X.X:8082/6.5/elements/netlink/7253', 'rel': 'self', 'type': 'netlink'}, {'href': 'http://X.X.X.X:8082/6.5/elements/netlink/7253/export', 'rel': 'export'}, {'href': 'http://X.X.X.X:8082/6.5/elements/netlink/7253/history', 'rel': 'history'}, {'href': 'http://X.X.X.X:8082/6.5/elements/netlink/7253/search_category_tags_from_element', 'rel': 'search_category_tags_from_element'}, {'href': 'http://X.X.X.X:8082/6.5/elements/netlink/7253/duplicate', 'rel': 'duplicate'}], 'name': 'SNL_Second-ISP', 'probe_address': [], 'read_only': False, 'ref': ['http://X.X.X.X:8082/6.5/elements/network/7246'], 'standby_mode_period': 3600, 'standby_mode_timeout': 30, 'system': False, 'system_key': -1}
SNL1.network
[]
SNL2.network
[]
SNL1.ref
['http://X.X.X.X:8082/6.5/elements/network/7243']
SNL2.ref
['http://X.X.X.X:8082/6.5/elements/network/7246']
With the error, we can see that at line 523 in "smc/elements/netlink.py" we try to get the ref of the network in the SNL with "network_ref=netlink.network[0].href", but you can see with my print that "snl.network" is empty and the ref wanted is in "snl.ref".
I have created the SNL with SMC, with python, with ansible, and the result is always the same -> snl.network is empty
I tried to set snl.ref = snl.network and snl.update() but same result...
All works correctly with this change at line 523:
if netlink.typeof == 'netlink':  # static netlink vs dynamic netlink
    #member_def.update(network_ref=netlink.network[0].href)
    member_def.update(network_ref=str(netlink.ref))
Information of my environment:
In [8]: session.manager.sessions[0].api_version
Out[8]: '6.5'
pip list | grep SMC
fp-NGFW-SMC-python 1.0.0
I don't know if the issue is only in my environment.
Thank you in advance for your help.
Kind regards,
Fgazelot
With SMC version 7.0.3 [11326], and [email protected], when I run session.login
with all the right parameters, I get this error :
Error:root:Failed to get username, please make sure you can have 'Manage Administrator' in your role.
The user with the API key used in the example has "Viewer" role on "ALL API Client" and "ALL Elements" in "ALL DOMAINS". If I make this user Superuser, I do not see this exception, though.
Some details which might be useful:
$ pip list
Package Version
------------------ --------
certifi 2023.5.7
charset-normalizer 3.1.0
fp-NGFW-SMC-python 1.0.22
idna 3.4
pip 20.0.2
pkg-resources 0.0.0
pyserial 3.5
pytz 2023.3
requests 2.31.0
setuptools 44.0.0
urllib3 2.0.2
wheel 0.34.2
$ python --version
Python 3.8.10
The script used (api_key and api_url are hidden):
import logging
from smc import session
logging.getLogger()
logging.basicConfig(level=logging.DEBUG)
api_key="XXXXXXX"
api_url="https://XXXX:8082"
session.login(api_url, api_key=api_key, api_version='7.0') # Note that changing the version to 6.11 does not make any difference.
And the full output of the script, obviously still with API key and URL hidden.
$ python test_login.py
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): XXXX:8082
DEBUG:urllib3.connectionpool:https://XXXX:8082 "GET /api HTTP/1.1" 200 None
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): XXXX:8082
DEBUG:urllib3.connectionpool:https://XXXX:8082 "POST /7.0/login HTTP/1.1" 200 0
INFO:smc.api.session:Using SMC API version: 7.0
DEBUG:urllib3.connectionpool:https://XXXX:8082 "GET /7.0/api HTTP/1.1" 200 None
DEBUG:smc.api.session:Loaded entry points with obtained session.
DEBUG:urllib3.connectionpool:https://XXXX:8082 "GET /7.0/system/current_user HTTP/1.1" 200 None
DEBUG:urllib3.connectionpool:https://XXXX:8082 "GET /7.0/elements/api_client/6 HTTP/1.1" 400 None
DEBUG:smc.api.web:Request method: GET
DEBUG:smc.api.web:Request URL: https://XXXX:8082/7.0/elements/api_client/6
DEBUG:smc.api.web:Request headers:
DEBUG:smc.api.web: 'User-Agent': 'python-requests/2.31.0'
DEBUG:smc.api.web: 'Accept-Encoding': 'gzip, deflate'
DEBUG:smc.api.web: 'Accept': '*/*'
DEBUG:smc.api.web: 'Connection': 'keep-alive'
DEBUG:smc.api.web: 'Content-Type': 'application/json'
DEBUG:smc.api.web: 'Cookie': 'JSESSIONID=8E8A1AF6EC0D7C40DCCBE2D6C3916973'
DEBUG:smc.api.web: 'Content-Length': '2'
DEBUG:smc.api.web:Request body:
DEBUG:smc.api.web:b'{}'
DEBUG:smc.api.web:Response status: 400
DEBUG:smc.api.web:Response headers:
DEBUG:smc.api.web: 'Strict-Transport-Security': 'max-age=31536000;includeSubDomains'
DEBUG:smc.api.web: 'X-Frame-Options': 'DENY'
DEBUG:smc.api.web: 'X-Content-Type-Options': 'nosniff'
DEBUG:smc.api.web: 'X-XSS-Protection': '1; mode=block'
DEBUG:smc.api.web: 'Content-Type': 'application/json'
DEBUG:smc.api.web: 'Transfer-Encoding': 'chunked'
DEBUG:smc.api.web: 'Date': 'Mon, 05 Jun 2023 11:46:00 GMT'
DEBUG:smc.api.web: 'Connection': 'close'
DEBUG:smc.api.web:Response content:
DEBUG:smc.api.web:{"details":["You do not have the required permissions to perform this action.\nDetails:\nYou do not have the required permissions to perform this action. You must have API Client as a granted element."],"message":"Impossible to retrieve the element 6 of type api_client.","status":0}
ERROR:root:Failed to get username, please make sure you can have 'Manage Administrator' in your role
DEBUG:smc.api.session:Login succeeded for admin: 8792896761028 in domain: Shared Domain, session: JSESSIONID=8E8A1AF6EC0D7C40DCCBE2D6C3916973
DEBUG:urllib3.connectionpool:Resetting dropped connection: XXXX
DEBUG:urllib3.connectionpool:https://XXXX:8082 "GET /7.0/system/current_user HTTP/1.1" 200 None
DEBUG:urllib3.connectionpool:https://XXXX:8082 "GET /7.0/elements/api_client/6 HTTP/1.1" 400 None
DEBUG:smc.api.web:Request method: GET
DEBUG:smc.api.web:Request URL: https://XXXX:8082/7.0/elements/api_client/6
DEBUG:smc.api.web:Request headers:
DEBUG:smc.api.web: 'User-Agent': 'python-requests/2.31.0'
DEBUG:smc.api.web: 'Accept-Encoding': 'gzip, deflate'
DEBUG:smc.api.web: 'Accept': '*/*'
DEBUG:smc.api.web: 'Connection': 'keep-alive'
DEBUG:smc.api.web: 'Content-Type': 'application/json'
DEBUG:smc.api.web: 'Cookie': 'JSESSIONID=8E8A1AF6EC0D7C40DCCBE2D6C3916973'
DEBUG:smc.api.web: 'Content-Length': '2'
DEBUG:smc.api.web:Request body:
DEBUG:smc.api.web:b'{}'
DEBUG:smc.api.web:Response status: 400
DEBUG:smc.api.web:Response headers:
DEBUG:smc.api.web: 'Strict-Transport-Security': 'max-age=31536000;includeSubDomains'
DEBUG:smc.api.web: 'X-Frame-Options': 'DENY'
DEBUG:smc.api.web: 'X-Content-Type-Options': 'nosniff'
DEBUG:smc.api.web: 'X-XSS-Protection': '1; mode=block'
DEBUG:smc.api.web: 'Content-Type': 'application/json'
DEBUG:smc.api.web: 'Transfer-Encoding': 'chunked'
DEBUG:smc.api.web: 'Date': 'Mon, 05 Jun 2023 11:46:00 GMT'
DEBUG:smc.api.web: 'Connection': 'close'
DEBUG:smc.api.web:Response content:
DEBUG:smc.api.web:{"details":["You do not have the required permissions to perform this action.\nDetails:\nYou do not have the required permissions to perform this action. You must have API Client as a granted element."],"message":"Impossible to retrieve the element 6 of type api_client.","status":0}
ERROR:root:Failed to get username, please make sure you can have 'Manage Administrator' in your role
And a screenshot of the current permissions of the read-user. I guess "All API clients" is redundant with "All Elements", but I added it just in case.
I don't know what is this "Manage Administrator" permission, and if there is a way to tell the API client not to require it.
Hello, I have a small problem adding an IP address to an existing tunnel interface.
I am having trouble adding an IP address to an existing tunnel interface on a cluster engine. Specifically, I am trying to add a /32 IP address to a tunnel interface that does not have a 'CVI Only' subinterface. I've tried several methods described in the documentation, but I keep running into JSON format errors. I have been working on this problem for two days now and could use some help.
Here is my code:
for interface in cluster.tunnel_interface.all():
    if interface.name == "Tunnel Interface 1000":
        print(interface.addresses)
        payload = {
            "interfaces": [{"cluster_virtual": "77.77.77.77",
                            "network_value": "77.77.77.77/32"}]
        }
        interface.update(**payload)
.api.exceptions.UpdateElementFailed: Invalid JSON format: Could not resolve type id 'cluster_virtual' as a subtype of
com.stonesoft.api.v14.elements.dto.storable.engine.EngineInterfaceDTO: known type ids = [capture_interface, cluster_virtual_interface, inline_interface, inline_ips_interface, inline_l2fw_interface, node_interface, single_node_interface] (for POJO property 'interfaces') at [line: 1, column: 262] (from: ArrayList[0]).
but when I want to change the address of an existing tunnel, I can do it
for interface in cluster.tunnel_interface.all():
    if interface.name == "Tunnel Interface 1002":
        for intf in interface.sub_interfaces():
            if intf.address == "192.168.1.2":
                new_payload = {"comment": "tunnel1002",
                               "address": "192.168.1.1",
                               "network_value": "192.168.1.1/32"
                               }
                intf.update(**new_payload)
        interface.update()
I thank you for your help and hope to get back to you for my problem
Hello,
It's only a detail, but in the changes to 1.0.20, you forgot to upgrade this file:
fp-NGFW-SMC-python/smc/__version__.py
Line 1 in c48b624
How to reproduce the issue :
fgt in lin-fgt in ~/tmp via (env)
❯ pip install git+https://github.com/Forcepoint/[email protected]
Collecting git+https://github.com/Forcepoint/fp-NGFW-SMC-python.git
Cloning https://github.com/Forcepoint/fp-NGFW-SMC-python.git to /tmp/pip-req-build-b77pvzkj
Collecting requests>=2.12.0 (from fp-NGFW-SMC-python==1.0.19)
Using cached https://files.pythonhosted.org/packages/2d/61/08076519c80041bc0ffa1a8af0cbd3bf3e2b62af10435d269a9d0f40564d/requests-2.27.1-py2.py3-none-any.whl
Collecting pytz>=2021.1 (from fp-NGFW-SMC-python==1.0.19)
Using cached https://files.pythonhosted.org/packages/2e/09/fbd3c46dce130958ee8e0090f910f1fe39e502cc5ba0aadca1e8a2b932e5/pytz-2022.7.1-py2.py3-none-any.whl
Collecting charset-normalizer~=2.0.0; python_version >= "3" (from requests>=2.12.0->fp-NGFW-SMC-python==1.0.19)
Using cached https://files.pythonhosted.org/packages/06/b3/24afc8868eba069a7f03650ac750a778862dc34941a4bebeb58706715726/charset_normalizer-2.0.12-py3-none-any.whl
Collecting idna<4,>=2.5; python_version >= "3" (from requests>=2.12.0->fp-NGFW-SMC-python==1.0.19)
Using cached https://files.pythonhosted.org/packages/fc/34/3030de6f1370931b9dbb4dad48f6ab1015ab1d32447850b9fc94e60097be/idna-3.4-py3-none-any.whl
Collecting urllib3<1.27,>=1.21.1 (from requests>=2.12.0->fp-NGFW-SMC-python==1.0.19)
Using cached https://files.pythonhosted.org/packages/fe/ca/466766e20b767ddb9b951202542310cba37ea5f2d792dae7589f1741af58/urllib3-1.26.14-py2.py3-none-any.whl
Collecting certifi>=2017.4.17 (from requests>=2.12.0->fp-NGFW-SMC-python==1.0.19)
Using cached https://files.pythonhosted.org/packages/71/4c/3db2b8021bd6f2f0ceb0e088d6b2d49147671f25832fb17970e9b583d742/certifi-2022.12.7-py3-none-any.whl
Installing collected packages: charset-normalizer, idna, urllib3, certifi, requests, pytz, fp-NGFW-SMC-python
Running setup.py install for fp-NGFW-SMC-python ... done
Successfully installed certifi-2022.12.7 charset-normalizer-2.0.12 fp-NGFW-SMC-python-1.0.19 idna-3.4 pytz-2022.7.1 requests-2.27.1 urllib3-1.26.14
fgt in lin-fgt in ~/tmp via (env) took 3s
❯ pip show fp-NGFW-SMC-python
Name: fp-NGFW-SMC-python
Version: 1.0.19
Summary: Python based API to Forcepoint NGFW Management Center
Home-page: http://github.com/Forcepoint/fp-NGFW-SMC-python
Author: Forcepoint
Author-email: [email protected]
License: Apache 2.0
Location: /home/fgt/tmp/env/lib/python3.6/site-packages
Requires: requests, pytz
Required-by:
The requirements for the last fp-NGFW-SMC-ansible version is "fp-NGFW-SMC-python >=1.0.20" :
https://github.com/Forcepoint/fp-NGFW-SMC-ansible
Kind regards,
Fgazelot
Hi,
I am using smc-python 0.6.2 with SMC 6.8 with python 3.8.
I am trying to iterate through our rulesets and I am stuck with subpolicies, as I cannot retrieve the rules contained in there.
# iterate through rules
...
# does not work
if action == "jump":
    for r in rule.action.sub_policy.ips_ipv4_access_rules.all():
all other ways of fetching the subpolicy rules manually failed.
Am I doing something wrong or is this a bug in smc-python?
Thanks
Hi,
I have encountered the following issue with:
When calling smc_monitoring.monitors.alerts.ActiveAlertQuery("Shared Domain").fetch_as_element()
I will get a generator
over the current active alerts as expected, but the generator will never stop.
Corresponding debug output looks like this:
{'fetch': {},
'format': {'field_format': 'id',
'resolving': {'senders': True},
'type': 'texts'},
'query': {'definition': 'ACTIVE_ALERTS', 'target': 'Shared Domain'}}
Query returned 31 records.
Note the last line that says "Query returned 31 records": this is equal to the number of alerts I retrieve, but the generator gets stuck in an endless loop after running over all alerts. I tried to debug this, but the debugger refuses to jump into the corresponding thread.
Is this an issue with python 3.8.3? I saw that you only support 3.6.
Hello,
I don't know if I missed something or if it's a library limitation or an SMC API limitation.
But I don't find a way to change the tunnel mode on PolicyVPN from standby to active or the reverse...
policy_vpn = get_policy_vpn(policy_vpn_name)
policy_vpn.open()
policy_vpn_tunnels = list(policy_vpn.tunnels)
for t in policy_vpn_tunnels:
    l_endpoint_tunnels = t.endpoint_tunnels.get_all_contains(primary_pop, case_sensitive=False)
    for endpoint_tunnel in l_endpoint_tunnels:
        pprint(endpoint_tunnel.data.data)
Return example:
{'enabled': False,
'endpoint_1': 'http://X.X.X.X:8082/6.10/elements/single_fw/5561/internal_gateway/1331/internal_endpoint/1330',
'endpoint_2': 'http://X.X.X.X:8082/6.10/elements/external_gateway/1350/external_endpoint/1642',
'key': 0,
'link': [{'href': 'http://X.X.X.X:8082/6.10/elements/vpn/1/tunnels/MTMzMSMxMzUw/endpoints/MTMzMCMxNjQy',
'rel': 'self',
'type': 'gateway_endpoint_tunnel'}],
'name': 'Gateway EndPoint Tunnel Endpoint 1330-akl1'}
We can't see any key "mode" for these tunnels or make a change to this option.
Information of my environment:
session.api_version = 6.10
pip list | grep SMC
fp-NGFW-SMC-python 1.0.21
Thank you in advance for your help.
Kind regards,
Fgazelot
Hello,
I'm trying to import rules from a cisco ftd into the forcepoint smc.
I want to have in my rule that the IP-Address and Zone field are "AND" combined (like in the picture).
What is the code to create a "AND" combination as the source?
I can't find anything in the descriptions.
I tried this one and others, but I always get errors:
source_as_list=[ [source[0] ,source[3]]]
source_as_list=["AND", {source[0] ,source[3]}]
The creation of a rule works fine with my code, but when I use this code I have all elements separated in the rule:
policy.fw_ipv4_access_rules.create(name=rule_name,sources=source_as_list, destinations=dest,services=services, action=actions,log_options=options, is_disabled=disabled,comment=comment, add_pos=add_after_position)
Thanks in advance
Hi,
I am trying to set the TunnelInterface in 'standby' by calling int.update( ... , balancing_mode='standby')
but I get the error below.
Invalid JSON format: At line 1 and column 839, balancing_mode is not recognized as JSON attribute. <class 'smc.api.exceptions.UpdateElementFailed'>
I mention that enabled=True is working.
Thank you
Hello,
I am able to configure tunnels in Policy-Based VPN with PolicyVPN > tunnels > endpoint_tunnels:
pb_vpn = PolicyVPN("my_pb_vpn")
for tunnel in pb_vpn.tunnels:
    for endpoint_tunnel in tunnel.endpoint_tunnels:
        print(endpoint_tunnel)
I can't find the same for the Route-Based VPN:
rb_vpn = RouteVPN("my_rb_vpn")
rb_vpn.tunnels
>>> AttributeError: <class 'smc.vpn.route.RouteVPN'> object has no attribute 'tunnels'
Is there a way to access it?
Best regards,
Etienne
Hello,
I try to restrict my API client, but a plain login already needs 'Manage Administrator' from 'Administrative Rights' in 'All'. As soon as I try to log in I get:
ERROR:root:Failed to get username, please make sure you can have 'Manage Administrator' in your role
ERROR:smc.api.session:Logout status was unexpected. Received response with status code: 401
...
The description for 'Manage Administrator' is: "Allows the administrator to view and manage Administrator, Web Portal User, Administrator Role, API Clients and Access Control List elements".
BR, sam
When dereferencing an Alias object using a firewall engine name, the information returned is a list of addresses which are part of the firewall engine's Alias translation, but there is seemingly no tie in to obtain information regarding what specific elements are being referenced in the Alias. For instance, I am currently working on a deduplication/cleanup script which consolidates multiple elements into one element by moving their references to the master element, then deleting the old elements. Let us use this example scenario.
The following objects exist:
A host element with name "Host1" and address "1.2.3.4"
A host element with name "Host2" and address "1.2.3.4"
An Alias object with name "Alias1"
A firewall engine with name "Engine1"
Engine1's alias translation for Alias1 contains Host2
Let us say we are trying to move all references of Host2 to Host1 in order to delete Host2 and get rid of this duplicated element. Host2 is referenced in Engine1's address translation for Alias1. If we dereference the alias using the following code, all we can identify is that Engine1's translation for Alias1 contains IP address "1.2.3.4".
alias = Alias('Alias1')
alias.resolve('Engine1')
# this would return ['1.2.3.4']
Within the GUI, I can identify which specific element is being referenced in that alias object. I cannot see a way to identify if Host1 or Host2 are being referenced in the Alias via smc-python. My goal is to be able to remove Host2 from this alias and add Host1 to this alias. Is there a better method known to overcome this roadblock, or is this a limitation on the capabilities of the API?
Hi,
I would like to develop some open source tools based on SMC Python for Forcepoint, but I can't find any Forcepoint SMC I can test against. Do you plan to ship such a test VM via vagrant maybe? If not, how can I test my code to make sure it's actually working on Forcepoint SMCs without spending thousands of dollars on a Forcepoint SMC?
Hello,
I get some SessionNotFound while using smc_monitoring although I can use this exact session perfectly fine when I use things from the smc module.
As follows some rudimentary script:
$ cat log.py
#!/usr/bin/env python3.11
from smc_monitoring.wsocket import session
from smc_monitoring.monitors.logs import LogQuery
try:
    session.login(alt_filepath='.smcrc')
    query = LogQuery()
    print(list(query.fetch_batch()))
finally:
    session.logout()
$ ./log.py
Traceback (most recent call last):
File "/home/user/log.py", line 7, in <module>
print(list(query.fetch_batch()))
^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/user/.local/lib/python3.11/site-packages/smc_monitoring/monitors/logs.py", line 198, in fetch_batch
fmt = formatter(clone)
^^^^^^^^^^^^^^^^
File "/home/user/.local/lib/python3.11/site-packages/smc_monitoring/models/formatters.py", line 147, in __init__
super(TableFormat, self).__init__(query)
File "/home/user/.local/lib/python3.11/site-packages/smc_monitoring/models/formatters.py", line 86, in __init__
fields = query.resolve_field_ids(field_ids, **query.sockopt)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/user/.local/lib/python3.11/site-packages/smc_monitoring/models/query.py", line 240, in resolve_field_ids
for fields in query.execute():
File "/home/user/.local/lib/python3.11/site-packages/smc_monitoring/models/query.py", line 274, in execute
with SMCSocketProtocol(self, **self.sockopt) as protocol:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/user/.local/lib/python3.11/site-packages/smc_monitoring/wsocket.py", line 77, in __init__
raise SessionNotFound(
smc_monitoring.wsocket.SessionNotFound: No SMC session found. You must first obtain an SMC session through session.login before making a web socket connection.
I installed the extension via:
$ python3.11 -m pip install fp-NGFW-SMC-python-monitoring
Defaulting to user installation because normal site-packages is not writeable
Requirement already satisfied: fp-NGFW-SMC-python-monitoring in /home/user/.local/lib/python3.11/site-packages (1.4.0)
Requirement already satisfied: fp-NGFW-SMC-python>=1.0.0 in /home/user/.local/lib/python3.11/site-packages (from fp-NGFW-SMC-python-monitoring) (1.0.19)
Requirement already satisfied: websocket-client>=0.48.0 in /home/user/.local/lib/python3.11/site-packages (from fp-NGFW-SMC-python-monitoring) (1.5.1)
Requirement already satisfied: pytz>=2021.1 in /home/user/.local/lib/python3.11/site-packages (from fp-NGFW-SMC-python>=1.0.0->fp-NGFW-SMC-python-monitoring) (2023.3)
Requirement already satisfied: requests>=2.12.0 in /home/user/.local/lib/python3.11/site-packages (from fp-NGFW-SMC-python>=1.0.0->fp-NGFW-SMC-python-monitoring) (2.30.0)
Requirement already satisfied: charset-normalizer<4,>=2 in /home/user/.local/lib/python3.11/site-packages (from requests>=2.12.0->fp-NGFW-SMC-python>=1.0.0->fp-NGFW-SMC-python-monitoring) (3.1.0)
Requirement already satisfied: certifi>=2017.4.17 in /home/user/.local/lib/python3.11/site-packages (from requests>=2.12.0->fp-NGFW-SMC-python>=1.0.0->fp-NGFW-SMC-python-monitoring) (2023.5.7)
Requirement already satisfied: urllib3<3,>=1.21.1 in /home/user/.local/lib/python3.11/site-packages (from requests>=2.12.0->fp-NGFW-SMC-python>=1.0.0->fp-NGFW-SMC-python-monitoring) (2.0.2)
Requirement already satisfied: idna<4,>=2.5 in /home/user/.local/lib/python3.11/site-packages (from requests>=2.12.0->fp-NGFW-SMC-python>=1.0.0->fp-NGFW-SMC-python-monitoring) (3.4)
I'm not exactly sure why it isn't visible as installed; nonetheless I'm able to use (i.e. import) it:
$ pip3 list | egrep -i 'smc'
fp-NGFW-SMC-python 1.0.19
Thanks in advance,
Sam
Hello,
I am working on a program that saves all the rules with name, source, destination, service and hits in a CSV. When I try the function rule_counter = policy.rule_counters(engine, duration_type="one_week", duration=0) I get the error message:
Traceback (most recent call last):
File "C:\Users...\Documents\SMC\halbjaehrliche-fw-regelabfrage\Regelset auslesen\Abfrage.py", line 651, in
main()
File "C:\Users...\Documents\SMC\halbjaehrliche-fw-regelabfrage\Regelset auslesen\Abfrage.py", line 463, in main
rule_counter = policy.rule_counters(engine, duration_type="one_week", duration=0)
File "C:\Users...\AppData\Local\Programs\Python\Python39\lib\site-packages\smc\policy\policy.py", line 154, in rule_counters
for rule in self.make_request(method="create", resource="rule_counter", json=json)
File "C:\Users...\AppData\Local\Programs\Python\Python39\lib\site-packages\smc\base\mixins.py", line 32, in make_request
result = getattr(request, method)()
File "C:\Users...\AppData\Local\Programs\Python\Python39\lib\site-packages\smc\api\common.py", line 76, in create
return self._make_request(method="POST")
File "C:\Users...\AppData\Local\Programs\Python\Python39\lib\site-packages\smc\api\common.py", line 110, in _make_request
raise err
smc.api.exceptions.ActionCommandFailed: No valid message returned from SMC server
Can you help? We need the hit number to show if a rule is useful.
Imported library :
from icecream import ic
from smc import session
from smc.core.engines import FirewallCluster
from smc.elements.network import Host, Network
from smc.elements.servers import LogServer
import json
Hello,
I have an error when I try to create a cluster :
I think the "LogServer.objects.first()" object does not contain the ".href" :
Do you know if it is still maintained?
Hi,
Trying to call
ServerBackupTask.create(name='Backup' , servers=[ManagementServer(name='XXXXXXX')]) raise the error below : Invalid JSON format: At line 1 and column 420, server_target_path is not recognized as JSON attribute. <class 'smc.api.exceptions.CreateElementFailed'>
Several attempts on the parameters did not help (adding the path mainly).
Thank you
Hi friends,
Does the repo support multiple session instances, either pointing to the same or different SMC Server URLs with different API keys and API versions?
thanks in advance.
Hello,
I try to update an ipv4Rules object with the .update() method. It doesn't work when the rule name contains "/".
I get the following error message.
I use fp-ngfw-smc-python~=1.0.12 and SMC 6.8.8.
Rule @317776.13": "Invalid JSON format: For input string: \"68719491123\" (from: FWIPv4AccessRuleDTO[\"parent_insert_point\"]).
Hi everyone!
I'm using python 3.8; API version 6.8; Git Hub version 3.1.27
We were adding rules with the API:
options = LogOptions()
options.log_accounting_info_mode = True
options.log_level = 'stored'
p.fw_ipv4_access_rules.create(name='', comment=comment, services=[service], sources=[specific_src_host], destinations=[specific_dest_host], action='allow', log_options=options)
data.append([policy_name, section, src_ip, dest_ip, dest_port, app, app_protocol, comment, 'created the rule'])
p.fw_ipv4_access_rules.create_rule_section(section_name) # creating a specific section in the policy
#----------------------------------------------------------------------------
How can I change the settings of the rule-logs, such that a log wouldn't be created for connection closing:
(want the Connection Closing value to be set to "No Log").
Hello,
I was trying to create a service but I get the error "protocol_agent_ref is not recognized as JSON attribute":
TCPService.create('tcpservice', 5000, comment='my service')
but I get the following error:
File "c:/Users/aaa/Desktop/python/test.py", line 82, in <module>
service = UDPService.create('tcpservice', 5000, comment='my service')
File "C:\Users\aaa\AppData\Local\Programs\Python\Python36\lib\site-packages\smc\elements\service.py", line 138, in create
return ElementCreator(cls, json)
File "C:\Users\aaa\AppData\Local\Programs\Python\Python36\lib\site-packages\smc\base\decorators.py", line 113, in run
return function(cls, json, **kwargs)
File "C:\Users\aaa\AppData\Local\Programs\Python\Python36\lib\site-packages\smc\base\model.py", line 126, in ElementCreator
result = SMCRequest(href=href, json=json, **kwargs).create()
File "C:\Users\aaa\AppData\Local\Programs\Python\Python36\lib\site-packages\smc\api\common.py", line 76, in create
return self._make_request(method="POST")
File "C:\Users\aaa\AppData\Local\Programs\Python\Python36\lib\site-packages\smc\api\common.py", line 110, in _make_request
raise err
smc.api.exceptions.CreateElementFailed: Invalid JSON format: At line 1 and column 136, protocol_agent_ref is not recognized as JSON attribute.
I cannot find anywhere the option to create a new user in the InternalDomain with the parameter "password".
The only parameters accepted by the create() function of smc.administration.user_auth.users InternalUserDomain are: name, user_group, activation_date, expiration_date and comment.
Is there a way to add the password? Maybe by adding this possibility only when using secure channel communication (websocket)?