smc.api.session
Session
smc.base.model.ElementBase
smc.base.model.Element
- objects(self):
Interface to element collections. All classes inheriting from Element can access collections through this class property:
for host in Host.objects.all(): ...
Fetch a single entry:
host = Host.objects.filter('myhost') ...
For more information on collections, see: smc.base.collection.CollectionManager
smc.base.model.SubElement
smc.base.model.UserElement
smc.core.resource.History
Access Rights provide the ability to create administrative accounts and assign or create specific access control lists and roles to these accounts.
smc.administration.access_rights.AccessControlList
smc.elements.user
smc.administration.access_rights.Permission
smc.administration.role
smc.administration.certificates.tls_common
smc.administration.certificates.tls
TLSServerCredential
TLSProfile
TLSIdentity
TLSCryptographySuite
ClientProtectionCA
smc.administration.system.AdminDomain
smc.administration.license
smc.administration.scheduled_tasks
smc.administration.reports
smc.administration.system
smc.administration.tasks
smc.administration.updates
EngineUpgrade
UpdatePackage
Elements used for various configuration areas within SMC. Element types are made up of network, service groups and other.
smc.elements.network
Alias
AddressRange
DomainName
Expression
Host
IPList
Network
Router
URLListApplication
Zone
smc.elements.netlink
smc.elements.service
EthernetService
ICMPService
ICMPIPv6Service
IPService
TCPService
UDPService
URLCategory
smc.elements.protocols
smc.elements.group
ICMPServiceGroup
IPServiceGroup
Group
ServiceGroup
TCPServiceGroup
UDPServiceGroup
URLCategoryGroup
smc.elements.servers
LogServer
ManagementServer
DNSServer
HttpProxy
ProxyServer
smc.elements.other
Blacklist
Category
CategoryTag
FilterExpression
Location
LogicalInterface
MacAddress
HTTPSInspectionExceptions
smc.elements.situations
Profiles are generic container settings that are used in other areas of the SMC configuration. Each profile should document its usage and how it is referenced.
smc.elements.profiles
SNMPAgent
smc.core.engine
smc.core.addon
smc.core.addon.AntiVirus
smc.core.addon.FileReputation
smc.core.addon.SidewinderProxy
smc.core.addon.UrlFiltering
smc.core.addon.Sandbox
smc.core.addon.TLSInspection
Represents classes responsible for configuring dynamic routing protocols
For more information on creating OSPF elements and enabling on a layer 3 engine: smc.routing.ospf
For more information on creating BGP elements and enabling on a layer 3 engine: smc.routing.bgp
smc.core.general.DefaultNAT
smc.core.general.RankedDNSAddress
smc.core.general.DNSEntry
smc.core.general.DNSRelay
smc.core.general.SNMP
smc.core.general.Layer2Settings
Provisioning a firewall for VPN consists of the following steps:
- Enable VPN on an interface (InternalEndpoint)
- Optionally add VPN sites with protected networks
Note
By default Stonesoft FWs provide a capability that allows the protected VPN networks to be identified based on the routing table.
It is still possible to override this setting and add your own custom VPN sites as needed.
Once the firewall has VPN enabled, you must also assign the FW to a specified Policy VPN as a central or satellite gateway.
The entry point for enabling the VPN on an engine is under the engine resource smc.core.engine.Engine.vpn.
Enabling IPSEC on an interface is done by accessing the engine resource and finding the correct InternalEndpoint for which to enable the VPN. Internal Endpoints are not exactly interface maps; instead, they identify all addresses on a given firewall capable of running VPN. It is possible for a single interface to have more than one internal endpoint if the interface has multiple IP addresses assigned.
>>> from smc.core.engine import Engine
>>> engine = Engine('myfirewall')
>>> for ie in engine.vpn.internal_endpoint:
...     ie
...
InternalEndpoint(name=6.6.6.6)
InternalEndpoint(name=10.10.0.1)
InternalEndpoint(name=11.11.11.11)
InternalEndpoint(name=4.4.4.4)
InternalEndpoint(name=10.10.10.1)
Notice that internal endpoints are referenced by their IP address and not their interface. The interface is available as an attribute on the endpoint to make it easier to find the correct interface:
>>> for ie in engine.vpn.internal_endpoint:
...     print(ie, ie.interface_id)
...
(InternalEndpoint(name=6.6.6.6), u'6')
(InternalEndpoint(name=10.10.0.1), u'0')
(InternalEndpoint(name=11.11.11.11), u'11')
(InternalEndpoint(name=4.4.4.4), u'2.200')
(InternalEndpoint(name=10.10.10.1), u'1')
To enable VPN on interface 0, obtain the right endpoint and enable it:
>>> for ie in engine.vpn.internal_endpoint:
...     if ie.interface_id == '0':
...         ie.ipsec_vpn = True
Note
Once you've enabled the interface for VPN, you must also call engine.update() to commit the change.
The second step (optional) is to add VPN sites to the firewall. VPN Sites define a group of protected networks that can be applied to the VPN.
For example, add a new VPN site called wireless with a new network element that we'll create beforehand.
>>> from smc.elements.network import Network
>>> net = Network.get_or_create(name='wireless', ipv4_network='192.168.5.0/24')
>>> engine.vpn.add_site(name='wireless', site_elements=[net])
VPNSite(name=wireless)
>>> list(engine.vpn.sites)
[VPNSite(name=dingo - Primary Site), VPNSite(name=wireless)]
Once the engine is enabled for VPN, see smc.vpn.policy.PolicyVPN for information on how to create a PolicyVPN and add engines.
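The first provisioning step above (find the endpoints of one interface, enable them, then commit with engine.update()) as a reusable helper. This is an added example, not code from smc-python: enable_ipsec_on_interface and make_demo_engine are hypothetical names, the engine is a constructed stand-in so the block runs without an SMC, and reading ie.ipsec_vpn back is assumed to work on a real InternalEndpoint.

```python
from types import SimpleNamespace


def enable_ipsec_on_interface(engine, interface_id):
    """Enable IPsec VPN on every internal endpoint of one interface.

    Returns the names (IP addresses) of the endpoints that were switched on.
    Calls engine.update() once, and only if something actually changed.
    """
    wanted = str(interface_id)  # interface ids are strings, e.g. '0' or '2.200'
    endpoints = list(engine.vpn.internal_endpoint)
    matched, changed = [], []
    for ie in endpoints:
        if ie.interface_id != wanted:
            continue
        matched.append(ie.name)
        # Assumption: ipsec_vpn can be read back, not only assigned.
        if not ie.ipsec_vpn:
            ie.ipsec_vpn = True
            changed.append(ie.name)
    if not matched:
        # Fail loudly instead of silently committing nothing.
        known = sorted({ie.interface_id for ie in endpoints})
        raise LookupError("no internal endpoint on interface %s (have: %s)"
                          % (wanted, ", ".join(known)))
    if changed:
        engine.update()  # without this the change is never committed
    return changed


def make_demo_engine():
    """Constructed stand-in for Engine('myfirewall'); not an smc-python class."""
    rows = [("6.6.6.6", "6"), ("10.10.0.1", "0"), ("10.10.0.2", "0"),
            ("4.4.4.4", "2.200")]  # interface 0 carries two addresses
    endpoints = [SimpleNamespace(name=n, interface_id=i, ipsec_vpn=False)
                 for n, i in rows]
    engine = SimpleNamespace(vpn=SimpleNamespace(internal_endpoint=endpoints),
                             commits=0)
    engine.update = lambda: setattr(engine, "commits", engine.commits + 1)
    return engine


if __name__ == "__main__":
    demo = make_demo_engine()
    print(enable_ipsec_on_interface(demo, 0))        # both endpoints on interface 0
    print(enable_ipsec_on_interface(demo, "2.200"))  # VLAN sub-interface id
    print(demo.commits)                              # one commit per real change
```

Against a real SMC, pass Engine('myfirewall') instead of the stand-in; the returned list is a record of exactly which addresses now terminate VPN.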
smc.core.engine.InternalEndpoint
smc.core.engine.InternalGateway
Represents classes responsible for configuring interfaces on engines
smc.core.collection
smc.core.interfaces
InterfaceOptions
QoS
smc.core.sub_interfaces.LoopbackInterface
smc.core.sub_interfaces.LoopbackClusterInterface
PhysicalInterface
Layer3PhysicalInterface
ClusterPhysicalInterface
VirtualPhysicalInterface
TunnelInterface
smc.core.sub_interfaces
smc.core.contact_address
smc.core.node
smc.core.node.ApplianceInfo
smc.core.node.ApplianceStatus
smc.core.node.HardwareStatus
smc.core.node.Status
smc.core.node.InterfaceStatus
smc.core.node.Debug
smc.core.resource
smc.core.route
Routing
Antispoofing
Route
PolicyRoute
smc.core.resource.Snapshot
smc.core.engine.VirtualResource
smc.core.engines
IPS
Layer3Firewall
Layer2Firewall
Layer3VirtualEngine
FirewallCluster
MasterEngine
MasterEngineCluster
smc.routing.route_map
smc.routing.route_map.Metric
smc.routing.route_map.Condition
smc.routing.access_list
smc.routing.access_list.AccessListEntry
smc.routing.prefix_list
smc.routing.prefix_list.PrefixListEntry
smc.routing.bgp
AutonomousSystem
ExternalBGPPeer
BGPPeering
BGPProfile
BGPConnectionProfile
smc.routing.bgp_access_list.ASPathAccessList
smc.routing.bgp_access_list.ASPathListEntry
smc.routing.bgp_access_list.CommunityAccessList
smc.routing.bgp_access_list.CommunityListEntry
smc.routing.bgp_access_list.ExtendedCommunityAccessList
smc.routing.bgp_access_list.ExtCommunityListEntry
smc.routing.ospf
OSPFArea
OSPFKeyChain
OSPFProfile
OSPFDomainSetting
OSPFInterfaceSetting
smc.policy.policy
smc.policy.interface
smc.policy.file_filtering
smc.policy.layer3
smc.policy.policy.InspectionPolicy
smc.policy.ips
smc.policy.layer2
smc.policy.qos
Sub Policies are referenced from within a normal policy as a parameter to a 'jump' action. They provide rule encapsulation for similar rules and can be delegated to an Admin User for more granular policy control.
smc.policy.layer3.FirewallSubPolicy
Represents classes responsible for configuring rule types.
smc.policy.rule.Rule
smc.policy.rule.IPv4Rule
smc.policy.rule.IPv4Layer2Rule
smc.policy.rule.EthernetRule
smc.policy.rule.IPv6Rule
smc.policy.rule_nat.NATRule
smc.policy.rule_nat.IPv4NATRule
smc.policy.rule_nat.IPv6NATRule
smc.policy.rule_elements
smc.policy.rule_elements.RuleElement
Source
Destination
Service
Action
ConnectionTracking
LogOptions
AuthenticationOptions
MatchExpression
smc.policy.rule_nat
DynamicSourceNAT
StaticSourceNAT
Represents classes responsible for configuring VPN settings such as PolicyVPN, RouteVPN and all associated configurations.
Note
See API reference documentation on the Engine for instructions on how to enable the engine for VPN.
smc.vpn.policy.PolicyVPN
smc.vpn.route
smc.vpn.elements
ExternalGateway
ExternalEndpoint
smc.vpn.elements.VPNSite
Other elements associated with VPN configurations
smc.vpn.elements.GatewaySettings
smc.vpn.policy.GatewayNode
smc.vpn.elements.GatewayProfile
smc.vpn.policy.GatewayTreeNode
smc.vpn.policy.GatewayTunnel
smc.base.collection
ElementCollection
CollectionManager
SubElementCollection
CreateCollection
rule_collection
Search
smc.base.structs
BaseIterable
SerializedIterable
smc.api.common
Operations that involve REST calls to the SMC return an SMCResult object. This object holds attributes that are useful for determining whether the operation was successful and, if not, the reason. An SMCResult is handled automatically and uses exceptions to provide statuses between modules and user interaction. The simplest way to get access to an SMCResult directly is to make an SMCRequest using smc.base.model.prepared_request and observe the attributes in the return message. All response data is serialized into the SMCResult.json attribute when it is received from the SMC.
smc.api.web
Example of using SMCRequest to fetch an element by href, returning an SMCResult:
>>> vars(SMCRequest(href='http://1.1.1.1:8082/6.2/elements/host/978').read())
{'code': 200, 'content': None, 'json': {u'comment': u'this is a searchable comment', u'read_only': False, u'ipv6_address': u'2001:db8:85a3::8a2e:370:7334', u'name': u'kali', u'third_party_monitoring': {u'netflow': False, u'snmp_trap': False}, u'system': False, u'link': [{u'href': u'http://1.1.1.1:8082/6.2/elements/host/978', u'type': u'host', u'rel': u'self'}, {u'href': u'http://1.1.1.1:8082/6.2/elements/host/978/export', u'rel': u'export'}, {u'href': u'http://1.1.1.1:8082/6.2/elements/host/978/search_category_tags_from_element', u'rel': u'search_category_tags_from_element'}], u'key': 978, u'address': u'1.1.11.1', u'secondary': [u'7.7.7.7']}, 'href': None, 'etag': '"OTc4MzExMzkxNDk2MzI1MTMyMDI4"', 'msg': None}
smc.core.waiters
Exceptions thrown throughout smc-python. Be sure to check functions or class methods that have raises documentation. All exception classes subclass SMCException.
smc.api.exceptions