This repository has been archived by the owner on Oct 19, 2023. It is now read-only.

reference.rst

API Reference

Session

smc.api.session

Session

Element

smc.base.model.ElementBase

smc.base.model.Element

objects(self):

Interface to element collections. All classes inheriting from Element can access collections through this class property:

for host in Host.objects.all():
    ...

Fetch a single entry:

host = Host.objects.filter('myhost')
...

For more information on collections, see: smc.base.collection.CollectionManager

smc.base.model.SubElement

smc.base.model.UserElement

smc.core.resource.History

Administration

Access Rights

Access Rights provide the ability to create administrative accounts and assign or create specific access control lists and roles to these accounts.

AccessControlList

smc.administration.access_rights.AccessControlList

Administrators

smc.elements.user

Permission

smc.administration.access_rights.Permission

Roles

smc.administration.role

Certificates

TLSCommon

smc.administration.certificates.tls_common

TLSServerCredential

smc.administration.certificates.tls

TLSServerCredential

TLSProfile

TLSProfile

TLSIdentity

TLSIdentity

TLSCryptographySuite

TLSCryptographySuite

ClientProtectionCA

ClientProtectionCA

Domains

smc.administration.system.AdminDomain

License

smc.administration.license

Scheduled Tasks

smc.administration.scheduled_tasks

Reports

smc.administration.reports

System

smc.administration.system

Tasks

smc.administration.tasks

Updates

smc.administration.updates

Engine Upgrade

EngineUpgrade

Dynamic Update

UpdatePackage

Elements

Elements used for various configuration areas within SMC. Element types are made up of network, service groups and other.

Network

smc.elements.network

Alias

Alias

AddressRange

AddressRange

DomainName

DomainName

Expression

Expression

Host

Host

IPList

IPList

Network

Network

Router

Router

URLListApplication

URLListApplication

Zone

Zone

smc.elements.netlink

Services

smc.elements.service

EthernetService

EthernetService

ICMPService

ICMPService

ICMPIPv6Service

ICMPIPv6Service

IPService

IPService

TCPService

TCPService

UDPService

UDPService

URLCategory

URLCategory

With Protocol

smc.elements.protocols

Groups

smc.elements.group

ICMPServiceGroup

ICMPServiceGroup

IPServiceGroup

IPServiceGroup

Group

Group

ServiceGroup

ServiceGroup

TCPServiceGroup

TCPServiceGroup

UDPServiceGroup

UDPServiceGroup

URLCategoryGroup

URLCategoryGroup

Servers

smc.elements.servers

LogServer

LogServer

ManagementServer

ManagementServer

DNSServer

DNSServer

HttpProxy

HttpProxy

ProxyServer

ProxyServer

Other

smc.elements.other

Blacklist

Blacklist

Category

Category

CategoryTag

CategoryTag

FilterExpression

FilterExpression

Location

Location

LogicalInterface

LogicalInterface

MacAddress

MacAddress

HTTPSInspectionExceptions

HTTPSInspectionExceptions

Situations

smc.elements.situations

Profiles

Profiles are generic container settings that are used in other areas of the SMC configuration. Each profile should document its usage and how it is referenced.

DNSRelayProfile

smc.elements.profiles

SNMPAgent

SNMPAgent

Engine

smc.core.engine

AddOn

smc.core.addon

AntiVirus

smc.core.addon.AntiVirus

FileReputation

smc.core.addon.FileReputation

SidewinderProxy

smc.core.addon.SidewinderProxy

UrlFiltering

smc.core.addon.UrlFiltering

Sandbox

smc.core.addon.Sandbox

TLSInspection

smc.core.addon.TLSInspection

Dynamic Routing

Represents classes responsible for configuring dynamic routing protocols

OSPF

For more information on creating OSPF elements and enabling on a layer 3 engine:

smc.routing.ospf

BGP

For more information on creating BGP elements and enabling on a layer 3 engine:

smc.routing.bgp

General

DefaultNAT

smc.core.general.DefaultNAT

RankedDNSAddress

smc.core.general.RankedDNSAddress

smc.core.general.DNSEntry

DNS Relay

smc.core.general.DNSRelay

SNMP

smc.core.general.SNMP

Layer2Settings

smc.core.general.Layer2Settings

VPN

Provisioning a firewall for VPN consists of the following steps:

  • Enable VPN on an interface (InternalEndpoint)
  • Optionally add VPN sites with protected networks

Note

By default, Stonesoft firewalls provide a capability that allows the protected VPN networks to be identified based on the routing table.

It is still possible to override this setting and add your own custom VPN sites as needed.

Once the firewall has VPN enabled, you must also assign the FW to a specified Policy VPN as a central or satellite gateway.

The entry point for enabling the VPN on an engine is under the engine resource smc.core.engine.Engine.vpn.

Enabling IPsec on an interface is done by accessing the engine resource and finding the correct InternalEndpoint for which to enable the VPN. Internal endpoints are not exactly interface maps; instead, they identify all addresses on a given firewall capable of running VPN. A single interface can have more than one internal endpoint if the interface has multiple IP addresses assigned.

>>> from smc.core.engine import Engine
>>> engine = Engine('myfirewall')
>>> for ie in engine.vpn.internal_endpoint:
...   ie
... 
InternalEndpoint(name=6.6.6.6)
InternalEndpoint(name=10.10.0.1)
InternalEndpoint(name=11.11.11.11)
InternalEndpoint(name=4.4.4.4)
InternalEndpoint(name=10.10.10.1) 

Notice that internal endpoints are referenced by their IP address and not their interface. The interface is available as an attribute on the endpoint to make it easier to find the correct interface:

>>> for ie in engine.vpn.internal_endpoint:
...   print(ie, ie.interface_id)
... 
(InternalEndpoint(name=6.6.6.6), u'6')
(InternalEndpoint(name=10.10.0.1), u'0')
(InternalEndpoint(name=11.11.11.11), u'11')
(InternalEndpoint(name=4.4.4.4), u'2.200')
(InternalEndpoint(name=10.10.10.1), u'1')

To enable VPN on interface 0, obtain the matching endpoint and enable it:

>>> for ie in engine.vpn.internal_endpoint:
...   if ie.interface_id == '0':
...     ie.ipsec_vpn = True

Note

Once you've enabled the interface for VPN, you must also call engine.update() to commit the change.

The second step (optional) is to add VPN sites to the firewall. VPN Sites define a group of protected networks that can be applied to the VPN.

For example, add a new VPN site called wireless with a new network element that we'll create beforehand.

>>> from smc.elements.network import Network
>>> net = Network.get_or_create(name='wireless', ipv4_network='192.168.5.0/24')
>>> engine.vpn.add_site(name='wireless', site_elements=[net])
VPNSite(name=wireless)
>>> list(engine.vpn.sites)
[VPNSite(name=dingo - Primary Site), VPNSite(name=wireless)]

Once the engine is enabled for VPN, see smc.vpn.policy.PolicyVPN for information on how to create a PolicyVPN and add engines.
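A helper for the first step above that enables IPsec on exactly one internal endpoint and refuses to guess when an interface carries several addresses (an added example, not part of smc-python). The `name` attribute, the function names and the `Fake*` stand-in classes are assumptions made so the block runs without an SMC.

```python
# Stand-in classes (constructed) so the helper runs offline; with smc-python,
# pass a real smc.core.engine.Engine instead of FakeEngine.
class FakeEndpoint:
    def __init__(self, name, interface_id, ipsec_vpn=False):
        self.name = name                  # assumed attribute, as shown in the repr
        self.interface_id = interface_id  # string, e.g. '0' or '2.200'
        self.ipsec_vpn = ipsec_vpn

class FakeVPN:
    def __init__(self, endpoints):
        self.internal_endpoint = endpoints

class FakeEngine:
    def __init__(self, endpoints):
        self.vpn = FakeVPN(endpoints)
        self.updates = 0                  # counts commits, for the test only
    def update(self):
        self.updates += 1

def enable_ipsec(engine, interface_id, address=None):
    """Enable IPsec on exactly one internal endpoint, then commit.

    `address` selects one endpoint when an interface carries several IPs.
    """
    matches = [ie for ie in engine.vpn.internal_endpoint
               if ie.interface_id == str(interface_id)
               and (address is None or ie.name == address)]
    if not matches:
        raise LookupError("no internal endpoint on interface %s" % interface_id)
    if len(matches) > 1:
        names = ", ".join(ie.name for ie in matches)
        raise ValueError("interface %s has endpoints %s; pass address="
                         % (interface_id, names))
    endpoint = matches[0]
    if not endpoint.ipsec_vpn:
        endpoint.ipsec_vpn = True
        engine.update()  # without this call the change is not committed
    return endpoint

def ipsec_enabled(engine):
    """Addresses that currently have IPsec enabled, for review after a change."""
    return sorted(ie.name for ie in engine.vpn.internal_endpoint if ie.ipsec_vpn)

def sample_engine():
    """Constructed data: interface 0 has two addresses, interface 1 has one."""
    return FakeEngine([FakeEndpoint("10.10.0.1", "0"),
                       FakeEndpoint("10.10.0.2", "0"),
                       FakeEndpoint("10.10.10.1", "1")])
```

Calling `ipsec_enabled(engine)` after a change lists every address that now has IPsec enabled, which is a quick way to confirm that only the intended endpoint was switched on.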

InternalEndpoint

smc.core.engine.InternalEndpoint

InternalGateway

smc.core.engine.InternalGateway

Interfaces

Represents classes responsible for configuring interfaces on engines

InterfaceCollections

smc.core.collection

smc.core.interfaces

InterfaceOptions

InterfaceOptions

QoS

QoS

LoopbackInterface

smc.core.sub_interfaces.LoopbackInterface

LoopbackClusterInterface

smc.core.sub_interfaces.LoopbackClusterInterface

PhysicalInterface

PhysicalInterface

Layer3PhysicalInterface

Layer3PhysicalInterface

Layer2PhysicalInterface

Layer3PhysicalInterface

ClusterPhysicalInterface

ClusterPhysicalInterface

VirtualPhysicalInterface

VirtualPhysicalInterface

TunnelInterface

TunnelInterface

Sub-Interfaces

smc.core.sub_interfaces

InterfaceContactAddress

smc.core.contact_address

Node

smc.core.node

Appliance Info

smc.core.node.ApplianceInfo

Appliance Status

smc.core.node.ApplianceStatus

Hardware Status

smc.core.node.HardwareStatus

smc.core.node.Status

Interface Status

smc.core.node.InterfaceStatus

Debug

smc.core.node.Debug

Pending Changes

smc.core.resource

Routing

smc.core.route

Routing

Routing

Antispoofing

Antispoofing

Route Table

Route

Policy Routing

PolicyRoute

Snapshot

smc.core.resource.Snapshot

VirtualResource

smc.core.engine.VirtualResource

Engine Types

smc.core.engines

IPS

IPS

Layer3Firewall

Layer3Firewall

Layer2Firewall

Layer2Firewall

Layer3VirtualEngine

Layer3VirtualEngine

FirewallCluster

FirewallCluster

MasterEngine

MasterEngine

MasterEngineCluster

MasterEngineCluster

Dynamic Routing Elements

RouteMap

smc.routing.route_map

smc.routing.route_map.Metric

smc.routing.route_map.Condition

IPAccessList

smc.routing.access_list

smc.routing.access_list.AccessListEntry

IPPrefixList

smc.routing.prefix_list

smc.routing.prefix_list.PrefixListEntry

BGP Elements

smc.routing.bgp

AutonomousSystem

AutonomousSystem

ExternalBGPPeer

ExternalBGPPeer

BGPPeering

BGPPeering

BGPProfile

BGPProfile

BGPConnectionProfile

BGPConnectionProfile

ASPathAccessList

smc.routing.bgp_access_list.ASPathAccessList

smc.routing.bgp_access_list.ASPathListEntry

CommunityAccessList

smc.routing.bgp_access_list.CommunityAccessList

smc.routing.bgp_access_list.CommunityListEntry

ExtendedCommunityAccessList

smc.routing.bgp_access_list.ExtendedCommunityAccessList

smc.routing.bgp_access_list.ExtCommunityListEntry

OSPF Elements

smc.routing.ospf

OSPFArea

OSPFArea

OSPFKeyChain

OSPFKeyChain

OSPFProfile

OSPFProfile

OSPFDomainSetting

OSPFDomainSetting

OSPFInterfaceSetting

OSPFInterfaceSetting

Policies

smc.policy.policy

InterfacePolicy

smc.policy.interface

FileFilteringPolicy

smc.policy.file_filtering

FirewallPolicy

smc.policy.layer3

InspectionPolicy

smc.policy.policy.InspectionPolicy

IPSPolicy

smc.policy.ips

Layer2Policy

smc.policy.layer2

QoSPolicy

smc.policy.qos

Sub Policies

Sub Policies are referenced from within a normal policy as a parameter to a 'jump' action. They provide rule encapsulation for similar rules and can be delegated to an Admin User for more granular policy control.

FirewallSubPolicy

smc.policy.layer3.FirewallSubPolicy

Rules

Represents classes responsible for configuring rule types.

Rule

smc.policy.rule.Rule

IPv4Rule

smc.policy.rule.IPv4Rule

IPv4Layer2Rule

smc.policy.rule.IPv4Layer2Rule

EthernetRule

smc.policy.rule.EthernetRule

IPv6Rule

smc.policy.rule.IPv6Rule

NATRule

smc.policy.rule_nat.NATRule

IPv4NATRule

smc.policy.rule_nat.IPv4NATRule

IPv6NATRule

smc.policy.rule_nat.IPv6NATRule

RuleElements

smc.policy.rule_elements

smc.policy.rule_elements.RuleElement

Source

Source

Destination

Destination

Service

Service

Action

Action

ConnectionTracking

ConnectionTracking

LogOptions

LogOptions

AuthenticationOptions

AuthenticationOptions

MatchExpression

MatchExpression

NATElements

smc.policy.rule_nat

DynamicSourceNAT

DynamicSourceNAT

StaticSourceNAT

StaticSourceNAT

DynamicSourceNAT

DynamicSourceNAT

VPN

Represents classes responsible for configuring VPN settings such as PolicyVPN, RouteVPN and all associated configurations.

Note

See API reference documentation on the Engine for instructions on how to enable the engine for VPN.

PolicyVPN

smc.vpn.policy.PolicyVPN

RouteVPN

smc.vpn.route

Gateways

ExternalGateway

smc.vpn.elements

ExternalGateway

ExternalEndpoint

ExternalEndpoint

VPNSite

smc.vpn.elements.VPNSite

Other Elements

Other elements associated with VPN configurations

GatewaySettings

smc.vpn.elements.GatewaySettings

GatewayNode

smc.vpn.policy.GatewayNode

GatewayProfile

smc.vpn.elements.GatewayProfile

GatewayTreeNode

smc.vpn.policy.GatewayTreeNode

GatewayTunnel

smc.vpn.policy.GatewayTunnel

Collections Reference

smc.base.collection

ElementCollection

ElementCollection

CollectionManager

SubElementCollection

SubElementCollection

CreateCollection

CreateCollection

RuleCollection

rule_collection

Search

BaseIterable

smc.base.structs

BaseIterable

SerializedIterable

SerializedIterable

Advanced Usage

SMCRequest

smc.api.common

SMCResult

Operations that involve REST calls to the SMC return an SMCResult object. Its attributes indicate whether the operation was successful and, if not, the reason. An SMCResult is handled automatically and uses exceptions to provide statuses between modules and user interaction. The simplest way to get access to an SMCResult directly is to make an SMCRequest using smc.base.model.prepared_request and observe the attributes in the return message. All response data is serialized into the SMCResult.json attribute when it is received from the SMC.

smc.api.web

Example of using SMCRequest to fetch an element by href, returning an SMCResult:

>>> from smc.api.common import SMCRequest
>>> vars(SMCRequest(href='http://1.1.1.1:8082/6.2/elements/host/978').read())
{'code': 200, 'content': None, 'json': {u'comment': u'this is a searchable comment', u'read_only': False, u'ipv6_address': u'2001:db8:85a3::8a2e:370:7334', u'name': u'kali', u'third_party_monitoring': {u'netflow': False, u'snmp_trap': False}, u'system': False, u'link': [{u'href': u'http://1.1.1.1:8082/6.2/elements/host/978', u'type': u'host', u'rel': u'self'}, {u'href': u'http://1.1.1.1:8082/6.2/elements/host/978/export', u'rel': u'export'}, {u'href': u'http://1.1.1.1:8082/6.2/elements/host/978/search_category_tags_from_element', u'rel': u'search_category_tags_from_element'}], u'key': 978, u'address': u'1.1.11.1', u'secondary': [u'7.7.7.7']}, 'href': None, 'etag': '"OTc4MzExMzkxNDk2MzI1MTMyMDI4"', 'msg': None}

Waiters

smc.core.waiters

Exceptions

Exceptions thrown throughout smc-python. Be sure to check functions or class methods that have raises documentation. All exception classes subclass SMCException.

smc.api.exceptions