diff --git a/documentation/revision-history-main.md b/documentation/revision-history-main.md index ac99967b7..004940477 100644 --- a/documentation/revision-history-main.md +++ b/documentation/revision-history-main.md @@ -391,3 +391,7 @@ Maintenance release - owner-filtering for new report type - new setting for email recipients - owner-import custom script improvements# + +# 8.3.1 - 14.08.24 MAIN +Hotfix: +- in CheckPoint importer: fix missing group members diff --git a/roles/importer/files/importer/checkpointFullR8x/cp_enrich.py b/roles/importer/files/importer/checkpointFullR8x/cp_enrich.py index 85442d477..485e30443 100644 --- a/roles/importer/files/importer/checkpointFullR8x/cp_enrich.py +++ b/roles/importer/files/importer/checkpointFullR8x/cp_enrich.py @@ -122,7 +122,15 @@ def enrich_config (config, mgm_details, limit=150, details_level=cp_const.detail 'uid': obj['uid'], 'name': obj['name'], 'color': obj['color'], 'comments': obj['comments'], 'type': 'network', 'ipv4-address': '0.0.0.0/0', } ] } ] } - ) + config['object_tables'].append(json_obj) + + elif (obj['type'] in ['Internet', 'security-zone']): + json_obj = {"object_type": "hosts", "object_chunks": [ { + "objects": [ { + 'uid': obj['uid'], 'name': obj['name'], 'color': obj['color'], + 'comments': obj['comments'], 'type': 'network', 'ipv4-address': '0.0.0.0/0', + } ] } ] } + config['object_tables'].append(json_obj) elif (obj['type'] == 'access-role'): pass # ignorning user objects else: diff --git a/roles/importer/files/importer/checkpointR8x/cp_const.py b/roles/importer/files/importer/checkpointR8x/cp_const.py index 013be4012..6f121d02d 100644 --- a/roles/importer/files/importer/checkpointR8x/cp_const.py +++ b/roles/importer/files/importer/checkpointR8x/cp_const.py 
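Review bot: The new `elif (obj['type'] in ['Internet', 'security-zone'])` branch in cp_enrich.py imports zone and Internet objects as a `0.0.0.0/0` network with no comment marking that as a placeholder, so anything downstream that evaluates rule reach would presumably read a zone-scoped rule as matching every address. A comment such as `# zones/Internet carry no address in the API reply; 0.0.0.0/0 is a deliberate over-approximation` would record the intent (the reason is inferred, not shown in the hunk). The branch also repeats the fields of the dict literal visible in the context just above it, and `obj['color']` / `obj['comments']` are indexed directly, which raises KeyError if an object of these types comes back without those fields; `obj.get('color')` and `obj.get('comments')` would be safer if that can happen. enrich_config starts and ends outside the hunk.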
@@ -1,8 +1,10 @@ -details_level = "standard" # 'standard' +details_level = "standard" +details_level_objects = "standard" +details_level_group_objects = "full" use_object_dictionary = True with_hits = True -# the following is the static across all installations unique any obj uid +# the following is the static across all installations unique any obj uid # cannot fetch the Any object via API (<=1.7) at the moment # therefore we have a workaround adding the object manually (as svc and nw) any_obj_uid = "97aeb369-9aea-11d5-bd16-0090272ccb30" @@ -11,16 +13,15 @@ original_obj_uid = "85c0f50f-6d8a-4528-88ab-5fb11d8fe16c" # used for nat only (both svc and nw obj) - nw_obj_table_names = [ - 'hosts', 'networks', 'groups', 'address-ranges', 'multicast-address-ranges', 'groups-with-exclusion', - 'gateways-and-servers', 'simple-gateways', + 'hosts', 'networks', 'groups', 'address-ranges', 'multicast-address-ranges', 'groups-with-exclusion', + 'gateways-and-servers', 'simple-gateways', 'dns-domains', 'updatable-objects-repository-content', 'interoperable-devices', 'security-zones', 'Global', 'access-roles', 'updatable-objects' ] # simple as in: no groups -simple_svc_obj_types = ['services-tcp', 'services-udp', 'services-dce-rpc', 'services-rpc', 'services-other', +simple_svc_obj_types = ['services-tcp', 'services-udp', 'services-dce-rpc', 'services-rpc', 'services-other', 'services-icmp', 'services-icmp6', 'services-sctp', 'services-gtp', 'Global'] group_svc_obj_types = ['service-groups', 'application-site-categories', 'application-sites'] 
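Review bot: The two constants added at the top of cp_const.py, `details_level_objects` and `details_level_group_objects`, sit next to the existing `details_level` with no comment saying which API call reads which. I would add `# details-level for tables in obj_types_full_fetch_needed` on the group constant and `# details-level for all other object tables` on the other, plus a short comment on `details_level` naming its remaining consumers. Which code still reads `details_level` is not visible in this hunk.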
@@ -31,8 +32,10 @@ api_obj_types = nw_obj_table_names + svc_obj_table_names + simple_user_obj_types # all obj table names to look at during import +obj_types_full_fetch_needed = ['groups', 'groups-with-exclusion', 'updatable-objects'] + group_svc_obj_types + cp_specific_object_types = [ # used for fetching enrichment data via "get object" separately (no specific API call) 'simple-gateway', 'simple-cluster', 'CpmiVsClusterNetobj', 'CpmiVsxClusterNetobj', 'CpmiVsxClusterMember', 'CpmiVsNetobj', - 'CpmiAnyObject', 'CpmiVsxNetobj', 'CpmiClusterMember', 'CpmiGatewayPlain', 'CpmiHostCkp', 'CpmiGatewayCluster', 'checkpoint-host', + 'CpmiAnyObject', 'CpmiVsxNetobj', 'CpmiClusterMember', 'CpmiGatewayPlain', 'CpmiHostCkp', 'CpmiGatewayCluster', 'checkpoint-host', 'cluster-member', 'CpmiVoipSipDomain' ] diff --git a/roles/importer/files/importer/checkpointR8x/cp_network.py b/roles/importer/files/importer/checkpointR8x/cp_network.py index b64a5d64e..77e97b146 100644 --- a/roles/importer/files/importer/checkpointR8x/cp_network.py +++ b/roles/importer/files/importer/checkpointR8x/cp_network.py @@ -83,6 +83,18 @@ def collect_nw_objects(object_table, nw_objects, debug_level=0, mgm_id=0): # TODO: handle exclusion groups, access-roles correctly if obj_type in ['updatable-object', 'access-role', 'group-with-exclusion', 'security-zone', 'dns-domain']: obj_type = 'group' + + if obj_type == 'group-with-exclusion': + first_ip = None + last_ip = None + obj_type = 'group' + # TODO: handle exclusion groups correctly + + if obj_type == 'security-zone': + first_ip = '0.0.0.0/32' + last_ip = '255.255.255.255/32' + obj_type = 'network' + if obj_type == 'group': first_ip = None last_ip = None diff --git a/roles/importer/files/importer/checkpointR8x/fwcommon.py b/roles/importer/files/importer/checkpointR8x/fwcommon.py index ff6c4981b..2ed1da782 100644 --- a/roles/importer/files/importer/checkpointR8x/fwcommon.py +++ b/roles/importer/files/importer/checkpointR8x/fwcommon.py 
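Review bot: `obj_types_full_fetch_needed` pulls in all of `group_svc_obj_types`, so `application-site-categories` and `application-sites` are now fetched at `details_level_group_objects = "full"` along with the actual group tables. If only member lists were missing, as the changelog entry suggests, naming `'service-groups'` explicitly would keep the application tables at standard detail: `obj_types_full_fetch_needed = ['groups', 'groups-with-exclusion', 'updatable-objects', 'service-groups']`. Whether the application tables need full detail cannot be told from this hunk, so this is a question for the author rather than a required change. Since fwcommon.py only uses the name for membership tests, a tuple or frozenset would also make clear that it is a constant.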
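Review bot: Both branches added to collect_nw_objects look unreachable, because the context line directly above them already sets `obj_type = 'group'` for every type in its list, and that list still contains `'group-with-exclusion'` and `'security-zone'`. As written, a security zone would still be stored as a group with `first_ip` and `last_ip` set to None, not as the 0.0.0.0 to 255.255.255.255 network the new code intends, which matters for any rule analysis built on the imported objects. Dropping the two names from the earlier test, `if obj_type in ['updatable-object', 'access-role', 'dns-domain']:`, would let the new branches run. Indentation is lost in this view, so this assumes the three `if` statements are siblings; the function body continues outside the hunk.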
@@ -183,6 +183,10 @@ def get_objects(config_json, mgm_details, v_url, sid, force=False, config_filena anyObj = cp_getter.getObjectDetailsFromApi(cp_const.any_obj_uid, sid=sid, apiurl=v_url)['object_chunks'][0] for obj_type in cp_const.api_obj_types: + if obj_type in cp_const.obj_types_full_fetch_needed: + show_params_objs.update({'details-level': cp_const.details_level_group_objects}) + else: + show_params_objs.update({'details-level': cp_const.details_level_objects}) object_table = { "object_type": obj_type, "object_chunks": [] } current=0 total=current+1
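Review bot: The `if`/`else` added at the top of the `for obj_type in cp_const.api_obj_types` loop writes the same key in both arms, so it reads more directly as one assignment: `show_params_objs['details-level'] = cp_const.details_level_group_objects if obj_type in cp_const.obj_types_full_fetch_needed else cp_const.details_level_objects`. A comment above it, for example `# group-like tables are fetched at full detail so their member lists are complete`, would tie the code to the changelog entry. `show_params_objs` is defined outside the hunk; if it is shared with other callers, the value left in it after the loop is whatever the last table type selected. get_objects starts and ends outside the hunk.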