Merge pull request CactuseSecurity#2869 from alf-cactus/develop

extend fortinet importer

Author: tpurschke

roles/importer/files/importer/fortiadom5ff/fmgr_gw_networking.py

@@ -62,12 +62,12 @@ def normalize_network_data(native_config, normalized_config, mgm_details):
         normalized_config['routing'].sort(key=getRouteDestination,reverse=True)
 
         for interface in native_config['interfaces_per_device/' + full_vdom_name]:
-            if interface['ipv6']['ip6-address']!='::/0':
+            if 'ipv6' in interface and 'ip6-address' in interface['ipv6'] and interface['ipv6']['ip6-address']!='::/0':
                 ipv6, netmask_bits = interface['ipv6']['ip6-address'].split('/')
                 normIfV6 = Interface(dev_id, interface['name'], IPAddress(ipv6), netmask_bits, ip_version=6)
                 normalized_config['interfaces'].append(normIfV6)
 
-            if interface['ip']!=['0.0.0.0','0.0.0.0']:
+            if 'ip' in interface and interface['ip']!=['0.0.0.0','0.0.0.0']:
                 ipv4 = IPAddress(interface['ip'][0])
                 netmask_bits = IPAddress(interface['ip'][1]).netmask_bits()
                 normIfV4 = Interface(dev_id, interface['name'], ipv4, netmask_bits, ip_version=4)

roles/importer/files/importer/fortiadom5ff/fmgr_network.py

@@ -103,6 +103,22 @@ def normalize_nwobjects(full_config, config2import, import_id, nw_obj_types, jwt
             obj.update({'control_id': import_id})
             nw_objects.append(obj)
 
+    # dynamic objects have different return structure
+    if 'response' in full_config['nw_obj_global_firewall/internet-service-basic'][0] and 'results' in full_config['nw_obj_global_firewall/internet-service-basic'][0]['response']:
+        for obj_orig in full_config['nw_obj_global_firewall/internet-service-basic'][0]['response']['results']:
+            if 'name' in obj_orig and 'q_origin_key' in obj_orig:
+                obj = {
+                    'obj_name': obj_orig['name'],
+                    'obj_typ': 'network',
+                    'obj_ip': '0.0.0.0/0',
+                    'obj_uid': 'q_origin_key_' + str(obj_orig['q_origin_key']),
+                    'control_id': import_id,
+                    'obj_zone': 'global'
+                    }
+                nw_objects.append(obj)
+    else:
+        logger.warning("internet service objects return format broken")
+
     # finally add "Original" network object for natting
     original_obj_name = 'Original'
     original_obj_uid = 'Original'
@@ -189,7 +205,11 @@ def get_first_ip_of_destination(obj_ref, config2import):
 
     for obj in config2import['network_objects']:
         if 'obj_uid' in obj and obj['obj_uid']==obj_ref:
-            return obj['obj_ip']
+            if 'obj_type' in obj and obj['obj_type']=='group':
+                if 'obj_member_refs' in obj and list_delimiter in obj['obj_member_refs']:
+                    return get_first_ip_of_destination(obj['obj_member_refs'].split(list_delimiter)[0], config2import)
+            elif 'obj_ip' in obj:
+                return obj['obj_ip']
     logger.warning('src nat behind interface: found no IP info for destination object ' + obj_ref)
     return None
 
@@ -210,13 +230,14 @@ def resolve_raw_objects (obj_name_string_list, delimiter, obj_dict, name_key, ui
         if rule_type is not None:
             if obj_type == 'network':
                 if 'v4' in rule_type and 'global' in rule_type:
-                    object_tables = [obj_dict['nw_obj_global_firewall/address'], obj_dict['nw_obj_global_firewall/addrgrp']]
+                    object_tables = [obj_dict['nw_obj_global_firewall/address'], obj_dict['nw_obj_global_firewall/addrgrp'], obj_dict['nw_obj_global_firewall/internet-service-basic'][0]['response']['results']]
                 elif 'v6' in rule_type and 'global' in rule_type:
                     object_tables = [obj_dict['nw_obj_global_firewall/address6'], obj_dict['nw_obj_global_firewall/addrgrp6']]
                 elif 'v4' in rule_type and 'adom' in rule_type:
                     object_tables = [obj_dict['nw_obj_adom_firewall/address'], obj_dict['nw_obj_adom_firewall/addrgrp'], \
                         obj_dict['nw_obj_global_firewall/address'], obj_dict['nw_obj_global_firewall/addrgrp'], \
-                        obj_dict['nw_obj_adom_firewall/vip'] ]
+                        obj_dict['nw_obj_adom_firewall/vip'], obj_dict['nw_obj_adom_system/external-resource'], \
+                        obj_dict['nw_obj_global_firewall/internet-service-basic'][0]['response']['results'] ]
                 elif 'v6' in rule_type and 'adom' in rule_type:
                     object_tables = [obj_dict['nw_obj_adom_firewall/address6'], obj_dict['nw_obj_adom_firewall/addrgrp6'], \
                         obj_dict['nw_obj_global_firewall/address6'], obj_dict['nw_obj_global_firewall/addrgrp6']]
@@ -235,7 +256,13 @@ def resolve_raw_objects (obj_name_string_list, delimiter, obj_dict, name_key, ui
                     else:
                         for obj in tab:
                             if obj[name_key] == el:
-                                ref_list.append(obj[uid_key])
+                                if uid_key in obj:
+                                    ref_list.append(obj[uid_key])
+                                # in case of internet-service-object we find no uid field, but custom q_origin_key_
+                                elif 'q_origin_key' in obj:
+                                    ref_list.append('q_origin_key_' + str(obj['q_origin_key']))
+                                else:
+                                    logger.error('found object without expected uid')
                                 break_flag = True
                                 found = True
                                 break

roles/importer/files/importer/fortiadom5ff/fmgr_rule.py

@@ -184,6 +184,7 @@ def normalize_access_rules(full_config, config2import, import_id, mgm_details={}
                     rule['rule_svc'] = extend_string_list(rule['rule_svc'], rule_orig, 'service', list_delimiter, jwt=jwt, import_id=import_id)
                     rule['rule_src'] = extend_string_list(rule['rule_src'], rule_orig, 'srcaddr6', list_delimiter, jwt=jwt, import_id=import_id)
                     rule['rule_dst'] = extend_string_list(rule['rule_dst'], rule_orig, 'dstaddr6', list_delimiter, jwt=jwt, import_id=import_id)
+                    rule['rule_src'] = extend_string_list(rule['rule_src'], rule_orig, 'internet-service-src-name', list_delimiter, jwt=jwt, import_id=import_id)
 
                     if len(rule_orig['srcintf'])>0:
                         src_obj_zone = fmgr_zone.add_zone_if_missing (config2import, rule_orig['srcintf'][0], import_id)
@@ -194,6 +195,8 @@ def normalize_access_rules(full_config, config2import, import_id, mgm_details={}
 
                     if 'srcaddr-negate' in rule_orig:
                         rule.update({ 'rule_src_neg': rule_orig['srcaddr-negate']=='disable'})
+                    elif 'internet-service-src-negate' in rule_orig:
+                        rule.update({ 'rule_src_neg': rule_orig['internet-service-src-negate']=='disable'})
                     if 'dstaddr-negate' in rule_orig:
                         rule.update({ 'rule_dst_neg': rule_orig['dstaddr-negate']=='disable'})
                     if 'service-negate' in rule_orig:
@@ -411,9 +414,9 @@ def handle_combined_nat_rule(rule, rule_orig, config2import, nat_rule_number, im
                 if hideInterface is not None:
                     obj_name = 'hide_IF_ip_' + str(hideInterface) + '_' + str(destination_interface_ip)
                     obj_comment = 'FWO auto-generated dummy object for source nat'
-                    if type(ipaddress.ip_address(str(destination_interface_ip))) is ipaddress.IPv6Address:
+                    if destination_interface_ip is not None and type(ipaddress.ip_address(str(destination_interface_ip))) is ipaddress.IPv6Address:
                         HideNatIp = str(destination_interface_ip) + '/128'
-                    elif type(ipaddress.ip_address(str(destination_interface_ip))) is ipaddress.IPv4Address:
+                    elif destination_interface_ip is not None and type(ipaddress.ip_address(str(destination_interface_ip))) is ipaddress.IPv4Address:
                         HideNatIp = str(destination_interface_ip) + '/32'
                     else:
                         HideNatIp = '0.0.0.0/32'

roles/importer/files/importer/fortiadom5ff/fwcommon.py

@@ -14,7 +14,7 @@
 
 scope = ['global', 'adom']
 nw_obj_types = ['firewall/address', 'firewall/address6', 'firewall/addrgrp',
-                'firewall/addrgrp6', 'firewall/ippool', 'firewall/vip']
+                'firewall/addrgrp6', 'firewall/ippool', 'firewall/vip', 'system/external-resource']
 svc_obj_types = ['application/list', 'application/group', 'application/categories',
                  'application/custom', 'firewall/service/custom', 'firewall/service/group']
 
@@ -107,6 +107,7 @@ def get_config(config2import, full_config, current_import_id, mgm_details, limit
 
 
 def getObjects(sid, fm_api_url, raw_config, adom_name, limit, scope, nw_obj_types, svc_obj_types):
+    logger = getFwoLogger()
     # get those objects that exist globally and on adom level
     for s in scope:
         # get network objects:
@@ -137,6 +138,35 @@ def getObjects(sid, fm_api_url, raw_config, adom_name, limit, scope, nw_obj_type
                 adom_scope = s
             fmgr_getter.update_config_with_fortinet_api_call(
                 raw_config, sid, fm_api_url, "/pm/config/"+adom_scope+"/obj/" + object_type, "user_obj_" + s + "_" + object_type, limit=limit)
+            
+    # get one arbitrary device and vdom to get dynamic objects
+    # they are equal across all adoms, vdoms, devices
+    devices = fmgr_getter.fortinet_api_call(sid, fm_api_url, '/dvmdb/adom/' + adom_name + '/device')
+    if len(devices)>0 and 'name' in devices[0] and 'vdom' in devices[0] and 'name' in devices[0]['vdom'][0]:
+        arbitraryDevice = devices[0]['name']
+        arbitraryVdom = devices[0]['vdom'][0]['name']
+    else:
+        logger.error('no device or vdom info for adom: ' + adom_name)
+
+    # get dynamic objects
+    payload = {
+        'params': [
+            {
+                'data': {
+                    'action': 'get',
+                    'resource': '/api/v2/monitor/firewall/internet-service-basic?vdom=' + arbitraryVdom,
+                    'target': [
+                        'adom/' + adom_name + '/device/' + arbitraryDevice
+                    ]
+                }
+            }
+        ]
+    }
+    fmgr_getter.update_config_with_fortinet_api_call(
+        raw_config, sid, fm_api_url, "sys/proxy/json", "nw_obj_global_firewall/internet-service-basic", limit=limit, payload=payload, method='exec')
+
+
+
 
 
 # def getZones(sid, fm_api_url, raw_config, adom_name, limit, debug_level):