Merge pull request CactuseSecurity#2512 from tpurschke/fix/cp-import-groups-missing

hotfix/missing group members in cp importer

Author: tpurschke

documentation/revision-history-main.md

@@ -391,3 +391,7 @@ Maintenance release
 - owner-filtering for new report type
 - new setting for email recipients
 - owner-import custom script improvements#
+
+# 8.3.1 - 14.08.24 MAIN
+Hotfix:
+- in CheckPoint importer: fix missing group members

inventory/group_vars/all.yml

@@ -1,5 +1,5 @@
 ### general settings
-product_version: "8.3"
+product_version: "8.3.1"
 ansible_user: "{{ lookup('env', 'USER') }}"
 ansible_become_method: sudo
 ansible_python_interpreter: /usr/bin/python3

roles/importer/files/importer/checkpointR8x/cp_const.py

@@ -1,7 +1,10 @@
-details_level = "full"    # 'standard'
-use_object_dictionary = 'false'
+details_level = "standard"
+details_level_objects = "standard"
+details_level_group_objects = "full"
+use_object_dictionary = True
+with_hits = True
 
-# the following is the static across all installations unique any obj uid 
+# the following is the static across all installations unique any obj uid
 # cannot fetch the Any object via API (<=1.7) at the moment
 # therefore we have a workaround adding the object manually (as svc and nw)
 any_obj_uid = "97aeb369-9aea-11d5-bd16-0090272ccb30"
@@ -10,26 +13,27 @@
 original_obj_uid = "85c0f50f-6d8a-4528-88ab-5fb11d8fe16c"
 # used for nat only (both svc and nw obj)
 
-
 nw_obj_table_names = [
-    'hosts', 'networks', 'groups', 'address-ranges', 'multicast-address-ranges', 'groups-with-exclusion', 
-    'gateways-and-servers', 'simple-gateways', 
+    'hosts', 'networks', 'groups', 'address-ranges', 'multicast-address-ranges', 'groups-with-exclusion',
+    'gateways-and-servers', 'simple-gateways',
     'dns-domains', 'updatable-objects-repository-content',
-    'interoperable-devices'
+    'interoperable-devices', 'security-zones', 'Global', 'access-roles', 'updatable-objects'
 ]
 
 # simple as in: no groups
-simple_svc_obj_types = ['services-tcp', 'services-udp', 'services-dce-rpc', 'services-rpc', 'services-other', 
-                        'services-icmp', 'services-icmp6', 'services-sctp', 'services-gtp']
+simple_svc_obj_types = ['services-tcp', 'services-udp', 'services-dce-rpc', 'services-rpc', 'services-other',
+                        'services-icmp', 'services-icmp6', 'services-sctp', 'services-gtp', 'Global']
 group_svc_obj_types = ['service-groups', 'application-site-categories', 'application-sites']
 
 svc_obj_table_names = group_svc_obj_types + simple_svc_obj_types + [ 'CpmiAnyObject' ]
 # usr_obj_table_names : do not exist yet - not fetchable via API
 
 api_obj_types = nw_obj_table_names + svc_obj_table_names  # all obj table names to look at during import
 
+obj_types_full_fetch_needed = ['groups', 'groups-with-exclusion', 'updatable-objects'] + group_svc_obj_types
+
 cp_specific_object_types = [    # used for fetching enrichment data via "get object" separately (no specific API call)
     'simple-gateway', 'simple-cluster', 'CpmiVsClusterNetobj', 'CpmiVsxClusterNetobj', 'CpmiVsxClusterMember', 'CpmiVsNetobj',
-    'CpmiAnyObject', 'CpmiClusterMember', 'CpmiGatewayPlain', 'CpmiHostCkp', 'CpmiGatewayCluster', 'checkpoint-host', 
-    'cluster-member'
+    'CpmiAnyObject', 'CpmiVsxNetobj', 'CpmiClusterMember', 'CpmiGatewayPlain', 'CpmiHostCkp', 'CpmiGatewayCluster', 'checkpoint-host',
+    'cluster-member', 'CpmiVoipSipDomain'
 ]

roles/importer/files/importer/checkpointR8x/cp_enrich.py

@@ -128,6 +128,14 @@ def enrich_config (config, mgm_details, limit=150, details_level=cp_const.detail
                         'comments': obj['comments'], 'type': 'network', 'ipv4-address': '0.0.0.0/0',
                         } ] } ] }
                     config['object_tables'].append(json_obj)
+
+                elif (obj['type'] in ['Internet', 'security-zone']):
+                    json_obj = {"object_type": "hosts", "object_chunks": [ {
+                        "objects": [ {
+                        'uid': obj['uid'], 'name': obj['name'], 'color': obj['color'],
+                        'comments': obj['comments'], 'type': 'network', 'ipv4-address': '0.0.0.0/0',
+                        } ] } ] }
+                    config['object_tables'].append(json_obj)
                 elif (obj['type'] == 'access-role'):
                     pass # ignorning user objects
                 else:

roles/importer/files/importer/checkpointR8x/cp_network.py

@@ -71,6 +71,11 @@ def collect_nw_objects(object_table, nw_objects, debug_level=0, mgm_id=0):
                         obj_type = 'group'
                         # TODO: handle exclusion groups correctly
 
+                    if obj_type == 'security-zone':
+                        first_ip = '0.0.0.0/32'
+                        last_ip = '255.255.255.255/32'
+                        obj_type = 'network'
+
                     if obj_type == 'group':
                         first_ip = None
                         last_ip = None

roles/importer/files/importer/checkpointR8x/fwcommon.py

@@ -181,6 +181,10 @@ def get_objects(config_json, mgm_details, v_url, sid, force=False, config_filena
     show_params_objs = {'limit':limit,'details-level': cp_const.details_level}
 
     for obj_type in cp_const.api_obj_types:
+        if obj_type in cp_const.obj_types_full_fetch_needed:
+            show_params_objs.update({'details-level': cp_const.details_level_group_objects})
+        else:
+            show_params_objs.update({'details-level': cp_const.details_level_objects})
         object_table = { "object_type": obj_type, "object_chunks": [] }
         current=0
         total=current+1