importer: CP R80 handle inline layers

[tpurschke]

design

• layer handling (domain/global rules, sections, inline layer)
  • displaying policies as similiar to CP UI as possible
  • store the rule/(sub-)policy data in DB
  • allow for correct interpretation of rule parsing in all modules (starting with filtering)
  • make sure the layers get sorted out correctly (layer in layer vs. two layers on the same level)
  • --> defining relations (owner/app/rule) in separate table see issue #885

• parse inline layers (action='inner layer'), show access rulebase (see https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/show-access-rulebase-along-with-inline-layers/td-p/33199); example:

  show access-rulebase uid be146170-a996-47c8-acfd-2b7dfb9e6d0f use-object-dictionary true  --format json

  • decide how to represent this tree structure of layers/rulebases in the database
  • find out how layer guards are defined and how to represent them in the DB
  • decide how to show access-layers in UI (simply concatenate and show as a single policy?)
  • decide how to show inline layers in UI (simply as sections?)
  • decide how to deal with shared layers (simply duplicate and treat as separate?)
  • decide how to treat layer guards (simply ignore logic for the time being?)

Docs

• https://sc1.checkpoint.com/documents/R80/APIs/#gui-cli/show-access-layer%20
• https://github.com/CactuseSecurity/firewall-orchestrator/blob/master/test/importer/CP-R8x/iso_cp_r8x_api_get_layer_names.py

Recipe

• use "show-packages" cmd to get all packages including their access-layers
• use "show access-layers" cmd to list all layer names/ids
• use "show access-layer" cmd to list a single layer and its parent rule
• use show access-rulebase to display inline layer

prerequisites

• [ ] make sure parent rule is imported before child, otherwise stored procedure insert_single_rule is not working correctly
• [x] reflect layer structure in database (to be able to display rules correctly, e.g. rule numbers)

basic features

• [x] #911
• [x] allow multiple firewall layers (e.g. application
• [x] allow for multiple packages of a management having the same layer names --> work with UIDs instead?
• [x] how to we get the correct order of layers via API (if order is relevant at all)? https://fwmgmt/web_api/show-access-layers has
• [ ] disabled layer must result in all layer rules being disabled
• [ ] display layer brackets correctly (start and end of layer must be visible)

advanced features

• [ ] add semantic logic
  • [ ] layer guard and rules within layer need to "anded"
  • [ ] layer clean-up rule only valid within layer
  • [ ] allow for non-blocking clean-up rules which result in continuing the rule base
• [ ] make sure the scenarios "multiple gateways with the same package/layer" are covered (especially in auto-discovery) - avoid processing the same data x times for each gateway? --> would need to introduce an extra table between rule and device rule_gw
• [x] second reference (in sting prod gw) to inline layer in other rulebase (sting-test) is not resolved correctly without sting-test-gw being imported.
• [ ] how to logically link layer guard with rules in layer? --> AND of src, dst & svc between layer guard and each rule in layer?
• [ ] add is-inline-layer bool switch to rule table

[tpurschke]

inline layer planning

get config --> yields rules containing actions name "inner layer" with inline-layer attribute containing "name" of the inline layer and "uid": "5dffc910-a1e1-4f92-ad0d-77348d9a1e28", "name": "InlineLayer1", "type": "access-layer", "parent-layer": "0f45100c-e4ea-4dc1-bf22-74d9d98a4811", "firewall": true,

enrich config --> get additional layers referenced in top level layers by name also handle possible recursion (inline layer containing inline layer(s))

parsing during parsing add the inline layer at the correct position

next phase: how to logically link layer guard with rules in layer? --> AND of src, dst & svc between layer guard and each rule in layer?

---

example:

      ],
      "action": {
        "uid": "ea28da66-c5ed-11e2-bc66-aa5c6188709b",
        "name": "Inner Layer",
        "type": "Global",
        "domain": {
          "uid": "a0bbbc99-adef-4ef8-bb6d-defdefdefdef",
          "name": "Check Point Data",
          "domain-type": "data domain"
        },
        "color": "none",
        "meta-info": {
          "validation-state": "ok",
          "last-modify-time": {
            "posix": 1607331033974,
            "iso-8601": "2020-12-07T09:50+0100"
          },
          "last-modifier": "System",
          "creation-time": {
            "posix": 1607331033974,
            "iso-8601": "2020-12-07T09:50+0100"
          },
          "creator": "System"
        },
        "tags": [],
        "icon": "ApplicationFirewall/Rulebase",
        "comments": "Apply inline layer in case of rule match",
        "customFields": null
      },
      "action-settings": {},
      "inline-layer": {
        "uid": "5dffc910-a1e1-4f92-ad0d-77348d9a1e28",
        "name": "InlineLayer1",
        "type": "access-layer",
        "shared": false,
        "parent-layer": "0f45100c-e4ea-4dc1-bf22-74d9d98a4811",
        "applications-and-url-filtering": false,
        "content-awareness": false,
        "mobile-access": false,
        "firewall": true,
        "implicit-cleanup-action": "drop",
        "comments": "",