CactuseSecurity / firewall-orchestrator

Network Security data repository for automation, reporting and compliance of firewall rules
https://fwo.cactus.de
Apache License 2.0

Importer: Add Dynamic Objects #2489

Open alf-cactus opened 1 month ago

alf-cactus commented 1 month ago

Dynamic Objects' IPs and ports are provided by big tech companies; they can vary daily. Firewall vendors seem to store this information in their own databases and provide it to the firewall managers via the Internet.

Checkpoint

Distinguishes between Applications (used in Service) and Updatable Objects (used in SRC and DST). I can't figure out how to get current ports for Applications or current IPs from Updatable Objects via API. The API call "show-updatable-objects-repository-content" returns an "info-url" for each Updatable Object. This URL links to non-standardized documentation pages of the Internet company. You can see this list online: https://support.checkpoint.com/results/sk/sk131852

Fortinet

Internet Services contain IPs and ports. They are stored in the Internet Services Database https://www.fortiguard.com/services/isdb. You can get all names and IDs per API (see first payload) and get a full description with IPs and ports for each individual Internet Service (see second payload).

```python
# First payload: list all Internet Services (names and IDs) of one device
# via the FortiManager JSON-RPC proxy. mySessionId is the session id
# returned by the FortiManager login call.
payload = {
    "id": 1,
    "method": "exec",
    "params": [
        {
            "data": {
                "action": "get",
                "resource": "/api/v2/monitor/firewall/internet-service-basic",
                "target": [
                    "adom/<adom>/device/<device>"
                ]
            },
            "url": "sys/proxy/json"
        }
    ],
    "session": mySessionId,
    "verbose": 1
}

# Second payload: full description (IPs and ports) of one Internet Service,
# selected by its id (here 327880), paged with start/count.
payload = {
    "id": 1,
    "method": "exec",
    "params": [
        {
            "data": {
                "action": "get",
                "resource": "/api/v2/monitor/firewall/internet-service-details?city_id=0&count=1000&country_id=0&id=327880&region_id=0&start=0",
                "target": [
                    "adom/<adom>/device/<device>"
                ]
            },
            "url": "sys/proxy/json"
        }
    ],
    "session": mySessionId,
    "verbose": 1
}
```

Possible Solution

In "network_objects" define a new "obj_typ", e.g. "dynamic". Objects of this type should be interpreted as "internet objects". That means their IPs are not 0.0.0.0/0 but come from a smaller set. This smaller set might be defined as a zone in the compliance matrix.
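An added example (not code from the issue or from firewall-orchestrator itself) that generalizes the two FortiManager proxy payloads above into builder functions and sketches the proposed "dynamic" object type with a check that its current prefixes stay inside the compliance zone assigned to it. The field names `obj_name`/`obj_ip`, the zone representation and the sample prefixes are assumptions; the Fortinet response format is not modelled because the issue does not show it.

```python
import ipaddress
from urllib.parse import urlencode


def fmg_proxy_payload(resource, adom, device, session_id, req_id=1):
    """Wrap a FortiGate monitor REST resource in a FortiManager sys/proxy/json call."""
    return {
        "id": req_id,
        "method": "exec",
        "params": [{
            "data": {
                "action": "get",
                "resource": resource,
                "target": [f"adom/{adom}/device/{device}"],
            },
            "url": "sys/proxy/json",
        }],
        "session": session_id,
        "verbose": 1,
    }


def internet_service_basic_payload(adom, device, session_id):
    """First payload from the issue: all Internet Service names and IDs."""
    return fmg_proxy_payload("/api/v2/monitor/firewall/internet-service-basic",
                             adom, device, session_id)


def internet_service_details_payload(adom, device, session_id, service_id,
                                     start=0, count=1000):
    """Second payload from the issue, query string built from parameters
    (the issue shows it for id=327880, start=0, count=1000)."""
    query = urlencode({"city_id": 0, "count": count, "country_id": 0,
                       "id": service_id, "region_id": 0, "start": start})
    return fmg_proxy_payload(
        f"/api/v2/monitor/firewall/internet-service-details?{query}",
        adom, device, session_id)


def dynamic_object(name, prefixes):
    """Network object of the proposed obj_typ 'dynamic' (assumed field names)."""
    return {"obj_name": name, "obj_typ": "dynamic",
            "obj_ip": [ipaddress.ip_network(p, strict=False) for p in prefixes]}


def outside_zone(obj, zone_prefixes):
    """Prefixes of a dynamic object that are not covered by its compliance zone,
    i.e. drift beyond the 'smaller set' the object is expected to stay within."""
    zone = [ipaddress.ip_network(z, strict=False) for z in zone_prefixes]
    return [str(p) for p in obj["obj_ip"]
            if not any(p.version == z.version and p.subnet_of(z) for z in zone)]
```

A non-empty result from `outside_zone` means the vendor-supplied IP set has grown beyond the zone modelled in the compliance matrix and the object should be re-evaluated.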

tpurschke commented 1 month ago

Could you also add sample results for the two API calls?