Beschreibung: Mit dem folgenden Add-in-Skript können Sie festlegen, welche Dienste von der Unified Firewall gefiltert werden. Liste der verwendeten Variablen: Add-In in Code:
exports.main = function (config, context) { // Function to create VRRP Entry var addVRRPEntry = function (routerID, routerIP, mainPrio, backupPrio, remoteSite, comment) { var table1_2_8_21_2 = config.getTableByOid("1.2.8.21.2"); var table_1_2_8_21_2_row_1 = table1_2_8_21_2.createNewRow(); table_1_2_8_21_2_row_1.setByOid(1, routerID); table_1_2_8_21_2_row_1.setByOid(2, routerIP); table_1_2_8_21_2_row_1.setByOid(3, mainPrio); table_1_2_8_21_2_row_1.setByOid(4, backupPrio); table_1_2_8_21_2_row_1.setByOid(5, remoteSite); table_1_2_8_21_2_row_1.setByOid(6, comment); table1_2_8_21_2.addOrMerge(table_1_2_8_21_2_row_1); }; // If Statement to only create VRRP Entry, if device has the variable VRRP_Prio if (context.vars.VRRP_PRIO != "") { config.setScalarByOid("1.2.8.21.1", "1"); // Function Call to create a new Entry addVRRPEntry("1", "10.10.10.254", context.vars.VRRP_PRIO, "0", "INTERNET", ""); } }; |
Addin als JSON-Datei: {
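// Firmware version of the target device; the builders further down
// (desktopConnection, service) pick the request shape by its major/minor.
var fwVersion = context.device.firmwareVersionObject;
// Unified Firewall API handle used for every lookup and create call below.
var ufApi = config.getUfApi();
var networkName = context.network.name;
// NAT setting handed to every generated rule.
var nat = "left";
// Extra allow rules ("Freigaben") for this network. Boolean keys select the
// predefined services listed in serviceMap; "tcp"/"udp" hold single ports or
// portRange() results that are merged into one userdefined service.
var freigaben = {
  mail: true,
  ping: true,
  ssh: true,
  telnet: false,
  ipsec: true,
  dns: false,
  tcp: [
    8080,
    portRange(400, 500)
  ],
  udp: [
    234
  ]
};
// Predefined firewall services enabled by each boolean key of freigaben.
// A key without an entry here (e.g. telnet) only produces a warning when it
// is set to true. Note that ping uses action "both" while every other rule
// is "leftToRight". All entries are looked up eagerly, even unused ones.
var serviceMap = {
  mail: [
    predefinedService("internet.imap4s", nat, "leftToRight"),
    predefinedService("internet.smtpsubmission", nat, "leftToRight"),
    predefinedService("internet.smtps", nat, "leftToRight"),
    predefinedService("internet.pop3s", nat, "leftToRight")
  ],
  ping: [
    predefinedService("standard.ping", nat, "both")
  ],
  ssh: [
    predefinedService("standard.ssh", nat, "leftToRight")
  ],
  ipsec: [
    predefinedService("vpn.ipsec", nat, "leftToRight")
  ],
  dns: [
    predefinedService("standard.dns", nat, "leftToRight")
  ]
};
// Tolerate a missing or malformed port list instead of failing on .length.
freigaben.udp = Array.isArray(freigaben.udp) ? freigaben.udp : [];
freigaben.tcp = Array.isArray(freigaben.tcp) ? freigaben.tcp : [];

// True when `port` is an integer within 1..65535. NaN (from an unparsable
// string) and out-of-range values are rejected here so that a broken entry
// is logged instead of being sent to the firewall as a rule.
function isValidPort(port) {
  return typeof port === "number" && port % 1 === 0 && port >= 1 && port <= 65535;
}

// Build one userdefined-service item per tcp/udp entry of freigaben.
var services = [];
var serviceItem, proto, ports, i, j, portNumber;
var protos = ["tcp", "udp"];
for (i = 0; i < protos.length; i++) {
  proto = protos[i];
  for (j = 0; j < freigaben[proto].length; j++) {
    ports = freigaben[proto][j];
    serviceItem = {
      noproxy: true,
      protocol: proto,
      portfrom: 0,
      portto: 0
    };
    if (typeof ports === "number" || typeof ports === "string") {
      // Single port; a string is accepted so "443" behaves like 443.
      portNumber = parseInt(String(ports), 10);
      serviceItem.portfrom = portNumber;
      serviceItem.portto = portNumber;
    } else if (ports !== null && typeof ports === "object"
        && Object.prototype.hasOwnProperty.call(ports, "portfrom")
        && Object.prototype.hasOwnProperty.call(ports, "portto")) {
      // Range object as returned by portRange(); the null check avoids a
      // TypeError, since typeof null is also "object".
      serviceItem.portfrom = ports.portfrom;
      serviceItem.portto = ports.portto;
    } else {
      config.warnLog("Ungültiger " + proto + "-Eintrag in freigaben übersprungen: " + String(ports));
      continue;
    }
    // Validate before the entry becomes part of a firewall rule.
    if (!isValidPort(serviceItem.portfrom) || !isValidPort(serviceItem.portto)
        || serviceItem.portfrom > serviceItem.portto) {
      config.warnLog("Ungültiger " + proto + "-Portbereich " + serviceItem.portfrom + "-" + serviceItem.portto + " übersprungen.");
      continue;
    }
    services.push(serviceItem);
  }
}

var extraRules = [];
if (services.length) {
  var extraServiceName = "Zusatz-Freigaben fuer " + networkName;
  // The service object has to exist before userdefinedService() can look it
  // up by name. NOTE(review): what createObject does when an object of this
  // name already exists (re-run of the add-in) is not visible here — confirm.
  ufApi.createObject('userdefined-services', {
    name: extraServiceName,
    userdefined: true,
    services: services
  });
  extraRules.push(userdefinedService(extraServiceName, nat, "leftToRight"));
}

// Collect the predefined-service rules for every boolean key set to true.
var keys = Object.keys(freigaben);
var serviceKey, rules;
for (i = 0; i < keys.length; i++) {
  serviceKey = keys[i];
  if (serviceKey === "tcp" || serviceKey === "udp" || !freigaben[serviceKey]) {
    continue;
  }
  rules = serviceMap[serviceKey];
  if (!rules || !rules.length) {
    config.warnLog("Konnte keine Regeln für Dienst '" + serviceKey + "' bestimmen.");
    continue;
  }
  for (j = 0; j < rules.length; j++) {
    extraRules.push(rules[j]);
  }
}
if (!extraRules.length) {
  config.infoLog("Keine Extra-Freigaben");
  return;
}

// Desktop object for the local network (same ipv4/interface as the existing
// network object of that name) that carries the extra rules towards "WAN".
var desktopObjName = "Lokale Extras " + networkName;
ufApi.raw({
  method: 'POST',
  uri: '/model/networks',
  body: network(
    ufApi.lookupField('networks', 'ipv4', { name: networkName }),
    ufApi.lookupField('networks', 'interface', { name: networkName }),
    desktopObjName
  ),
  // NOTE(review): a failed POST is not reported here; the lookup by
  // desktopObjName in the next call is the only place it would surface —
  // confirm how ufApi.lookup behaves for a missing object.
  failOnError: false
});
ufApi.raw({
  method: 'POST',
  uri: '/model/desktop-connections/',
  body: desktopConnection(
    ufApi.lookup('networks', { name: desktopObjName }),
    ufApi.lookup('internet', { name: "WAN" }),
    extraRules
  ),
  failOnError: false
});

// The same rule set for the remote side: a VPN group that copies the items of
// the existing "Branch Site Networks for <network>" group, connected to "WAN".
var remoteDesktopObjName = "Remote Extras " + networkName;
ufApi.raw({
  method: 'POST',
  uri: '/model/vpngroups',
  body: vpnGroup(
    ufApi.lookupField('vpngroups', 'vpngroupobjectitems', { name: "Branch Site Networks for " + networkName }),
    remoteDesktopObjName
  ),
  failOnError: false
});
ufApi.raw({
  method: 'POST',
  uri: '/model/desktop-connections/',
  body: desktopConnection(
    ufApi.lookup('vpngroups', { name: remoteDesktopObjName }),
    ufApi.lookup('internet', { name: "WAN" }),
    extraRules
  ),
  failOnError: false
});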
// Request body for a Unified Firewall "vpngroup" desktop object.
// items: vpngroupobjectitems copied from an existing group; name: display name.
function vpnGroup(items, name) {
  var desktopObject = {
    type: "vpngroup",
    icon: "vpn-network",
    name: name,
    vpngroupobjectitems: items,
    description: "",
    tags: []
  };
  // Fixed desktop placement and colour, identical to the network() builder.
  desktopObject.top = 111;
  desktopObject.left = 222;
  desktopObject.layer = 0;
  desktopObject.color = 7891540;
  return desktopObject;
}
// Request body for a Unified Firewall "network" desktop object.
// ip/iface: ipv4 and interface values of the existing network; name: display name.
function network(ip, iface, name) {
  var desktopObject = {
    type: "network",
    icon: "network",
    name: name,
    ipv4: ip,
    interface: iface,
    description: "",
    tags: []
  };
  // Fixed desktop placement and colour, identical to the vpnGroup() builder.
  desktopObject.top = 111;
  desktopObject.left = 222;
  desktopObject.layer = 0;
  desktopObject.color = 7891540;
  // Login, IDPS and AV exemptions are all left switched off.
  desktopObject.nologin = false;
  desktopObject.exemptFromIdps = false;
  desktopObject.exemptFromAv = false;
  return desktopObject;
}
// Request body for a desktop connection between two desktop objects.
// obja/objb: uniqueIds from ufApi.lookup; rules: service rule objects.
function desktopConnection(obja, objb, rules) {
  // Firmware 10.8+ (major 10 only; other majors get the legacy shape) uses the
  // camel-cased trafficShaping object instead of the trafficshaping array.
  var usesTrafficShapingObject = fwVersion.major === 10 && fwVersion.minor >= 8;
  var connection = {
    obja: obja,
    objb: objb,
    rules: rules,
    description: "",
    color: 1562591,
    blockall: false,
    appfilterRoutingProfiles: [],
    webfiltersettings: [],
    applicationfilter: { mode: "off", activeprofiles: [] },
    // Fixed line/rule points for the desktop drawing.
    points: [
      { x: 1350, type: "linepoint", y: 222 },
      { x: 1350, type: "rulepoint", y: 282 },
      { x: 1320, type: "linepoint", y: 338 }
    ]
  };
  if (usesTrafficShapingObject) {
    connection.trafficShaping = { trafficGroup: "", outgoingDscp: null };
  } else {
    connection.trafficshaping = [];
  }
  return connection;
}
// Rule for a userdefined service looked up by name; the rule is marked
// editable (fourth argument of service()).
function userdefinedService(serviceName, natactive, action) {
  var uniqueId = ufApi.lookup("userdefined-services", { name: serviceName });
  return service(uniqueId, natactive, action, true);
}
// Rule for a predefined service looked up by name; the rule is marked
// non-editable (fourth argument of service()).
function predefinedService(serviceName, natactive, action) {
  var uniqueId = ufApi.lookup("predefined-services", { name: serviceName });
  return service(uniqueId, natactive, action, false);
}
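// Rule object for a desktop connection.
// lookup: uniqueId of the service; natactive: NAT side; action: direction
// string ("leftToRight"/"both"); editable: whether the rule may be edited.
// Rule hits are not logged (`log: false`) — enable this if per-rule
// visibility of the extra allow rules is needed for monitoring.
function service(lookup, natactive, action, editable) {
  // One "always on" time range per weekday 0..6, so the rule is never
  // restricted by time of day; this replaces seven copy-pasted literals.
  var timeranges = [];
  for (var weekday = 0; weekday < 7; weekday++) {
    timeranges.push({
      endweekday: weekday,
      repeattype: "weekly",
      endtime: "23:59:59",
      starttime: "00:00:00",
      startweekday: weekday
    });
  }
  var serviceDefinition = {
    uniqueId: lookup,
    dmz: false,
    natactive: natactive,
    editable: editable,
    timeranges: timeranges,
    action: action,
    trafficshaping: [],
    log: false,
    applicationfilter: { useconnection: true, activeprofiles: [] }
  };
  // Version-dependent fields; only major 10 is handled, other majors keep
  // the legacy shape.
  if (fwVersion.major === 10 && fwVersion.minor >= 7) {
    serviceDefinition.useConnection = false;
  }
  if (fwVersion.major === 10 && fwVersion.minor >= 8) {
    delete serviceDefinition.trafficshaping;
    serviceDefinition.useConnectionTrafficShaping = false;
    serviceDefinition.trafficShaping = { trafficGroup: "", outgoingDscp: null };
  }
  return serviceDefinition;
}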
// Normalise two port values into either a single port (number) or a
// { portfrom, portto } range with the lower port first. A missing, zero or
// equal upper bound collapses to the single lower port.
function portRange(a, b) {
  var first = parseInt(String(a), 10);
  var second = parseInt(String(b), 10);
  if (first === second || !second) {
    return first;
  }
  // Swap via recursion so the range always runs from low to high.
  return second < first
    ? portRange(second, first)
    : { portfrom: first, portto: second };
}
};
name | uf-portfilter.json |