From 3c17bb66faf37a3c0bd513f6a3e167649b58b11e Mon Sep 17 00:00:00 2001
From: pro100ton
Date: Sun, 19 Jan 2025 16:28:43 +0300
Subject: [PATCH] FTD schemes update
---
 drawings/cisco_ftd/ftd_any_any_rules.puml | 41 ++++
 .../ftd_incoming_outgoing_rules.puml | 40 ++++
 drawings/cisco_ftd/ftd_rule_scheme.puml | 33 +++
 drawings/cisco_ftd/ftd_rules.puml | 203 ++++++++++++------
 .../ftd_rules_downloader_service.puml | 51 +++++
 drawings/cisco_ftd/schemes_setup.wsd | 31 +++
 6 files changed, 335 insertions(+), 64 deletions(-)
 create mode 100644 drawings/cisco_ftd/ftd_any_any_rules.puml
 create mode 100644 drawings/cisco_ftd/ftd_incoming_outgoing_rules.puml
 create mode 100644 drawings/cisco_ftd/ftd_rule_scheme.puml
 create mode 100644 drawings/cisco_ftd/ftd_rules_downloader_service.puml
 create mode 100644 drawings/cisco_ftd/schemes_setup.wsd
diff --git a/drawings/cisco_ftd/ftd_any_any_rules.puml b/drawings/cisco_ftd/ftd_any_any_rules.puml
new file mode 100644
index 0000000..516e23f
--- /dev/null
+++ b/drawings/cisco_ftd/ftd_any_any_rules.puml
@@ -0,0 +1,41 @@
+
+@startuml
+Title Алгоритм поиска ANY-ANY правил Cisco FTD
+
+!define DZ destination_zone
+!define SZ source_zone
+!define NOT_VALID #pink:Правило не относится входящим/исходящим;
+
+start
+:Получаем правило Cisco FTD;
+:Смотрим на такие поля как:
+- SZ
+- DZ;
+if (SZ, DZ пустые?) then (Да)
+ :Значит у SZ и DZ
+ стоят значение any;
+ :Правило двунаправленное;
+ NOT_VALID
+ stop
+else (Нет)
+ switch (Проверка SZ и DZ на следующие кейсы)
+ case ( SZ пустое\n DZ не пустое)
+ #palegreen:Правило является входящим;
+ stop
+ case ( SZ не пустое\n DZ пустое)
+ #palegreen:Правило является исходящим;
+ stop
+ case ( SZ не пустое\n DZ не пустое)
+ if (SZ == DZ) then (Да)
+ :Правило двунаправленное;
+ NOT_VALID
+ stop
+ else (Нет)
+ :Правило также возможно\nдвунаправленное;
+ NOT_VALID
+ stop
+ endif
+ endswitch
+endif
+
+@enduml
\ No newline at end of file
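Review bot: Apart from the Title line and a leading blank line, this flow is byte-for-byte the same as the new ftd_incoming_outgoing_rules.puml in the next hunk, so the ANY-ANY diagram currently documents the incoming/outgoing classification rather than an any-any search. If the any-any case is only the `if (SZ, DZ пустые?)` branch, the rest of the switch does not belong in this file; if both diagrams are meant to share the flow, keep the steps in one file and `!include` it, as ftd_rules.puml already does with `./schemes_setup.wsd`. The `case ( SZ не пустое\n DZ не пустое)` branch with SZ != DZ is labelled "возможно двунаправленное" and discarded as NOT_VALID, yet an FTD access rule with two distinct zones matches traffic from SZ to DZ, so any audit built on this classification would skip every explicitly zoned rule; worth confirming that this is intended. The NOT_VALID text also reads better as `Правило не относится к входящим/исходящим`.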
diff --git a/drawings/cisco_ftd/ftd_incoming_outgoing_rules.puml b/drawings/cisco_ftd/ftd_incoming_outgoing_rules.puml
new file mode 100644
index 0000000..fe5a2d0
--- /dev/null
+++ b/drawings/cisco_ftd/ftd_incoming_outgoing_rules.puml
@@ -0,0 +1,40 @@
+@startuml
+Title Алгоритм поиска входящих/исходящих правил Cisco FTD
+
+!define DZ destination_zone
+!define SZ source_zone
+!define NOT_VALID #pink:Правило не относится входящим/исходящим;
+
+start
+:Получаем правило Cisco FTD;
+:Смотрим на такие поля как:
+- SZ
+- DZ;
+if (SZ, DZ пустые?) then (Да)
+ :Значит у SZ и DZ
+ стоят значение any;
+ :Правило двунаправленное;
+ NOT_VALID
+ stop
+else (Нет)
+ switch (Проверка SZ и DZ на следующие кейсы)
+ case ( SZ пустое\n DZ не пустое)
+ #palegreen:Правило является входящим;
+ stop
+ case ( SZ не пустое\n DZ пустое)
+ #palegreen:Правило является исходящим;
+ stop
+ case ( SZ не пустое\n DZ не пустое)
+ if (SZ == DZ) then (Да)
+ :Правило двунаправленное;
+ NOT_VALID
+ stop
+ else (Нет)
+ :Правило также возможно\nдвунаправленное;
+ NOT_VALID
+ stop
+ endif
+ endswitch
+endif
+
+@enduml
\ No newline at end of file
diff --git a/drawings/cisco_ftd/ftd_rule_scheme.puml b/drawings/cisco_ftd/ftd_rule_scheme.puml
new file mode 100644
index 0000000..b497e12
--- /dev/null
+++ b/drawings/cisco_ftd/ftd_rule_scheme.puml
@@ -0,0 +1,33 @@
+@startuml
+
+!include ./schemes_setup.wsd
+
+$table("CiscoFTDRuleModel", "CiscoFTDRuleModel") {
+ $pk("id") INTEGER NOT NULL
+ $column("action") VARCHAR
+ $column("name") VARCHAR
+ $column("position") VARCHAR
+ $column("rule_hits") VARCHAR
+ $column("safe_search") VARCHAR
+ $column("variable_set") VARCHAR
+}
+
+$table("CiscoFTDApplicationModel","CiscoFTDApplicationModel") {
+ $pk("id") INTEGER NOT NULL
+ $fk("rule_id") INTEGER NOT NULL
+ $column("name") VARCHAR
+ $column("port") VARCHAR
+}
+CiscoFTDApplicationModel::rule_id }o--|| CiscoFTDRuleModel::id
+
+$table("CiscoFTDLoggingModel","CiscoFTDLoggingModel") {
+ $pk("id") INTEGER NOT NULL
+ $fk("rule_id") INTEGER NOT NULL
+ $column("device_connector_beginning") BOOLEAN
+ $column("device_connector_end") BOOLEAN
+ $column("device_connector_files") BOOLEAN
+ $column("enabled") BOOLEAN
+}
+CiscoFTDLoggingModel::rule_id }o--|| CiscoFTDRuleModel::id
+
+@enduml
\ No newline at end of file
diff --git a/drawings/cisco_ftd/ftd_rules.puml b/drawings/cisco_ftd/ftd_rules.puml
index 9dc7482..43e8341 100644
--- a/drawings/cisco_ftd/ftd_rules.puml
+++ b/drawings/cisco_ftd/ftd_rules.puml
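Review bot: The column types in CiscoFTDRuleModel disagree with the pydantic scheme added to ftd_rules.puml in this same commit: `position`, `rule_hits` and `safe_search` are `VARCHAR` here but `int`, `int` and `bool` there. If the ORM really persists them as text, a comment at the table, e.g. `' position/rule_hits/safe_search are stored as text; compare CiscoFTDPolicyPyModel`, would stop readers from reading the diagram as a typo; otherwise the three lines should read `$column("position") INTEGER`, `$column("rule_hits") INTEGER`, `$column("safe_search") BOOLEAN`. Likewise `$column("port") VARCHAR` on CiscoFTDApplicationModel flattens what the pydantic side models as either a single value or a start/end range, and the table gives no hint of the encoding used for the range form.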
@@ -1,74 +1,149 @@ @startuml -package time_range { +!include ./schemes_setup.wsd -} -package eff_start_dt { +Title Cisco FTD pydantic rule scheme -} -package eff_end_dt { - -} -package start_time { - -} -package end_time { - -} -package days { - -} -package source_networks { - -} -package destination_zones { - -} - -package source_zones { - -} -package source_ise_metadata { - -} -package action { - -} -package position { - -} - -package name { +class CiscoFTDPolicyPyModel { + action : str + applications : Optional[List] + destination_networks : Optional[List] + destination_ports : Optional[List] + destination_zones : Optional[List] + logging : Optional[] + name : str + position : int + rule_hits : int + safe_search : bool + source_networks : Optional[List] + source_ports : Optional[List] + source_zones : Optional[List] + time_range : Optional[] + url_entries : Optional[List] + usernames : Optional[List] + variable_set : str } -map CiscoFTDRule { - name *-> name - position *-> position - action *-> action - source_ise_metadata *-> source_ise_metadata - source_zones *-> source_zones - destination_zones *-> destination_zones - source_networks *-> source_networks - destination_networks => - source_ports => - destination_ports => - application => - username => - urls => - dc => - beginning => - end => - files => - safe_search => - rule_hits => - variable_set => - time_range *-> time_range - eff_start_dt *-> eff_start_dt - eff_end_dt *-> eff_end_dt - start_time *-> start_time - end_time *-> end_time - days *-> days + +class CiscoFTDLoggingModel { + device_connector_beginning : bool + device_connector_end : bool + device_connector_files : bool + enabled : bool +} +CiscoFTDPolicyPyModel::logging o-- CiscoFTDLoggingModel + +class CiscoFTDZonePyModel { + name : str +} +CiscoFTDPolicyPyModel::source_zones o-- CiscoFTDZonePyModel +CiscoFTDPolicyPyModel::destination_zones o-- CiscoFTDZonePyModel + +class CiscoFTDURLEntryPyModel { + name : str + url : str +} 
+CiscoFTDPolicyPyModel::url_entries o-- CiscoFTDURLEntryPyModel + +class CiscoFTDUsernamePyModel { + username : str +} +CiscoFTDPolicyPyModel::usernames o-- CiscoFTDUsernamePyModel + +package ports { + class CiscoFTDPortPyModel { + name : str + port : Union[] + protocol : int + } + CiscoFTDPolicyPyModel::source_ports o-- CiscoFTDPortPyModel + CiscoFTDPolicyPyModel::destination_ports o-- CiscoFTDPortPyModel + + class CiscoFTDPortSingleValuePyModel { + value : int + } + CiscoFTDPortPyModel::port o-- CiscoFTDPortSingleValuePyModel + + class CiscoFTDPortRangeValuePyModel { + end : int + start : int + } + CiscoFTDPortPyModel::port o-- CiscoFTDPortRangeValuePyModel + + } +package time_range{ + class CiscoFTDTimeRangePyModel { + eff_end_datetime : Optional[str] + eff_start_datetime : Optional[str] + name : str + time_range : Union[] + time_range_type + } + CiscoFTDPolicyPyModel::time_range o-- CiscoFTDTimeRangePyModel + + class CiscoFTDTimeRangeRangeIntervalPyModel { + end_day : Optional[str] + end_time : Optional[str] + start_day : Optional[str] + start_time : Optional[str] + } + CiscoFTDTimeRangeRangeIntervalPyModel o-- CiscoFTDTimeRangePyModel::time_range + + class CiscoFTDTimeRangeDailyIntervalPyModel { + days : Optional[str] + end_time : Optional[str] + start_time : Optional[str] + } + CiscoFTDTimeRangeDailyIntervalPyModel o-- CiscoFTDTimeRangePyModel::time_range +} + +package source_destinations { + + class CiscoFTDNetworkRootPyModel { + name : str + object_type: Enum + } + CiscoFTDPolicyPyModel::source_networks o-- CiscoFTDNetworkRootPyModel + CiscoFTDPolicyPyModel::destination_networks o-- CiscoFTDNetworkRootPyModel + + class CiscoFTDNetworkCountriesGroupPyModel { + countries_count : int + } + CiscoFTDNetworkRootPyModel <|-- CiscoFTDNetworkCountriesGroupPyModel + + class CiscoFTDNetworkCountryPyModel { + } + CiscoFTDNetworkRootPyModel <|-- CiscoFTDNetworkCountryPyModel + + class CiscoFTDNetworkFQDNObjectPyModel { + fqdn_address : str + } + 
CiscoFTDNetworkRootPyModel <|-- CiscoFTDNetworkFQDNObjectPyModel + + class CiscoFTDNetworkGroupPyModel { + } + CiscoFTDNetworkRootPyModel <|-- CiscoFTDNetworkGroupPyModel + + class CiscoFTDNetworkIPv4NetworkPyModel { + address : str + netmask : Optional[int] + } + CiscoFTDNetworkRootPyModel <|-- CiscoFTDNetworkIPv4NetworkPyModel + + class CiscoFTDNetworkIPv6NetworkPyModel { + address : str + prefix_length : Optional[int] + } + CiscoFTDNetworkRootPyModel <|-- CiscoFTDNetworkIPv6NetworkPyModel + + class CiscoFTDNetworkRangePyModel { + end_address : str + start_address : str + } + CiscoFTDNetworkRootPyModel <|-- CiscoFTDNetworkRangePyModel +} + @enduml \ No newline at end of file diff --git a/drawings/cisco_ftd/ftd_rules_downloader_service.puml b/drawings/cisco_ftd/ftd_rules_downloader_service.puml new file mode 100644 index 0000000..fe90c3a --- /dev/null +++ b/drawings/cisco_ftd/ftd_rules_downloader_service.puml 
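Review bot: Several fields in the new class diagram carry empty or missing type parameters — `logging : Optional[]`, `time_range : Optional[]`, `port : Union[]`, `time_range : Union[]` in CiscoFTDTimeRangePyModel, and `time_range_type` with no type at all — so the reader has to recover the types from the arrows. Since the relations already name the targets, spelling them out (`logging : Optional[CiscoFTDLoggingModel]`, `port : Union[CiscoFTDPortSingleValuePyModel, CiscoFTDPortRangeValuePyModel]`) keeps each class box self-contained. The two time-range relations are also drawn in the opposite direction from every other aggregation in the file: `CiscoFTDTimeRangeRangeIntervalPyModel o-- CiscoFTDTimeRangePyModel::time_range` puts the diamond on the interval, whereas `CiscoFTDPortPyModel::port o-- CiscoFTDPortSingleValuePyModel` puts it on the owner, so they should read `CiscoFTDTimeRangePyModel::time_range o-- CiscoFTDTimeRangeRangeIntervalPyModel` (and the same for the daily interval). `object_type: Enum` on CiscoFTDNetworkRootPyModel deviates from the `name : type` spacing used everywhere else and does not list the enum members, which is the one piece of information a reader of a network-object model needs most.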
@@ -0,0 +1,51 @@
+@startuml
+class InitServiceMixin {
+ firewall
+ services_classes : dict
+}
+
+class RulesDownloaderService {
+ services_classes : dict
+ get_all_rules()
+ remove_oldest_objects()
+}
+
+RulesDownloaderService --|> InitServiceMixin
+package "CISCO firewalls downloaders" {
+class CiscoFTDDownloaderService {
+ CLASS_NAME : str
+ cisco_ftd
+ create_rule(rule: CiscoFTDPolicyPyModel) -> Optional[Rule]
+ download_rules_from_firewall() -> List[dict]
+ load_rules_to_database(rules: List[CiscoFTDPolicyPyModel]) -> List[Rule]
+}
+CiscoFTDDownloaderService --* RulesDownloaderService
+
+
+class CiscoDownloaderService {
+ all_objects_by_context : dict
+ create_rule(rule: models.CiscoRule) -> Rule
+ download_rules_from_firewall() -> List[dict]
+ get_action(rule: models.CiscoRule) -> str
+ get_context(rule: models.CiscoRule) -> str
+ get_description(rule: models.CiscoRule) -> str
+ get_destinations(rule: models.CiscoRule) -> List[NetworkObject]
+ get_enabled(rule: models.CiscoRule) -> bool
+ get_logging(rule: models.CiscoRule) -> Optional[Logging]
+ get_name(rule: models.CiscoRule) -> str
+ get_parsed_data(rule: models.CiscoRule) -> dict
+ get_path_to_rule(rule: models.CiscoRule) -> dict
+ get_policy_name(rule: models.CiscoRule) -> str
+ get_position(rule: models.CiscoRule) -> int
+ get_rule_id(rule: models.CiscoRule) -> str
+ get_services(rule: models.CiscoRule) -> List
+ get_sources(rule: models.CiscoRule) -> List[NetworkObject]
+ get_times(rule: models.CiscoRule) -> List[Time]
+ get_users(rule: models.CiscoRule) -> List[User]
+ load_rules_to_database(rules: List[dict]) -> List[Rule]
+}
+}
+
+CiscoDownloaderService --* RulesDownloaderService
+
+@enduml
\ No newline at end of file
diff --git a/drawings/cisco_ftd/schemes_setup.wsd b/drawings/cisco_ftd/schemes_setup.wsd
new file mode 100644
index 0000000..c301ac7
--- /dev/null
+++ b/drawings/cisco_ftd/schemes_setup.wsd
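Review bot: `create_rule(rule: CiscoFTDPolicyPyModel) -> Optional[Rule]` on CiscoFTDDownloaderService can yield None while the sibling `create_rule(rule: models.CiscoRule) -> Rule` on CiscoDownloaderService cannot, and the diagram does not say under which condition an FTD rule is dropped; for a service whose job is to load firewall rules into the database, silently skipped rules are exactly what a later review of the rule base would never see, so the case deserves a note on the class, e.g. `note right of CiscoFTDDownloaderService : create_rule returns None when <condition - TODO confirm from source>`. The two services also take different inputs to `load_rules_to_database` (`List[CiscoFTDPolicyPyModel]` versus `List[dict]`), which is fine if deliberate but is worth one line explaining that FTD rules are validated into pydantic models before loading, if that is the reason. As a point of style, the members of the two classes inside `package "CISCO firewalls downloaders"` are not indented, unlike the classes inside the packages of ftd_rules.puml in this commit.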
@@ -0,0 +1,31 @@
+@startuml
+hide empty methods
+
+!procedure $table($name, $slug)
+entity "$name" as $slug << (T, Orange) table >>
+!endprocedure
+
+!procedure $type($name, $slug)
+entity "$name" as $slug << (E, Cyan) type (enum) >>
+!endprocedure
+
+!procedure $pk($name)
+<&key> $name:
+!endprocedure
+
+!procedure $enum_link($name)
+<&tag> $name:
+!endprocedure
+
+!procedure $fk($name)
+<&key> $name:
+!endprocedure
+
+!procedure $column($name)
+{field} <&chevron-right> $name:
+!endprocedure
+
+!procedure $enum_field($name)
+{field} <&chevron-right> $name
+!endprocedure
+@enduml
\ No newline at end of file
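Review bot: `$pk` and `$fk` both emit `<&key> $name:`, so primary and foreign keys are indistinguishable in the rendered tables of ftd_rule_scheme.puml, which defeats the purpose of having two procedures. Giving the foreign key its own icon, e.g. `<&link-intact> $name:` in `$fk`, or a stereotype on the field, restores the distinction. `$enum_field` omits the trailing colon that `$column` emits, so enum members render without the type separator; that is fine if they never carry a type, but a comment such as `' enum members carry no type, hence no trailing colon` would make it deliberate. `$type`, `$enum_link` and `$enum_field` are not used by any diagram in this commit; if they are reserved for future enum tables, a one-line comment at the top of the file saying so would save the next reader from hunting for callers.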