FTD schemes update

2025-01-19 16:28:43 +03:00 · 2025-01-19 16:28:43 +03:00 · 3c17bb66fa
commit 3c17bb66fa
parent 000719166f
6 changed files with 335 additions and 64 deletions
--- a/drawings/cisco_ftd/ftd_any_any_rules.puml
+++ b/drawings/cisco_ftd/ftd_any_any_rules.puml
@ -0,0 +1,41 @@
+
+@startuml
+Title Алгоритм поиска ANY-ANY правил Cisco FTD
+
+!define DZ <font color=green>destination_zone</font> 
+!define SZ <font color=blue>source_zone</font> 
+!define NOT_VALID #pink:Правило <b>не</b> относится входящим/исходящим;
+
+start
+:Получаем правило Cisco FTD;
+:Смотрим на такие поля как:
+- SZ
+- DZ;
+if (SZ, DZ пустые?) then (Да)
+    :Значит у SZ и DZ
+    стоят значение any;
+    :Правило двунаправленное;
+    NOT_VALID
+    stop
+else (Нет)
+    switch (Проверка SZ и DZ на следующие кейсы) 
+    case ( SZ пустое\n DZ не пустое) 
+        #palegreen:Правило является входящим;
+        stop
+    case ( SZ не пустое\n DZ пустое) 
+        #palegreen:Правило является исходящим;
+        stop
+    case ( SZ не пустое\n DZ не пустое) 
+        if (SZ == DZ) then (Да)
+            :Правило двунаправленное;
+            NOT_VALID
+            stop
+        else (Нет)
+            :Правило также возможно\nдвунаправленное;
+            NOT_VALID
+            stop
+        endif
+    endswitch
+endif
+
+@enduml
--- a/drawings/cisco_ftd/ftd_incoming_outgoing_rules.puml
+++ b/drawings/cisco_ftd/ftd_incoming_outgoing_rules.puml
@ -0,0 +1,40 @@
+@startuml
+Title Алгоритм поиска входящих/исходящих правил Cisco FTD
+
+!define DZ <font color=green>destination_zone</font> 
+!define SZ <font color=blue>source_zone</font> 
+!define NOT_VALID #pink:Правило <b>не</b> относится входящим/исходящим;
+
+start
+:Получаем правило Cisco FTD;
+:Смотрим на такие поля как:
+- SZ
+- DZ;
+if (SZ, DZ пустые?) then (Да)
+    :Значит у SZ и DZ
+    стоят значение any;
+    :Правило двунаправленное;
+    NOT_VALID
+    stop
+else (Нет)
+    switch (Проверка SZ и DZ на следующие кейсы) 
+    case ( SZ пустое\n DZ не пустое) 
+        #palegreen:Правило является входящим;
+        stop
+    case ( SZ не пустое\n DZ пустое) 
+        #palegreen:Правило является исходящим;
+        stop
+    case ( SZ не пустое\n DZ не пустое) 
+        if (SZ == DZ) then (Да)
+            :Правило двунаправленное;
+            NOT_VALID
+            stop
+        else (Нет)
+            :Правило также возможно\nдвунаправленное;
+            NOT_VALID
+            stop
+        endif
+    endswitch
+endif
+
+@enduml
--- a/drawings/cisco_ftd/ftd_rule_scheme.puml
+++ b/drawings/cisco_ftd/ftd_rule_scheme.puml
@ -0,0 +1,33 @@
+@startuml
+
+!include ./schemes_setup.wsd
+
+$table("CiscoFTDRuleModel", "CiscoFTDRuleModel") {
+    $pk("id") INTEGER NOT NULL
+    $column("action") VARCHAR
+    $column("name") VARCHAR
+    $column("position") VARCHAR
+    $column("rule_hits") VARCHAR
+    $column("safe_search") VARCHAR
+    $column("variable_set") VARCHAR
+}
+
+$table("CiscoFTDApplicationModel","CiscoFTDApplicationModel")   {
+    $pk("id") INTEGER NOT NULL
+    $fk("rule_id") INTEGER NOT NULL
+    $column("name") VARCHAR
+    $column("port") VARCHAR
+}
+CiscoFTDApplicationModel::rule_id }o--|| CiscoFTDRuleModel::id
+
+$table("CiscoFTDLoggingModel","CiscoFTDLoggingModel")   {
+    $pk("id") INTEGER NOT NULL
+    $fk("rule_id") INTEGER NOT NULL
+    $column("device_connector_beginning") BOOLEAN
+    $column("device_connector_end") BOOLEAN
+    $column("device_connector_files") BOOLEAN
+    $column("enabled") BOOLEAN
+}
+CiscoFTDLoggingModel::rule_id }o--|| CiscoFTDRuleModel::id
+
+@enduml
--- a/drawings/cisco_ftd/ftd_rules.puml
+++ b/drawings/cisco_ftd/ftd_rules.puml
@ -1,74 +1,149 @@
@startuml 
-package time_range {
+!include ./schemes_setup.wsd

-}
-package eff_start_dt {
+Title Cisco FTD pydantic rule scheme

-}
-package eff_end_dt {
-
-}
-package start_time {
-
-}
-package end_time {
-
-}
-package days {
-
-}
-package source_networks {
-
-}
-package destination_zones {
-
-}
-
-package source_zones {
-
-}
-package source_ise_metadata {
-
-}
-package action {
-
-}
-package position {
-
-}
-
-package name {
+class CiscoFTDPolicyPyModel {
+    action : str
+    applications : Optional[List]
+    destination_networks : Optional[List]
+    destination_ports : Optional[List]
+    destination_zones : Optional[List]
+    logging : Optional[]
+    name : str
+    position : int
+    rule_hits : int
+    safe_search : bool
+    source_networks : Optional[List]
+    source_ports : Optional[List]
+    source_zones : Optional[List]
+    time_range : Optional[]
+    url_entries : Optional[List]
+    usernames : Optional[List]
+    variable_set : str
 }


-map CiscoFTDRule {
-    name *-> name
-    position *-> position
-    action *-> action
-    source_ise_metadata *-> source_ise_metadata
-    source_zones *-> source_zones
-    destination_zones *-> destination_zones
-    source_networks *-> source_networks
-    destination_networks =>
-    source_ports =>
-    destination_ports =>
-    application =>
-    username =>
-    urls =>
-    dc =>
-    beginning =>
-    end =>
-    files =>
-    safe_search =>
-    rule_hits =>
-    variable_set =>
-    time_range *-> time_range
-    eff_start_dt *-> eff_start_dt
-    eff_end_dt *-> eff_end_dt
-    start_time *-> start_time
-    end_time *-> end_time
-    days *-> days
+
+class CiscoFTDLoggingModel {
+    device_connector_beginning : bool
+    device_connector_end : bool
+    device_connector_files : bool
+    enabled : bool
+}
+CiscoFTDPolicyPyModel::logging o-- CiscoFTDLoggingModel
+
+class CiscoFTDZonePyModel {
+  name : str
+}
+CiscoFTDPolicyPyModel::source_zones o-- CiscoFTDZonePyModel
+CiscoFTDPolicyPyModel::destination_zones o-- CiscoFTDZonePyModel
+
+class CiscoFTDURLEntryPyModel {
+  name : str
+  url : str
+}
+CiscoFTDPolicyPyModel::url_entries o-- CiscoFTDURLEntryPyModel
+
+class CiscoFTDUsernamePyModel {
+  username : str
+}
+CiscoFTDPolicyPyModel::usernames o-- CiscoFTDUsernamePyModel
+
+package ports {
+    class CiscoFTDPortPyModel {
+        name : str
+        port : Union[]
+        protocol : int
+    }
+    CiscoFTDPolicyPyModel::source_ports o-- CiscoFTDPortPyModel
+    CiscoFTDPolicyPyModel::destination_ports o-- CiscoFTDPortPyModel
+
+    class CiscoFTDPortSingleValuePyModel {
+        value : int
+    }
+    CiscoFTDPortPyModel::port o-- CiscoFTDPortSingleValuePyModel
+
+    class CiscoFTDPortRangeValuePyModel {
+        end : int
+        start : int
+    }
+    CiscoFTDPortPyModel::port o-- CiscoFTDPortRangeValuePyModel
+
+    
 }


+package time_range{
+    class CiscoFTDTimeRangePyModel {
+        eff_end_datetime : Optional[str]
+        eff_start_datetime : Optional[str]
+        name : str
+        time_range : Union[]
+        time_range_type
+    }
+    CiscoFTDPolicyPyModel::time_range o-- CiscoFTDTimeRangePyModel
+
+    class CiscoFTDTimeRangeRangeIntervalPyModel {
+        end_day : Optional[str]
+        end_time : Optional[str]
+        start_day : Optional[str]
+        start_time : Optional[str]
+    }
+    CiscoFTDTimeRangeRangeIntervalPyModel o-- CiscoFTDTimeRangePyModel::time_range
+
+    class CiscoFTDTimeRangeDailyIntervalPyModel {
+        days : Optional[str]
+        end_time : Optional[str]
+        start_time : Optional[str]
+    }
+    CiscoFTDTimeRangeDailyIntervalPyModel o-- CiscoFTDTimeRangePyModel::time_range
+}
+
+package source_destinations {
+
+    class CiscoFTDNetworkRootPyModel {
+        name : str
+        object_type: Enum
+    }
+    CiscoFTDPolicyPyModel::source_networks o-- CiscoFTDNetworkRootPyModel
+    CiscoFTDPolicyPyModel::destination_networks o-- CiscoFTDNetworkRootPyModel
+
+    class CiscoFTDNetworkCountriesGroupPyModel {
+        countries_count : int
+    }
+    CiscoFTDNetworkRootPyModel <|-- CiscoFTDNetworkCountriesGroupPyModel
+
+    class CiscoFTDNetworkCountryPyModel {
+    }
+    CiscoFTDNetworkRootPyModel <|-- CiscoFTDNetworkCountryPyModel
+
+    class CiscoFTDNetworkFQDNObjectPyModel {
+        fqdn_address : str
+    }
+    CiscoFTDNetworkRootPyModel <|-- CiscoFTDNetworkFQDNObjectPyModel
+
+    class CiscoFTDNetworkGroupPyModel {
+    }
+    CiscoFTDNetworkRootPyModel <|-- CiscoFTDNetworkGroupPyModel
+
+    class CiscoFTDNetworkIPv4NetworkPyModel {
+        address : str
+        netmask : Optional[int]
+    }
+    CiscoFTDNetworkRootPyModel <|-- CiscoFTDNetworkIPv4NetworkPyModel
+
+    class CiscoFTDNetworkIPv6NetworkPyModel {
+        address : str
+        prefix_length : Optional[int]
+    }
+    CiscoFTDNetworkRootPyModel <|-- CiscoFTDNetworkIPv6NetworkPyModel
+
+    class CiscoFTDNetworkRangePyModel {
+        end_address : str
+        start_address : str
+    }
+    CiscoFTDNetworkRootPyModel <|-- CiscoFTDNetworkRangePyModel
+}
+
@enduml
--- a/drawings/cisco_ftd/ftd_rules_downloader_service.puml
+++ b/drawings/cisco_ftd/ftd_rules_downloader_service.puml
@ -0,0 +1,51 @@
+@startuml
+class InitServiceMixin {
+  firewall
+  services_classes : dict
+}
+
+class RulesDownloaderService {
+  services_classes : dict
+  get_all_rules()
+  remove_oldest_objects()
+}
+
+RulesDownloaderService --|> InitServiceMixin
+package "CISCO firewalls downloaders" {
+class CiscoFTDDownloaderService {
+  CLASS_NAME : str
+  cisco_ftd
+  create_rule(rule: CiscoFTDPolicyPyModel) -> Optional[Rule]
+  download_rules_from_firewall() -> List[dict]
+  load_rules_to_database(rules: List[CiscoFTDPolicyPyModel]) -> List[Rule]
+}
+CiscoFTDDownloaderService --* RulesDownloaderService
+
+
+class CiscoDownloaderService {
+  all_objects_by_context : dict
+  create_rule(rule: models.CiscoRule) -> Rule
+  download_rules_from_firewall() -> List[dict]
+  get_action(rule: models.CiscoRule) -> str
+  get_context(rule: models.CiscoRule) -> str
+  get_description(rule: models.CiscoRule) -> str
+  get_destinations(rule: models.CiscoRule) -> List[NetworkObject]
+  get_enabled(rule: models.CiscoRule) -> bool
+  get_logging(rule: models.CiscoRule) -> Optional[Logging]
+  get_name(rule: models.CiscoRule) -> str
+  get_parsed_data(rule: models.CiscoRule) -> dict
+  get_path_to_rule(rule: models.CiscoRule) -> dict
+  get_policy_name(rule: models.CiscoRule) -> str
+  get_position(rule: models.CiscoRule) -> int
+  get_rule_id(rule: models.CiscoRule) -> str
+  get_services(rule: models.CiscoRule) -> List
+  get_sources(rule: models.CiscoRule) -> List[NetworkObject]
+  get_times(rule: models.CiscoRule) -> List[Time]
+  get_users(rule: models.CiscoRule) -> List[User]
+  load_rules_to_database(rules: List[dict]) -> List[Rule]
+}
+}
+
+CiscoDownloaderService --* RulesDownloaderService
+
+@enduml
--- a/drawings/cisco_ftd/schemes_setup.wsd
+++ b/drawings/cisco_ftd/schemes_setup.wsd
@ -0,0 +1,31 @@
+@startuml
+hide empty methods
+
+!procedure $table($name, $slug)
+entity "<b>$name</b>" as $slug << (T, Orange) table >>
+!endprocedure
+
+!procedure $type($name, $slug)
+entity "<b>$name</b>" as $slug << (E, Cyan) type (enum) >>
+!endprocedure
+
+!procedure $pk($name)
+<color:#GoldenRod><&key></color> <b><i>$name</i></b>: 
+!endprocedure
+
+!procedure $enum_link($name)
+<color:#Orange><&tag></color> <i>$name</i>: 
+!endprocedure
+
+!procedure $fk($name)
+<color:#Silver><&key></color> <i>$name</i>:
+!endprocedure
+
+!procedure $column($name)
+{field} <color:#grey><&chevron-right></color> <i>$name</i>:
+!endprocedure
+
+!procedure $enum_field($name)
+{field} <color:#grey><&chevron-right></color> $name
+!endprocedure
+@enduml